Loading prices…
🔥BULLISH

Whitehat Unlocks $2M in ETH From 2016 ICO Contract

The 0xflorent recovery is technically a rescue, structurally an audit failure: an unpatched Solidity integer-overflow bug from the pre-EIP-214 era was sitting in a multisig-gated admin function for…

Whitehat Unlocks $2M in ETH From 2016 ICO Contract
Whitehat Unlocks $2M in ETH From 2016 ICO Contract
Whitehat Unlocks $2M in ETH From 2016 ICO Contract
Whitehat Unlocks $2M in ETH From 2016 ICO Contract

A security researcher known as 0xflorent coordinated with the team behind HongCoin — a 2016 Ethereum ICO that fell short of its funding goal — to unfreeze roughly 1,003.62 ETH, worth about $2 million, that had been locked in the token sale's smart contract for nine years. The exploit targeted an integer-overflow flaw in an admin function that the original developers never patched, even as Solidity itself later added the protections needed to block it.

The bug had silently capped refunds at 3.56 ETH for years. The contract's refund logic rejected any holder whose token balance exceeded a global counter that partial refunds had dragged down to 356, blocking 48 original investors from withdrawing their share. By calling the admin function with a specific input value, 0xflorent reset a holder's balance to one, allowing the refund check to pass. Because the admin function was gated by HongCoin's multisig, he emailed the team, validated the unlock sequence on a test fork of Ethereum mainnet, and let the team sign the 41 transactions itself.

Why it matters

The recovery is a reminder of how long pre-Solidity-0.8 contracts can sit on mainnet with known, unfixed vulnerabilities. Integer overflows were a default behaviour of the language until the 0.8 compiler series forced checked arithmetic — any contract deployed before that hardening window is, in theory, a candidate for the same audit pass. 0xflorent has now publicised two such rescues in eight days: the HongCoin unlock on May 31 and, on May 24, the return of 19.329 ETH (about $40,590) tied to a failed January 2018 ICO and seven expired atomic swaps in a Liquality Wallet account that had been stranded since the wallet shut down in 2024.

The multisig-gated nature of the recovery is what separates it from the exploit headlines — the team consented, the unlock was signed by the original keyholders, and the funds stayed with the parties they were owed. That distinction matters as DeFi losses pile up: April alone saw hundreds of millions drained across protocols, headlined by a roughly $293 million hit on Kelp DAO.

Related tokens
$ETH

Frequently asked questions

  1. Who is 0xflorent and what did he recover?

    0xflorent is a security researcher who coordinated with the HongCoin team to unfreeze about 1,003.62 ETH (~$2M) trapped in a 2016 Ethereum ICO contract for nine years, using an unpatched integer-overflow flaw in the contract's admin function.

  2. How was the HongCoin refund bug fixed without breaking the contract?

    0xflorent called the contract's multisig-gated admin function with a value that triggered an integer overflow, resetting a holder's token balance to one and allowing the broken refund check (capped at 3.56 ETH) to pass. The HongCoin multisig signed all 41 unlock transactions themselves.

  3. How many original investors can claim and how much has been claimed so far?

    48 original HongCoin investors are now eligible to reclaim funds. As of 0xflorent's May 31 X thread, two had already claimed a combined 96.5 ETH, worth roughly $193,000.

  4. Is this the first time 0xflorent has recovered stranded crypto?

    No — on May 24 he publicised the return of 19.329 ETH (~$40,590), including 5.141 ETH from a failed January 2018 ICO and 14.190 ETH from seven expired atomic swaps in a Liquality Wallet account stranded since the wallet shut down in 2024.

  5. Why does this recovery matter beyond the $2M figure?

    It highlights a finite population of pre-Solidity-0.8 contracts on mainnet still vulnerable to integer overflows, and shows a cooperative whitehat playbook — multisig consent, team-signed transactions, funds returned to original owners — that contrasts with the DeFi exploit cycle that drained hundreds of millions,…

Source attribution
Aggregated from CoinDesk · Verified · Last refreshed 45d ago
Open original →