A security researcher known as 0xflorent freed 1,003.62 ETH — roughly $2 million — that had sat locked inside a 2016 Ethereum ICO contract for nine years, exploiting an integer-overflow flaw with the original team's cooperation and without touching a single dollar that wasn't his to move.
The contract belongs to HongCoin, a token sale that ran in 2016 and fell short of its funding goal. Under the contract's design, investors were supposed to receive automatic refunds. They never did. The refund function contained a bug that quietly made most payouts impossible, and for nine years 48 original investors had no way to retrieve their ether.
0xflorent posted the details in an X thread on May 31, 2026.
The bug. The contract's refund logic checked a holder's token balance against a global counter. That counter started high but was eroded by years of partial payouts until it reached 356 — meaning the contract would only process a refund for a holder with fewer than 356 tokens, capping any single payout at 3.56 ETH. Anyone above that threshold was silently locked out.
The exploitable entry point was an admin function the original HongCoin developers had never locked down with a modifier. The function predated Solidity's built-in integer-overflow protections. Calling it with a precise input value wrapped the arithmetic and reset a holder's balance to 1 — low enough to clear the refund check. One call per holder, and the funds flowed.
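The wrap described above can be modeled outside the EVM. This added example is not HongCoin's code or 0xflorent's: it is a Python model of 256-bit arithmetic in which `ToyRefund`, `admin_add`, the holder names and the balances are constructed, and the admin function is assumed to add its input to a balance; only the counter value 356 comes from the article. It contrasts pre-0.8 wrapping addition with checked addition that reverts.

```python
# Added illustration: a Python model of uint256 arithmetic, not HongCoin's code.
# ToyRefund, admin_add and every value except the counter 356 are constructed.
UINT256 = 2**256

class Overflow(Exception):
    """Stands in for the revert Solidity >= 0.8 raises on overflow."""

def add_unchecked(a, b):
    # Pre-0.8 Solidity: the sum silently wraps modulo 2**256.
    return (a + b) % UINT256

def add_checked(a, b):
    # Solidity >= 0.8 or a SafeMath-style library: overflow aborts the call.
    if a + b >= UINT256:
        raise Overflow("sum exceeds uint256")
    return a + b

class ToyRefund:
    def __init__(self, counter, balances, add):
        self.counter = counter          # global counter eroded by past payouts
        self.balances = dict(balances)  # holder -> token balance
        self.add = add                  # arithmetic mode under test

    def can_refund(self, holder):
        # The article's check: only holders below the counter are paid.
        return self.balances[holder] < self.counter

    def admin_add(self, holder, amount):
        # Hypothetical admin entry point, assumed to add to a balance.
        self.balances[holder] = self.add(self.balances[holder], amount)

def wrap_input(balance, target=1):
    # Input that makes balance + input land on `target` after wrapping.
    return (target - balance) % UINT256

def demo(add):
    c = ToyRefund(356, {"small": 120, "large": 50_000}, add)
    before = (c.can_refund("small"), c.can_refund("large"))
    try:
        c.admin_add("large", wrap_input(c.balances["large"]))
        outcome = "wrapped"
    except Overflow:
        outcome = "reverted"
    return before, outcome, c.balances["large"], c.can_refund("large")

if __name__ == "__main__":
    print("unchecked:", demo(add_unchecked))
    print("checked:  ", demo(add_checked))
```

With checked arithmetic the same call reverts and the balance is unchanged, which is why this path exists only in contracts compiled before overflow checks became the default.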
Why it took cooperation. The admin function was restricted to HongCoin's multisig wallet, which meant 0xflorent couldn't execute the fix unilaterally even if he had wanted to. He emailed the team, walked them through the mechanics, then validated the entire unlock sequence on a test fork of Ethereum mainnet before anyone touched production. Once the team confirmed the approach was safe, HongCoin's multisig signed 41 unlock transactions — one for each holder whose balance was too high to clear the counter. Seven holders with small enough balances could be refunded directly without the workaround.
The result: 1,003.62 ETH freed, 48 investors now eligible to claim. As of 0xflorent's announcement, two had done so, retrieving a combined 96.5 ETH worth approximately $193,000.
A pattern forming. This is the second recovery 0xflorent has publicized in eight days. On May 24 he announced the return of 19.329 ETH to its original owners: 5.141 ETH from a failed January 2018 ICO, and 14.190 ETH from seven expired atomic swaps inside a Liquality Wallet user account that had become inaccessible after the wallet shut down in 2024. That recovery totaled roughly $40,590 at current prices.
The two cases share a model — patient forensic work on contracts that most of the industry has long since stopped watching, followed by coordinated disclosure rather than a unilateral move — but the HongCoin case is an order of magnitude larger and marks what 0xflorent described in his thread as the first whitehat exploit on Ethereum to recover funds from a 2016-era ICO contract.
The broader context. The recovery lands in the middle of the worst run of DeFi exploits in recent memory. April saw hundreds of millions drained across protocols, with KelpDAO losing approximately $293 million and Drift approximately $285 million. Against that backdrop, a story of funds recovered rather than stolen, and recovered through a process that required a hacker and a 9-year-old project team to sit on the same side of the table, reads as something close to anomalous.
The cooperative structure matters beyond the optics. Because HongCoin's multisig held the required permissions and the researcher held the technical knowledge, neither party could have completed the recovery alone. The 41 co-signed transactions that freed the ether are the on-chain record of that dependency. It is a template that stands in direct contrast to the extract-first governance attacks that have defined recent months.
The HongCoin contract source code remains public on GitHub. 0xflorent's X thread, which CoinDesk covered at approximately 6:52 AM UTC on June 1, 2026, includes the technical breakdown of the overflow and the transaction sequence.
The remaining 46 investors have not yet claimed. Whether they are still reachable — or even aware their funds have been unlocked — is the open question.
Primary source: 0xflorent's X thread, May 31, 2026 — https://x.com/0xFlorent_/status/2061070356564091258. CoinDesk reporting: June 1, 2026, 6:52 AM UTC — https://www.coindesk.com/tech/2026/06/01/whitehat-developer-unlocks-usd2-million-stuck-in-a-2016-ethereum-ico-contract-for-nine-years. HongCoin contract: https://github.com/hongcoin/DO.