A pseudonymous security researcher recovered about 1,003 Ether, valued at roughly $2 million, from a 2016 Hong Coin ICO smart contract where a refund function bug had trapped investor funds for nearly a decade.
"The contract held all the investors' ETH and was supposed to auto-refund them. However, a bug in the refund function quietly broke that, and the funds got stuck," 0xflorent, the white-hat hacker who executed the recovery, said in a post on X on Sunday.
The Hong Coin ICO ran from Aug. 29 to Oct. 28, 2016, offering 250 million HONG tokens across five stages as part of a community-driven venture capital fund governed by a decentralized autonomous organization. When the project failed to meet its fundraising target, the smart contract was designed to automatically return contributions to the 48 investors. A bug in the refund mechanism prevented those refunds from processing, leaving the Ether frozen on-chain; a separate integer overflow bug in an admin function is what later made recovery possible.
The recovery required collaboration with the original Hong Coin team. 0xflorent identified that an admin function with an integer overflow bug could reset token holder balances when invoked with a specific input value, unblocking the refund check. Because the function required authorization from the team's multisignature wallet, 0xflorent contacted the developers, validated the fix on a test network, and the team approved 41 transactions — one for each affected investor whose balance needed adjustment. Seven investors held sufficiently small amounts to receive direct refunds without the workaround.
On-chain data from Etherscan confirms refunds have begun reaching investors. One participant received 96 ETH, worth about $192,500 at current prices, while another was refunded 0.5 ETH. Both voluntarily compensated 0xflorent with white-hat rewards, though no payment was required. "There were no fees, no cut, no commission," 0xflorent said.
The Hong Coin recovery is not an isolated case. On May 24, 0xflorent reported recovering 19.33 ETH from two separate legacy contracts — a failed ICO from January 2018 and a Liquality Wallet user whose funds were trapped in an expired cross-chain atomic swap. The researcher said he deployed his own Ethereum node and built a scanning tool to identify contracts holding more than 100 ETH, then systematically reviewed candidates for exploitable weaknesses. He used Claude Code to assist with sorting and categorizing contracts, though he noted the AI platform has limitations when analyzing smart contract security flaws directly.
The episode highlights the latent risk embedded in ICO-era smart contracts. Many were written for Solidity versions before 0.8, which did not check arithmetic for overflow; contracts of that era had to pull in a library such as SafeMath to get those checks, and many did not. While blockchain records are permanent, assets locked by a logic bug can stay inaccessible unless a code-level flaw can be found and used to release them. The case also demonstrates a model for responsible remediation: white-hat intervention coordinated with the original developers, rather than hostile exploitation, can unlock stranded value without destabilizing the broader ecosystem.
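The following is an added illustration of the bug class described in the recovery account above and in this paragraph. It is not the Hong Coin contract, whose source the article does not reproduce; the contract, function and variable names are hypothetical. It shows a pre-0.8 admin function whose unchecked addition lets one specific input wrap a holder's balance to exactly zero, next to a version with the explicit check that SafeMath performs.

```solidity
pragma solidity ^0.4.24;

// Hypothetical pre-0.8 token contract (constructed example, not Hong Coin's code).
// Solidity before 0.8 performs arithmetic modulo 2**256 with no overflow check.
contract UncheckedBalances {
    address public admin;
    mapping(address => uint256) public balances;
    uint256 public totalSupply;

    constructor() public {
        admin = msg.sender;
    }

    modifier onlyAdmin() {
        require(msg.sender == admin, "admin only");
        _;
    }

    // Vulnerable: `balances[holder] + delta` silently wraps. An admin who passes
    // delta = 2**256 - balances[holder] drives the balance to exactly zero,
    // which is the kind of "specific input value" the article describes.
    function adjustBalance(address holder, uint256 delta) external onlyAdmin {
        balances[holder] += delta;
        totalSupply += delta;
    }

    // The wrapping input for a given holder. Pre-0.8, `0 - x` yields 2**256 - x
    // rather than reverting; in Solidity >= 0.8 this subtraction reverts.
    function zeroingDelta(address holder) external view returns (uint256) {
        return uint256(0) - balances[holder];
    }

    // Hardened: check for wrap before writing, the same test SafeMath.add makes.
    // Under Solidity >= 0.8 the plain `+=` above would already revert on overflow
    // (checked arithmetic is the default unless wrapped in an `unchecked` block).
    function adjustBalanceChecked(address holder, uint256 delta) external onlyAdmin {
        uint256 newBalance = balances[holder] + delta;
        require(newBalance >= balances[holder], "balance addition overflow");
        uint256 newSupply = totalSupply + delta;
        require(newSupply >= totalSupply, "supply addition overflow");
        balances[holder] = newBalance;
        totalSupply = newSupply;
    }
}
```

In the vulnerable path the same bug cuts both ways: it is what a hostile caller would abuse, and, where the refund logic gates on balances, it is also what a coordinated white-hat recovery can use once the privileged multisig agrees to send the transaction.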
For the crypto industry, the Hong Coin recovery raises practical questions about how many similar dormant contracts still hold trapped funds and what standards should govern retroactive recoveries. 0xflorent expressed hope that more security researchers would pursue this path. "It's more rewarding morally, and it can also pay well," he said.
This article is for informational purposes only and does not constitute investment advice.