A safety researcher named 0xflorent labored with the staff behind Ethereum in 2016 ($ETH) ICO deal unlocks practically $2 million in Ether that was locked away for 9 years in a coordinated white-hat restoration that exploited an integer overflow flaw that was not patched by the unique developer.
This contract belongs to HongCoin, which was imagined to robotically refund Ethereum to buyers after failing to satisfy its fundraising objective throughout a token sale in 2016, however a bug within the refund operate prevented the refund from occurring.
Path 0xflorent unfrozen 1,003.62 $ETH48 unique buyers are at the moment eligible to assert. Two individuals did this and bought a complete of 96.5. $ETH It is price about $193,000, he mentioned on Sunday’s X Thread.
First White Hat Exploit on Ethereum: 1,003.62 unlocked
Ξ ($2,000,000) Trapped in an ICO Good Contract in 2016
9 years.The unique 48 buyers can now declare their funds. pic.twitter.com/lyh5iyaDu7
— 0xflorent.eth (@0xFlorent_) Could 31, 2026
The contract’s refund logic meant that holders whose token steadiness exceeded a worldwide counter of 356 after years of partial refunds have been rejected, with a cap on additional refunds of three.56. $ETH.
0xflorent found that HongCoin’s multisig wallet-limited on-contract administration performance lacked integer overflow safety that was later integrated into the Solidity programming language. When known as with particular enter values, the holder’s steadiness will likely be reset to 1, the refund verify will cross, and the funds will likely be launched.
Nonetheless, this restoration was not a one-sided exploitation. Since HongCoin multisig was required to carry out administrative features, 0xflorent despatched an e mail to the staff to confirm the unlock sequence on a take a look at fork of Ethereum’s mainnet, and the staff itself signed the unlock transaction.
We signed 41 transactions, one for every blocked proprietor, and launched roughly 1,000 transactions. $ETH It was actually caught. One other seven holders had balances sufficiently small to be refunded straight with none workarounds.
That is the second time up to now eight days that 0xflorent has introduced such a restoration.
On Could 24, he mentioned he returned $19.329. $ETHprice roughly $40,590 to the unique proprietor, together with $5,141 $ETH From the failed January 2018 ICO and 14.190 $ETH It arose from seven expired atomic swaps inside Liquality pockets consumer accounts that turned inaccessible after the pockets closure in 2024.
This restoration has landed throughout a time of huge DeFi exploits, with lots of of thousands and thousands of {dollars} leaked throughout protocols in April alone, led by a roughly $293 million hit to the Kelp DAO.
