Developer Recovers $2 Million Locked in 2016 HongCoin ICO Contract

A developer known as Florent recovered approximately 1,003 ETH, worth roughly $2 million at current prices, from a 2016 HongCoin initial coin offering contract where the funds had been trapped for nine years. The Ethereum token sale was designed to auto-refund investors after falling short of its fundraising goal, but a programming bug prevented the refund function from executing for holders with balances exceeding a depleted global counter. Florent exploited an overflow vulnerability in the contract's admin function, working with the HongCoin team over about a week to unlock the funds for 48 original investors. The recovery demonstrates how early smart contract vulnerabilities from the pre-SafeMath era continue to lock value on-chain.

Overflow Vulnerability Blocked Refunds for Nine Years

The HongCoin contract, pitched in 2016 as a community-run investment fund, contained a refund mechanism that rejected any token holder whose balance exceeded a global counter variable. Years of partial refunds reduced that counter to 356, capping total refunds at 3.56 ETH (approximately $7,000), while most remaining holders held far larger amounts.

Florent told The Block the contract was deployed with an old version of the Solidity programming language that lacked protections against overflow errors. In such errors, a number that reaches a sufficiently high value resets to 0 or 1, a vulnerability later addressed by the SafeMath library.

The developer identified a workaround through the team's admin function, originally designed to mint bounty tokens for specific events. Calling this function with a precise input value reset a holder's balance to 1, allowing the refund check to pass and releasing the locked ETH.
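
The wraparound and the refund check described above can be modelled in a few lines. This is an added example, not HongCoin's contract code or Florent's tooling: it uses Python integers to stand in for Solidity uint256 values, and the class name, function names, holder label and the 50,000-token balance are assumptions made for illustration (only the counter value 356 comes from the article). It also shows that a SafeMath-style checked addition would have rejected the same mint call.

```python
# Constructed model of the behaviour the article describes; not HongCoin's source.
UINT256_MAX = 2**256 - 1


def add_unchecked(a: int, b: int) -> int:
    """uint256 addition as compiled by pre-0.8 Solidity: wraps modulo 2**256."""
    return (a + b) & UINT256_MAX


def add_checked(a: int, b: int) -> int:
    """SafeMath-style addition: fail instead of wrapping."""
    total = a + b
    if total > UINT256_MAX:
        raise OverflowError("uint256 addition overflow")
    return total


class RefundModel:
    def __init__(self, counter, balances, add=add_unchecked):
        self.counter = counter          # global counter the refund check reads
        self.balances = dict(balances)  # holder -> token balance
        self.add = add                  # arithmetic used by the admin mint

    def refund_allowed(self, holder) -> bool:
        # The check described in the article: reject balances above the counter.
        return self.balances[holder] <= self.counter

    def admin_mint(self, holder, amount) -> None:
        # Multisig-restricted on-chain; access control is out of scope here.
        self.balances[holder] = self.add(self.balances[holder], amount)


def demo(add=add_unchecked):
    holder, balance = "holder-A", 50_000           # constructed sample values
    model = RefundModel(counter=356, balances={holder: balance}, add=add)
    blocked_before = not model.refund_allowed(holder)
    amount = (1 - balance) % 2**256                # wraps the sum to exactly 1
    model.admin_mint(holder, amount)
    return blocked_before, model.balances[holder], model.refund_allowed(holder)


if __name__ == "__main__":
    print(demo())                                  # unchecked add
    try:
        demo(add_checked)
    except OverflowError as exc:
        print("checked add rejects the mint:", exc)
```

With unchecked addition the holder goes from blocked to a balance of 1 that passes the check; with checked addition the same call fails, which is why the workaround only exists in contracts compiled without overflow protection.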

Team Cooperation Enabled Whitehat Unlock Process

The admin function was restricted to HongCoin's multisig wallet, preventing unilateral action. Florent emailed the team, validated the transaction sequence on a Foundry mainnet fork, and the team signed the unlock transactions. The process took about a week from the initial email, according to Florent.

Of the 48 original investors who can now claim funds, 41 required the balance reset exploit. The remaining seven held amounts small enough to refund directly through the existing function. The team signed 41 transactions, one per blocked holder, covering the approximately 1,000 ETH that was genuinely stuck.

Two investors have reclaimed a combined 96.5 ETH (approximately $193,000) and voluntarily sent Florent a whitehat reward. Florent told The Block there were no fees, cuts, or commissions involved. "Outside of the team itself, no one really had an incentive to dig into the contract that closely," Florent said. "There was no ownership flaw that would let someone steal the funds for themselves, so for a hacker there was nothing to gain; the only outcome of any exploit is the ETH going back to the original investors."

Developer Previously Freed 19.329 ETH from Failed Contracts

On Sunday, May 24, Florent described recovering 19.329 ETH, about $40,590, from two older contracts. The first was a failed January 2018 ICO holding 5.141 ETH behind an uncalled public refund function. The second involved a Liquality Wallet user's seven expired atomic swaps totaling 14.190 ETH, which Florent refunded on the user's behalf after Liquality shut down its app in 2024.

Scanner Methodology Identifies High-Value Stuck Contracts

Florent said he recently set up a self-hosted Ethereum node and built a scanner to flag every contract holding more than 100 ETH, then worked through candidates. "A lot of contracts are forks of other contracts, so a flaw in one is the same flaw in all the others within the cluster," Florent said. "That said, the big well-known clusters have already been combed through pretty thoroughly."

When asked about AI assistance, Florent said he used Claude Code to accelerate sorting and clustering contracts but found limitations in smart contract analysis. "The AI is often biased by the fact that the contract hasn't been cracked before and that previous people couldn't find a way through ... so it often defaults to 'this is uncrackable, I tried everything,' which is frequently false."

The recovery occurs amid a wave of DeFi exploits. Attacks totaled hundreds of millions of dollars across April alone, led by a roughly $293 million drain at Kelp DAO. A co-founder of security firm OpenZeppelin recently stated he considers all of DeFi unsafe. Some exploits have ended in whitehat recoveries or voluntary returns, as in Euler Finance's near-total recovery after its 2023 exploit.

"There's been a clear resurgence of hackers on protocols lately, and DeFi is becoming a complicated space to invest in," Florent said. "I'd love to see a counter-movement of people who try to protect things rather than exploiting them. It's more rewarding morally, and it can also pay well."

FAQ

What caused the HongCoin ICO funds to remain locked for nine years?

A programming bug in the 2016 HongCoin contract's refund function rejected any holder whose token balance exceeded a global counter variable. Years of partial refunds reduced that counter to 356, preventing refunds for holders with larger balances while the contract lacked overflow protections standard in later Solidity versions.

How did Florent unlock the trapped ETH without stealing it?

Florent identified an admin function originally meant to mint bounty tokens. By calling it with a specific input value, he could reset a holder's balance to 1 due to an overflow vulnerability, allowing the refund check to pass. The admin function required HongCoin team signatures, so Florent coordinated with the team over about a week to execute 41 unlock transactions for blocked investors.

How much ETH has Florent recovered from old contracts?

Florent recovered approximately 1,003 ETH (roughly $2 million) from the HongCoin contract. On Sunday, May 24, he described freeing an additional 19.329 ETH (about $40,590) from two other contracts: a failed January 2018 ICO with 5.141 ETH and seven expired Liquality Wallet atomic swaps totaling 14.190 ETH.
