Dev helps rescue $2 million locked in 2016 ICO contract for nine years with whitehat exploit

A developer known as Florent says he helped recover about 1,003 ETH, worth roughly $2 million at current prices, that had sat trapped in a 2016 initial coin offering (ICO) contract for nine years. The contract belongs to HongCoin, also written as “The HONG,” an Ethereum token sale from 2016 that was pitched as a community-run investment fund.

In an X thread posted early Sunday, Florent, who describes himself as a security researcher, said the sale fell short of its goal and was meant to auto-refund investors’ ETH, but a bug left the money stuck. The refund function rejected any holder whose token balance was larger than a global counter, Florent told The Block in a written interview. Years of partial refunds had dragged that counter down to 356, capping total refunds at 3.56 ETH (~$7,000), while most remaining holders held far more.

Since the contract was deployed with an old version of the Solidity programming language, Florent said, it had no protection against integer overflow, in which a number that grows past its maximum wraps around to a small value such as 0 or 1, a class of bug later mitigated with the SafeMath library. “The way around was the team’s own admin function, one that was meant to mint bounty tokens from specific events,” Florent said. “Because of the missing overflow protection, calling it with a very specific input value would reset a holder’s balance back to 1, and from there the refund check passes and the ETH gets released.”

Florent said the move was not a unilateral hack. The admin function was restricted to HongCoin’s multisig, so he emailed the team, validated the sequence on a Foundry mainnet fork, and the team signed the unlock transactions itself. The process took about a week from the first email, he said. By his accounting, 48 original investors can now claim the unfrozen funds, but only 41 needed the balance reset; the other seven held small enough amounts to refund directly. The team signed 41 transactions, one per blocked holder, covering the roughly 1,000 ETH that was truly stuck.
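The refund gate and the overflow that bypasses it, as an added Python model of the logic the two paragraphs above describe (constructed for this article, not HongCoin’s contract); it assumes the contract records each investor’s original ETH contribution and releases it once the balance check passes, and the holder names and amounts are made up:

```python
# Model of the refund gate described above (constructed; not HongCoin's contract).
UINT256_MAX = 2**256 - 1


def wrapping_add(a: int, b: int) -> int:
    """Pre-SafeMath Solidity arithmetic: addition silently wraps modulo 2**256."""
    return (a + b) & UINT256_MAX


def checked_add(a: int, b: int) -> int:
    """SafeMath-style addition: abort (revert) on overflow instead of wrapping."""
    total = a + b
    if total > UINT256_MAX:
        raise OverflowError("SafeMath: addition overflow")
    return total


class RefundContract:
    """Token balances, a global counter that shrinks with each refund, and an
    admin-only bounty mint. `add` selects wrapping or checked arithmetic."""

    def __init__(self, balances, contributions_wei, counter, add=wrapping_add):
        self.balances = dict(balances)
        self.contributions_wei = dict(contributions_wei)  # assumed: ETH originally paid in
        self.counter = counter
        self.add = add

    def mint_bounty(self, holder: str, amount: int) -> int:
        # Admin function; with wrapping arithmetic a large `amount` wraps the balance.
        self.balances[holder] = self.add(self.balances[holder], amount)
        return self.balances[holder]

    def refund(self, holder: str) -> int:
        """Release the holder's ETH only if their balance does not exceed the counter."""
        bal = self.balances[holder]
        if bal > self.counter:
            raise ValueError(f"refund blocked: balance {bal} > counter {self.counter}")
        self.balances[holder] = 0
        self.counter -= bal  # each partial refund drags the global counter down
        return self.contributions_wei.pop(holder)


def wrap_to_one(balance: int) -> int:
    """Mint amount that carries a uint256 balance past 2**256 to land on exactly 1."""
    return (1 - balance) & UINT256_MAX


def can_refund(contract: RefundContract, holder: str) -> bool:
    """Pre-check mirroring the gate, useful when triaging which holders are stuck."""
    return contract.balances[holder] <= contract.counter
```

With `checked_add` in place of `wrapping_add` the same mint call reverts, which is why a holder above the counter stays stuck unless the contract is changed or the team signs the reset.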

Two investors have reclaimed a combined 96.5 ETH (~$193,000) so far and voluntarily sent Florent a “whitehat reward,” the researcher said, though nothing obligates anyone to pay. “There were no fees, no cut, no commission,” he told The Block, describing the motivation as curiosity and learning how old contracts work. “Outside of the team itself, no one really had an incentive to dig into the contract that closely,” Florent said. “There was no ownership flaw that would let someone steal the funds for themselves, so for a hacker there was nothing to gain; the only outcome of any exploit is the ETH going back to the original investors.”

It is not his first such recovery. On Sunday, May 24, Florent described freeing 19.329 ETH, about $40,590, from two older contracts: a failed January 2018 ICO with 5.141 ETH behind an uncalled public refund function, and a Liquality Wallet user’s seven expired atomic swaps totaling 14.190 ETH, which he said he refunded on the user’s behalf after Liquality wound down its app in 2024.

On methodology, Florent said he recently set up a self-hosted Ethereum node and built a scanner to flag every contract holding more than 100 ETH, then worked through candidates. “A lot of contracts are forks of other contracts, so a flaw in one is the same flaw in all the others within the cluster,” Florent said. “That said, the big well-known clusters have already been combed through pretty thoroughly.”

When asked whether he used AI to help in the recovery, Florent said he used Claude Code to accelerate the work in sorting and clustering contracts but the model has its flaws when it comes to analyzing the smart contracts themselves. “The AI is often biased by the fact that the contract hasn’t been cracked before and that previous people couldn’t find a way through … so it often defaults to ‘this is uncrackable, I tried everything,’ which is frequently false.”

The recovery comes during a heavy run of DeFi exploits. Attacks totaled hundreds of millions of dollars across April alone, led by a roughly $293 million drain at Kelp DAO. A co-founder of security firm OpenZeppelin recently said he considers “all of DeFi” unsafe. These episodes sometimes end in whitehat recoveries or voluntary returns, as in Euler Finance’s near-total recovery after its 2023 exploit.


“There’s been a clear resurgence of hackers on protocols lately, and DeFi is becoming a complicated space to invest in,” Florent said. “I’d love to see a counter-movement of people who try to protect things rather than exploiting them. It’s more rewarding morally, and it can also pay well.”

Disclaimer: The Block is an independent media outlet that delivers news, research, and data. As of November 2023, Foresight Ventures is a majority investor of The Block. Foresight Ventures invests in other companies in the crypto space. Crypto exchange Bitget is an anchor LP for Foresight Ventures. The Block continues to operate independently to deliver objective, impactful, and timely information about the crypto industry. Here are our current financial disclosures. © 2026 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

[The Block]

RichSilo Visions:

Executive Summary (TL;DR)

The recovery of $2M trapped in a 2016 ICO contract highlights systemic vulnerabilities in early smart contracts that remain undiscovered years later, while demonstrating the growing value of ethical security research in an increasingly hostile DeFi landscape.

The Core Friction

This isn’t just about one lucky researcher finding an old bug. It reflects a fundamental tension in crypto: the irreversible nature of blockchain code combined with human error in implementation. Early Ethereum contracts, written before security best practices like SafeMath were standard, created time bombs that are now being discovered as their value increases. What we’re witnessing is the maturation of security research from reactive patching to proactive treasure hunting, driven by both moral incentives and the potential rewards of uncovering forgotten exploits. The fact that Florent had to manually contact the team and validate the process on a fork indicates how governance failures compound technical vulnerabilities.

Market Impact & Chain Reaction

Short-term

This incident puts renewed focus on legacy protocols and forgotten ICOs, potentially creating trading opportunities around similar vulnerable contracts. The HongCoin token itself may see speculative interest, though its minimal market cap makes it irrelevant to broader markets. More significantly, we may see increased scrutiny of other 2016-2018 era contracts that haven’t undergone proper audits.

Mid-term

This validates the business model of security researchers like Florent who specialize in “contract archaeology.” We can expect more dedicated scanners targeting older contracts, with potentially similar recoveries becoming more common. For the industry, this presents a dilemma: should there be standardized processes for managing or decommissioning failed projects, or is this “digital archaeology” a valuable use of security resources? The contrast between these recoveries and recent multi-million dollar DeFi hacks suggests we’re entering a bifurcated security landscape where older vulnerabilities are being cleaned up even as new, more complex ones emerge.

RichSilo Verdict

Smart money should position to benefit from the convergence of security research and blockchain forensics. Opportunities exist in: 1) Supporting platforms that track and analyze old contracts, 2) Investing in security firms that specialize in historical vulnerability discovery, and 3) Being prepared for potential waves of similar recoveries that could unlock significant value trapped in failed projects. The real story isn’t the $2M recovered, but the signal it sends about the massive amount of value still potentially vulnerable in early blockchain code.
