Whitehat recovery unlocks $2M from 2016 Ethereum ICO contract

A whitehat security researcher (0xflorent) helped unlock about 1,003.62 ETH (≈$2M) that had been trapped in the 2016 HongCoin Ethereum ICO smart contract for nearly 9 years. The recovery was driven by an unpatched integer-overflow flaw in an admin function and was coordinated with HongCoin’s multisig wallet holders.

The ICO's refund logic had a broken cap. It rejected refund claims once a holder’s token balance exceeded a global counter that had been affected by years of partial refunds, effectively capping larger payouts at about 3.56 ETH. By calling the admin function with a specific input, the team reset the targeted balances so that the refund check would pass. They did so after validating the sequence on a test fork and signing 41 unlock transactions (one per blocked holder). Another seven holders could claim normally without the workaround.

Result: 48 original investors became eligible. Two investors have already withdrawn a combined 96.5 ETH (≈$193k). This is the second major Ethereum ICO contract recovery 0xflorent has disclosed in eight days (after a prior return of 19.329 ETH).

Traders should treat the immediate price impact on ETH as limited, but the event reinforces the ongoing smart-contract and refund-mechanism risk in legacy ICO code.
Neutral
This is a legacy Ethereum ICO contract refund unlock. The total value (~$2M) and the mechanics are refund-specific, not a new token launch or protocol upgrade. That makes the direct price impact on ETH likely limited. However, the event reinforces smart-contract risk awareness: once again, an unpatched bug in refund logic can lock and later release funds, which can matter for sentiment and for traders monitoring contract security and old liquidity/escrow unlocks. In the bigger market context, the article notes ongoing DeFi exploits elsewhere, which is more likely to drive broader risk appetite than this single refund event.