Scams Radar

Whitehat Developer Rescues $2 Million Stuck in 2016 ICO Smart Contract


A blockchain developer known as Florent has successfully recovered approximately 1,003 ETH, worth around $2 million. The funds had been trapped for nine years inside a 2016 Initial Coin Offering (ICO) smart contract belonging to HongCoin, also known as “The HONG.”

The Glitch That Locked the Funds

HongCoin was originally launched in 2016 as a community-run investment fund. The token sale missed its funding target, which should have triggered automatic refunds for investors.

However, a code bug broke the refund mechanism. Years of partial refunds caused a global counter to drop too low, capping maximum refunds at a tiny fraction of what investors actually owned and freezing the rest.

Exploiting an Old Smart Contract Vulnerability

The contract was written in an early version of the Solidity programming language. Crucially, it lacked modern protection against overflow errors—a vulnerability later fixed by the industry-standard SafeMath library.

Florent discovered that the project’s admin function could be triggered with a highly specific input value. Because of the missing overflow protection, this specific input reset a blocked user’s token balance to 1. This reset allowed the contract’s safety checks to pass and release the trapped Ethereum.
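The wraparound described above can be modeled in a few lines. This is an added illustration, not the HONG contract's code: the `Ledger` class, its `admin_credit` function and the sample balance are hypothetical, and it assumes the admin function adds its input to the stored balance, which the article does not spell out.

```python
# Added illustration: models EVM uint256 arithmetic; not the HONG contract's code.
UINT256_MAX = 2**256 - 1


class Overflow(Exception):
    """Stands in for a Solidity revert."""


def wrapping_add(a: int, b: int) -> int:
    # Early Solidity: a + b silently wraps modulo 2**256.
    return (a + b) & UINT256_MAX


def safe_add(a: int, b: int) -> int:
    # SafeMath-style add: compute, then revert if the result wrapped.
    c = (a + b) & UINT256_MAX
    if c < a:
        raise Overflow("addition overflow")
    return c


class Ledger:
    """Hypothetical token ledger with an admin-only credit function."""

    def __init__(self, add):
        self.add = add
        self.balances = {}

    def admin_credit(self, holder: str, amount: int) -> int:
        if not 0 <= amount <= UINT256_MAX:
            raise ValueError("not a uint256")
        self.balances[holder] = self.add(self.balances.get(holder, 0), amount)
        return self.balances[holder]


def wraps(balance: int, amount: int) -> bool:
    # Review check: would this call overflow under wrapping arithmetic?
    return amount > UINT256_MAX - balance


def demo(balance: int, amount: int):
    # Run the same credit against an unchecked and a checked ledger.
    unchecked, checked = Ledger(wrapping_add), Ledger(safe_add)
    unchecked.balances["holder"] = checked.balances["holder"] = balance
    result = unchecked.admin_credit("holder", amount)
    try:
        checked.admin_credit("holder", amount)
        reverted = False
    except Overflow:
        reverted = True
    return result, reverted
```

With a constructed balance of 5000, `demo(5000, 2**256 - 4999)` leaves the unchecked ledger at 1 while the SafeMath-style ledger reverts, which is why the same input would be rejected by a contract using checked arithmetic.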

A Coordinated Whitehat Recovery

This process was a legal whitehat rescue, not a malicious hack. The admin function required approval from HongCoin’s multi-signature wallet.

The recovery process moved quickly:

  • Florent contacted the HongCoin team with his findings.
  • He simulated and verified the fix using a mainnet fork on Foundry.
  • The team signed 41 individual transactions to unfreeze the blocked accounts.
  • The entire operation took just one week from the initial email.

Investors Reclaim Funds Without Mandatory Fees

The fix allows 48 original investors to finally claim their long-lost crypto. So far, two investors have retrieved a combined 96.5 ETH, worth roughly $193,000.

Florent did not charge a fee, commission, or cut for his work, citing curiosity as his main driver. However, the grateful investors have already sent him voluntary whitehat rewards.

Malicious hackers likely ignored this contract for years because it had no ownership flaw to exploit. The code only allowed funds to be sent back to the original investors, leaving nothing for a thief to steal.

Using AI to Scan for Trapped Crypto

Florent uncovered this contract using a self-hosted Ethereum node and a custom scanner designed to flag any contract holding over 100 ETH.

While he utilized an AI tool called Claude Code to speed up data sorting and contract clustering, he noted that AI models still struggle with deep smart contract analysis. According to Florent, AI tends to assume an old contract is uncrackable simply because other developers failed to find a solution in the past.
