Summary
- A whitehat developer has successfully retrieved $2 million in ETH that has been locked since the 2016 ICO of HongCoin.
- The HongCoin team implemented the developer's solution to release refunds that were previously blocked due to a bug in the smart contract.
- Such recoveries are infrequent but could reveal hidden value, according to insights from Decrypt.
An Ethereum developer managed to recover over 1,000 ETH, equivalent to approximately $2 million, from a failed crypto initiative dating back to 2016, freeing funds that had been entangled in an outdated smart contract for nearly a decade.
In a tweet on Sunday, the developer, known as 0xFlorent_, explained that the ICO contract for HongCoin was intended to issue refunds to investors after the project failed to meet its funding objectives. However, a bug hindered the refund process, leaving the ETH inaccessible.
First white-hat exploit on Ethereum: I unlocked 1,003.62
Ξ ($2,000,000) trapped in a 2016 ICO smart contract
for 9 years.The 48 original investors can now claim their funds. pic.twitter.com/lyh5iyaDu7
— 0xflorent.eth (@0xFlorent_) May 31, 2026
Initial Coin Offerings, or ICOs, were a prevalent method for crypto projects to secure funding during the early days of Ethereum. Investors exchanged ETH for tokens linked to projects that were often still in development.
0xFlorent_ discovered a method to enable HongCoin’s outdated contract to identify previously blocked investors and release their refunds. This recovery involved 48 investors, and he provided Etherscan records as on-chain verification of the contract and the unlocked wallet.
Previously, the contract had utilized an incorrect number to determine which investors were eligible for refunds. The developer's solution rectified this for each affected holder, leading to HongCoin’s team executing 41 unlock transactions.
A whitehat like 0xFlorent_ is a security expert or developer who identifies vulnerabilities to protect systems or recover funds rather than exploit them.
This recovery takes place amid a rise in attacks targeting the decentralized finance sector, which has seen losses exceeding $840 million in just the first five months of 2026, with April alone accounting for over $600 million in stolen assets.
Uncommon Recovery
As smart contracts can remain operational long after projects have ceased, prior errors can result in funds being frozen for extended periods. The recovery of funds from HongCoin indicates that some of these assets may still be retrievable if the original team can be contacted and the contract allows for access.
However, such recoveries are still considered "rare" and do not imply that large sums of lost funds can be easily retrieved, remarked Andy Yajin Zhou, an associate professor at the Chinese University of Hong Kong and co-founder of the on-chain security firm BlockSec, in a statement to Decrypt.
“The recovery was feasible because the contract contained a vulnerability that permitted a whitehat developer to safely extract and restore the funds,” Zhou noted. “Regrettably, we cannot assume that older Ethereum contracts generally possess similar vulnerabilities.”
Funds may remain locked due to "lost keys or irreversible contract logic," Zhou added, emphasizing that no dependable estimate exists regarding the total amount of ETH permanently trapped in older contracts.
Nevertheless, this case suggests that some assets previously deemed "lost" might still be accessible, illustrating that smart contracts are not necessarily “dead ends,” according to Dominick John, an analyst at Zeus Research, who spoke with Decrypt.
Enhanced security research and blockchain technology could facilitate the recovery of more stranded assets from outdated on-chain systems, potentially revealing "dormant value" while highlighting the “limitations” inherent in earlier smart contract designs, he concluded.