0xflorent, a security expert, identified an integer-overflow vulnerability in the HongCoin token sale contract, enabling the team to release funds for 48 initial investors. This marks the second recovery he has announced in just eight days.
By Shaurya Malwa | Jun 1, 2026, 6:52 a.m.
Key Details:
- Security researcher 0xflorent assisted the HongCoin team in unlocking approximately 1,003.62 ETH, valued at around $2 million, that had been inaccessible due to a smart contract issue for nine years.
- By collaborating with the multisig wallet holders of HongCoin, he exploited an uncorrected integer-overflow flaw in an admin function to reset token balances and circumvent a faulty refund cap that had restricted larger withdrawals.
- This recovery allows 48 original investors to reclaim their funds and follows another recent recovery by 0xflorent, amid a series of significant DeFi exploits that have drained millions from crypto protocols.
In a notable intervention, a security researcher known as 0xflorent worked with the HongCoin team to liberate around $2 million in ether that had been stuck for nine years due to a flaw in the contract’s design.
The smart contract in question belongs to HongCoin, which was part of a 2016 token sale that did not meet its funding target and was intended to automatically refund investors, but failed because of a defect in the refund mechanism.
Thanks to 0xflorent's efforts, 1,003.62 ETH has been unfrozen, making it possible for 48 original investors to claim their funds. So far, two investors have successfully retrieved a total of 96.5 ETH, equivalent to about $193,000, he reported in a thread on X.
"First white-hat exploit on Ethereum: I unlocked 1,003.62 Ξ ($2,000,000) trapped in a 2016 ICO smart contract for 9 years. The 48 original investors can now claim their funds. pic.twitter.com/lyh5iyaDu7"
— 0xflorent.eth (@0xFlorent_) May 31, 2026
The refund logic in the contract had rejected any holder whose token balance surpassed a global counter that had been diminished to 356 through years of partial refunds, limiting further refunds to just 3.56 ETH.
0xflorent discovered that the admin function, accessible only to HongCoin's multisig wallet, lacked the integer-overflow safeguards that were later integrated into the Solidity programming language. Calling this function with a specific input made it possible to reset a holder's balance to one, which allowed the refund process to succeed and released the funds.
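The arithmetic behind that reset, as an added example that is not HongCoin's contract code or the researcher's: a Python model of uint256 addition with and without overflow checks. The `admin_credit` function, the class and helper names, and the 50,000-token balance are assumptions made for illustration; only the refund counter of 356 comes from the article, and the payout itself is not modelled.

```python
# Constructed model, not HongCoin's contract code. All names are hypothetical.
UINT256_MOD = 2**256

class Overflow(Exception):
    """Stands in for the revert that checked arithmetic triggers."""

def add_wrapping(a: int, b: int) -> int:
    """Early Solidity behaviour: uint256 addition silently wraps around."""
    return (a + b) % UINT256_MOD

def add_checked(a: int, b: int) -> int:
    """Behaviour with overflow safeguards: the call aborts instead of wrapping."""
    total = a + b
    if total >= UINT256_MOD:
        raise Overflow(f"{a} + {b} does not fit in uint256")
    return total

class TokenModel:
    def __init__(self, balances, refund_counter, add=add_wrapping):
        self.balances = dict(balances)
        self.refund_counter = refund_counter  # global counter from the article
        self._add = add

    def refund_allowed(self, holder) -> bool:
        """Cap from the article: a balance above the counter is rejected."""
        return self.balances[holder] <= self.refund_counter

    def admin_credit(self, holder, amount: int) -> None:
        """Assumed multisig-only function that adds to a holder's balance."""
        if not 0 <= amount < UINT256_MOD:
            raise ValueError("amount is not a uint256")
        self.balances[holder] = self._add(self.balances[holder], amount)

def amount_wrapping_to(current: int, target: int) -> int:
    """Input for which wrapping addition maps `current` onto `target`."""
    return (target - current) % UINT256_MOD

def demo(add):
    # Constructed holder with 50,000 tokens against the counter of 356.
    token = TokenModel({"holder": 50_000}, refund_counter=356, add=add)
    before = token.refund_allowed("holder")
    try:
        token.admin_credit("holder", amount_wrapping_to(50_000, 1))
        outcome = "applied"
    except Overflow:
        outcome = "reverted"
    return before, token.refund_allowed("holder"), token.balances["holder"], outcome

if __name__ == "__main__":
    for add in (add_wrapping, add_checked):
        print(add.__name__, demo(add))
```

With wrapping addition the balance lands on 1 and passes the cap; with checked addition the same call aborts and the balance is unchanged, which is why the workaround existed only in a contract written before those safeguards.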
However, this recovery was not a one-sided exploit. The admin function required execution by HongCoin's multisig team, so 0xflorent communicated with them, validated the unlocking procedure on a test version of Ethereum's mainnet, and the team itself approved the unlock transactions.
The team signed off on 41 transactions—one for each blocked holder—thus releasing nearly 1,000 ETH that was genuinely trapped. Additionally, seven holders had small enough balances to receive refunds directly without needing the workaround.
This marks the second recovery that 0xflorent has made public within eight days.
On May 24, he reported that he had returned 19.329 ETH, valued at around $40,590, to its original owners, including 5.141 ETH from a failed January 2018 ICO and 14.190 ETH from seven expired atomic swaps in a Liquality Wallet user account that became inaccessible after the wallet ceased operations in 2024.
This recovery occurs during a period marked by numerous DeFi exploits, with April seeing hundreds of millions of dollars siphoned from various protocols, highlighted by a significant $293 million loss at Kelp DAO.
