
White Hat Hacker Unlocks $2 Million in 2016 Smart Contract
White hat hacker Florent unlocked $2 million from a 2016 smart contract.
Nearly nine years after the failed ICO of the HongCoin project, a white hat hacker known as Florent unlocked 1,003.62 ETH (approximately $2 million).
First white-hat exploit on Ethereum: I unlocked 1,003.62 Ξ ($2,000,000) trapped in a 2016 ICO smart contract for 9 years. The 48 original investors can now claim their funds. pic.twitter.com/lyh5iyaDu7
— 0xflorent.eth (@0xFlorent_) May 31, 2026
The funds were stuck in the HONG smart contract, deployed on August 29, 2016. The sale did not reach its minimum target, and the ETH was supposed to be returned to investors automatically. However, a critical error in the refund function left the coins frozen.
The mechanism rejected user requests if their balance exceeded the value of the global counter.
Florent discovered a vulnerability in an administrative function of the contract, which was written in Solidity v0.3.5. Older versions of the language lacked protection against integer overflow. The hacker found that a specific function call allows the balance of an address to be reset, after which the refund function's check passes.
Since access to the admin function was restricted by the HongCoin team’s multisig, the researcher contacted the developers. Together, they conducted 41 transactions to unlock the addresses of 48 investors.
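The mechanism described above can be modelled in a few lines. This is an added illustration, not the HONG contract's code or Florent's tooling: the class, the function names, the deposit bookkeeping and all values are assumptions, and Python integers stand in for EVM `uint256` words.

```python
UINT256 = 2**256  # EVM word size: arithmetic is modulo 2**256

class RefundModel:
    """Constructed model; every name here is hypothetical, not HONG's code."""

    def __init__(self, checked):
        self.checked = checked    # True: revert on overflow (Solidity >= 0.8)
        self.balances = {}        # token balance per address
        self.deposits = {}        # wei owed per address (assumed bookkeeping)
        self.global_counter = 0   # the "global counter" the refund guard reads

    def admin_credit(self, addr, amount):
        """Privileged balance adjustment (multisig-gated in the article)."""
        total = self.balances.get(addr, 0) + amount
        if total >= UINT256:
            if self.checked:
                raise OverflowError("uint256 addition overflow")
            total %= UINT256      # legacy compilers wrap silently
        self.balances[addr] = total

    def refund(self, addr):
        # The faulty guard: a balance above the counter blocks the refund.
        if self.balances.get(addr, 0) > self.global_counter:
            raise PermissionError("balance exceeds global counter")
        self.balances[addr] = 0
        return self.deposits.pop(addr, 0)

def try_refund(model, addr):
    try:
        return model.refund(addr)
    except PermissionError:
        return None               # refund rejected, funds stay locked

def scenario(checked):
    """Return (refund before, did the admin call wrap, refund after)."""
    m, investor = RefundModel(checked), "0xINVESTOR"   # constructed address
    m.balances[investor] = 500                         # constructed values
    m.deposits[investor] = 5 * 10**18
    m.global_counter = 100
    before = try_refund(m, investor)
    try:
        m.admin_credit(investor, UINT256 - 500)        # sum is exactly 2**256
        wrapped = True
    except OverflowError:
        wrapped = False
    return before, wrapped, try_refund(m, investor)

if __name__ == "__main__":
    print("unchecked (pre-0.8):", scenario(False))
    print("checked (>= 0.8):   ", scenario(True))
```

With checked arithmetic the same privileged call reverts and the guard keeps rejecting the refund, which is why audits of legacy contracts treat unchecked arithmetic in admin functions as in scope.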
Two investors have already withdrawn 96.5 ETH and voluntarily sent a reward to the hacker.
HongCoin was positioned as “venture capital for everyone.” The ICO lasted from August 29 to October 28, 2016. All 1,003.62 ETH were sent to this contract and remained there until now.
Florent has previously helped recover access to assets in other outdated protocols, including a failed 2018 ICO and Liquality atomic swaps. He says he uses proprietary software and AI tools for initial code analysis to find vulnerable contracts with balances exceeding 100 ETH.
April saw a record monthly number of hacks in the crypto industry: more than 20 incidents caused $651 million in damage.