A whitehat developer has helped recover about $2 million in ether from a failed Ethereum ICO contract that had trapped investor funds for nine years. The recovery involved HongCoin, a 2016 token sale that missed its funding goal but failed to return all investor funds due to a smart contract bug.
The security researcher, known as 0xflorent, worked with HongCoin’s multisig wallet holders to unlock 1,003.62 ETH. The funds now make 48 original investors eligible to reclaim their ether.
HongCoin raised funds through an Ethereum ICO in 2016, during the early years of token sales. The project failed to meet its funding goal and the smart contract was designed to refund investors. However, a bug in the refund logic blocked larger withdrawals and left funds locked for years.
According to 0xflorent, the contract used the wrong balance check after years of partial refunds. The refund function rejected holders whose balances were above a global counter that had fallen to 356. As a result, some investors could only refund up to 3.56 ETH, even when they had more funds locked.
0xflorent found that an admin function in the contract still allowed a path to correct the issue. That function lacked integer-overflow protections, which later became standard in Solidity. By using a specific input, the contract could reset a blocked holder’s balance to one and allow the refund process to continue.
However, the recovery did not happen through a unilateral exploit. The function required approval from HongCoin’s multisig wallet. 0xflorent contacted the team, tested the process on an Ethereum mainnet fork, and the team later signed the required transactions.
HongCoin’s team signed 41 unlock transactions for investors who could not withdraw through the normal refund process. Another seven holders had small enough balances to claim funds directly without using the workaround. In total, the process freed about 1,003.62 ETH that had remained stuck since 2016.
Two investors had already claimed a combined 96.5 ETH after the unlock, according to 0xflorent’s public update. The amount was worth about $193,000 at the time of the report. On-chain records also showed the contract activity and unlocked wallet movements linked to the recovery.
Notably, this was the second recovery 0xflorent had shared within eight days. On May 24, he said he had returned 19.329 ETH to the original owners. That amount included 5.141 ETH from a failed January 2018 ICO and 14.190 ETH from expired atomic swaps linked to a Liquality Wallet user account.
Meanwhile, the HongCoin case shows how old smart contracts can still hold recoverable funds when access paths remain available. Yet the process depends on specific contract conditions, reachable wallet holders, and careful testing before any live transaction is signed.
The recovery also comes as DeFi security remains under pressure. Reports cited more than $840 million in losses during the first five months of 2026. April alone accounted for more than $600 million in stolen funds, including a roughly $293 million exploit linked to Kelp DAO.
Experts raised doubts over whether similar recoveries can happen often. Andy Yajin Zhou, associate professor at the Chinese University of Hong Kong and co-founder of BlockSec, told Decrypt that recoveries like these remain ‘unique.’ He added, “Unfortunately, we cannot assume that old Ethereum contracts generally have such flaws.”
Zhou also said some funds remain locked with ‘lost keys or irreversible contract logic.’ That means old contracts may not always offer a safe or legal route for recovery. In many cases, the original teams may no longer be active, or the contract may not include any working admin function.
Dominick John, an analyst at Zeus Research, told Decrypt that the case shows some funds written off as ‘lost’ may not be beyond reach. However, the HongCoin recovery depended on a rare mix of technical access, team coordination, and a flaw that allowed funds to move without taking them from rightful owners.