A white-hat researcher extracted 1,003.62 ETH, roughly $2 million at current prices, from a 2016 ICO smart contract that had held the funds inaccessible for nine years. The exploit enables 48 original investors to reclaim capital that’s been locked since the ICO era’s peak, when hundreds of projects raised money and vanished or failed to deliver functional refund mechanisms.
Florent, the researcher behind the recovery, announced the unlock yesterday, calling it “the first white-hat exploit on Ethereum.” The contract in question belonged to HongCoin, a project that raised money in 2016 and never returned investor funds through normal channels. The design flaw or oversight that trapped the ETH wasn’t disclosed in detail, but the researcher’s intervention bypassed whatever logic kept the refund function from executing.
Nine Years, No Exit
ICO contracts from 2016 weren’t known for defensive programming. Many lacked fail-safes, multisig controls, or clear refund paths if a project collapsed. HongCoin appears to have been one of them. The 48 investors who sent ETH into the contract, when ETH itself was worth a fraction of today’s price, had no recourse until now. Whether they even knew the funds were still on-chain is unclear, but the recovery means they can pull out capital that’s appreciated dramatically over nearly a decade.
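To make concrete what a "clear refund path" and a "fail-safe" look like in a crowdsale contract, here is an added illustrative example. It is not HongCoin's contract, nor code from Florent's recovery, and the design flaw in HongCoin is not known from this article; the contract name, function names and parameters below are all hypothetical. The point it demonstrates is that contributors can recover their ETH without any action by the project team: refunds open automatically if the funding goal is missed by the deadline, and also if the goal was met but the team never withdrew within a fixed claim window.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical crowdsale escrow (added example, not HongCoin's code).
// Contributors always have a self-serve exit; nothing depends on the team
// remembering, or being around, to trigger a refund.
contract RefundableSale {
    address public immutable beneficiary;  // project wallet paid on success
    uint256 public immutable goal;         // minimum raise, in wei, for the sale to succeed
    uint256 public immutable deadline;     // contributions close at this timestamp
    uint256 public immutable claimWindow;  // seconds after deadline the team has to withdraw

    uint256 public raised;
    bool public withdrawn;
    mapping(address => uint256) public contributions;

    event Contributed(address indexed from, uint256 amount);
    event Refunded(address indexed to, uint256 amount);
    event Withdrawn(address indexed to, uint256 amount);

    constructor(address _beneficiary, uint256 _goal, uint256 _durationSeconds, uint256 _claimWindowSeconds) {
        require(_beneficiary != address(0), "zero beneficiary");
        beneficiary = _beneficiary;
        goal = _goal;
        deadline = block.timestamp + _durationSeconds;
        claimWindow = _claimWindowSeconds;
    }

    function contribute() external payable {
        require(block.timestamp < deadline, "sale closed");
        require(msg.value > 0, "no value");
        contributions[msg.sender] += msg.value;
        raised += msg.value;
        emit Contributed(msg.sender, msg.value);
    }

    // Refunds open when either:
    //  (a) the deadline passed and the goal was not met, or
    //  (b) the goal was met but the beneficiary never withdrew within claimWindow
    //      (the case of a team that raises money and then disappears).
    function refundsOpen() public view returns (bool) {
        if (withdrawn || block.timestamp < deadline) return false;
        if (raised < goal) return true;
        return block.timestamp >= deadline + claimWindow;
    }

    function claimRefund() external {
        require(refundsOpen(), "refunds not open");
        uint256 amount = contributions[msg.sender];
        require(amount > 0, "nothing to refund");
        contributions[msg.sender] = 0;  // update state before the external call
        raised -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "refund transfer failed");
        emit Refunded(msg.sender, amount);
    }

    // The beneficiary may withdraw once, only after a successful sale has closed,
    // and only while the claim window is still open; after that, refunds take over.
    function withdraw() external {
        require(msg.sender == beneficiary, "not beneficiary");
        require(block.timestamp >= deadline, "sale still open");
        require(raised >= goal, "goal not met");
        require(!withdrawn, "already withdrawn");
        require(block.timestamp < deadline + claimWindow, "claim window elapsed; refunds open");
        withdrawn = true;
        uint256 amount = address(this).balance;
        (bool ok, ) = beneficiary.call{value: amount}("");
        require(ok, "withdraw transfer failed");
        emit Withdrawn(beneficiary, amount);
    }
}
```

The two time-based conditions in refundsOpen() are the fail-safe: a contract with only a team-triggered refund() function leaves contributors stranded the moment the team stops responding, which is the situation the 48 HongCoin investors were in for nine years. Zeroing the contributor's balance before the transfer keeps the refund path safe against reentrancy, and the single withdrawn flag ensures the two exits (team withdrawal, contributor refunds) can never both pay out.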
The timing is notable. The economics of white-hat work have drawn sharp criticism this month after another researcher pointed out the risk-reward imbalance in responsible disclosure. One tweet contrasted this week’s $5.4 million Gravity Bridge exploit, where the attacker laundered a portion and still holds over $4.2 million in ETH, with the reality that “no white hat won even $100k this week.” Researchers spend weeks on proofs-of-concept, the argument goes, only to get lowballed or ghosted while black hats walk away with eight figures.
Incentive Structure Under Scrutiny
The Gravity Bridge drain happened just a day before Florent’s announcement. The juxtaposition highlights the lopsided economics: malicious actors extract millions with impunity, white hats negotiate for a fraction of the saved capital, and protocols often close bug reports without payment. The researcher who called out the disparity asked whether the system pushes good-faith hackers “the other way.”
Florent’s recovery doesn’t appear to have involved a traditional bug bounty. Whether the 48 investors or any residual HongCoin entity compensated the work is unknown. What’s certain is that the ETH is now claimable, and the contract that held it for nearly a decade no longer does. For a cohort of early Ethereum participants, it’s an unexpected payday from an investment they likely wrote off years ago.
