Skip to content
Est. MMXXVIVol. VI · № 304RSS
Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 303Oracle Manipulation

Edel Finance xStock Exchange-Rate Manipulation

A flash-loan-funded attacker inflated Edel Finance's internal wGOOGLx exchange rate ~78x, borrowing against phantom tokenized-Google-stock collateral to leave about $403,000 in bad debt.

Date
Chain(s)
Status
Funds Stolen

On July 1, 2026, Edel Finance — a DeFi lending protocol for tokenized equities — was exploited for approximately $403,000 after an attacker manipulated the exchange rate of its wrapped tokenized-Google-stock collateral, inflating it roughly 78× (about 7,700%) to borrow real assets against phantom value.

What happened

Edel lets users borrow against xStocks — tokenized equities such as GOOGLx, a token tracking Alphabet (Google) shares. As collateral, borrowers post wGOOGLx, a wrapped form of GOOGLx held in an ERC-4626 vault. Edel derived the collateral's value by multiplying a Chainlink spot price for GOOGLx by an internal exchange rate governing the GOOGLx ↔ wGOOGLx conversion (the vault's assets-per-share ratio).

Crucially, the Chainlink feed was correct — it accurately reported Alphabet's real share price in USD. The flaw lay entirely in that internal wrapper exchange rate. The attacker took a 180,000 USDC flash loan from Morpho Blue, then executed repeated borrow-and-redeem cycles, redeeming wGOOGLx and donating GOOGLx back into the ERC-4626 vault. Each donation lifted the vault's assets-per-share ratio — from roughly 6 to nearly 79 — so wGOOGLx was suddenly valued at about 78× its true worth. Against that inflated collateral the attacker borrowed out the protocol's real reserves, leaving roughly $403,000 in bad debt, and moved the proceeds toward Tornado Cash.

Aftermath

Edel said it detected and contained the exploit the same day and paused all v1 contracts. The team pledged that no depositor would bear a loss — it would absorb the bad debt and restore affected balances 1:1 — offered the attacker a white-hat settlement, and said it was coordinating with exchanges. Edel also announced a v2 with a redesigned oracle architecture meant to prevent this class of exchange-rate manipulation. Because the stolen funds were routed toward Tornado Cash rather than returned, the incident is classified as a loss covered by the team rather than a recovery.

Why it matters

Tokenized real-world-asset (RWA) collateral introduces a second price surface — the wrapper's exchange rate — that a correct external oracle does not protect. This is the same ERC-4626 share-price / donation-inflation primitive behind Resupply, where a crvUSD donation inflated a lending vault's share price to mint an outsized loan, and it echoes the redemption-math flaws that drained Thetanuts. As equities move on-chain as collateral, the lesson is blunt: pricing must be validated end to end — every conversion from oracle to collateral value is attackable, and a pristine Chainlink feed is worthless if the internal exchange rate feeding off it can be donated into orbit.

Sources & on-chain evidence

  1. [01]coindesk.comhttps://www.coindesk.com/tech/2026/07/01/tokenized-google-stock-inflated-7-700-in-rare-defi-lending-exploit
  2. [02]cryptotimes.iohttps://www.cryptotimes.io/2026/07/01/edel-finance-hacked-403k-stolen-as-attacker-moves-funds-to-tornado-cash/
  3. [03]ambcrypto.comhttps://ambcrypto.com/edel-finance-loses-403k-as-flash-loan-oracle-exploit-hits-xstock-lending-reserves/
  4. [04]crypto-economy.comhttps://crypto-economy.com/attacker-manipulates-tokenized-google-shares-to-drain-defi-lending-protocol/
  5. [05]x.comhttps://x.com/edeldotfinance/status/2072154468058022033

Related filings