Skip to content

exploit

Edel Finance halts V1 after wGOOGLx wrapping bug drains $403K to Tornado Cash

A flash-loan-assisted exchange-rate manipulation between GOOGLx and wGOOGLx on Edel's xStock lending market inflated collateral 78×, opening ~$403K of bad debt routed through Tornado Cash.

by 5 min read

Edel Finance paused its V1 lending protocol on July 1, 2026 after an attacker used a flash loan to manipulate the internal exchange rate between GOOGLx, a wrapped tokenized-Alphabet share issued as part of the xStock line, and its rehypothecated form wGOOGLx. The manipulated ratio inflated the reported value of wGOOGLx collateral by roughly 78× — about 7,700% above its correct price — letting the attacker borrow real assets against phantom collateral. The primary source is Edel's own @edeldotfinance statement announcing the pause and the whitehat window; the on-chain evidence and attacker routing to Tornado Cash were surfaced by security firm Blockaid, whose findings were relayed by CoinDesk and AMBCrypto.

Net loss to the reserves: ~$403,000 in bad debt. Edel says depositors will be made whole from its own capital.

What happened

Edel Finance runs a lending market on tokenized equities issued as xStocks. The exploited pair — GOOGLx / wGOOGLx — is the deposit token for Alphabet-tracking shares and the wrapped, interest-bearing variant users pledge as collateral. The exploit was not a Chainlink feed compromise: multiple reports emphasize the Chainlink oracles correctly reported Alphabet's on-market share price throughout. The bug lived one layer deeper, in the accounting logic Edel used to convert between GOOGLx and its wrapped form.

The attack path per the reporting:

  1. Take a flash loan on Ethereum sized to move Edel's internal wrap/unwrap ratio.
  2. Push the ratio so 1 wGOOGLx redeems 78 GOOGLx — instead of the intended ~1:1 with accrued yield.
  3. Deposit the mispriced wGOOGLx as collateral. Because Edel's risk engine values collateral through the wrap rate rather than the market feed, the borrow limit follows the 78× inflation.
  4. Borrow the real stablecoin and blue-chip reserves against the phantom collateral. Walk. Repay the flash loan.
  5. Route the drained funds through Tornado Cash, per Blockaid's on-chain tracking.

The Chainlink feed did its job. The vulnerability was in how Edel translated the feed's answer into a collateral value for the wrapped token.

Numbers

- Bad debt created                : ~$403,000
- Collateral price inflation      : ~78× (~7,700%)
- Chain                           : Ethereum
- TVL immediately before exploit  : ~$630,000
- TVL after                       : ~$947
- Net outflow                     : ~$630,000 (drained + panic withdrawals)
- Loss borne by                   : Edel Finance (protocol capital, per team)
- Funds destination               : Tornado Cash (per Blockaid)
- Primary post-mortem             : forthcoming (Edel V2 announcement)

The gap between the ~$403K bad-debt figure and the ~$630K net TVL outflow is the panic exit by depositors that followed the exploit; the two numbers measure different things and both are in the reporting.

Skeptical attribution

No named actor. The exploiter EOA received the funds and, per Blockaid, moved them to Tornado Cash — the same laundering pattern used across dozens of DeFi drains this year, which by itself carries no attribution signal. There is no FBI, OFAC, or court filing naming the operator. Any "Lazarus" or specific-group tag on this exploit at press time is speculation. Read the address as an anonymous exchange-rate manipulator until on-chain analytics or a regulator produce sourced attribution.

Edel's response

Per the team's public statement, Edel:

  • Paused all V1 lending markets after detection on July 1.
  • Absorbs the ~$403K loss directly; depositor balances will be restored 1:1 once the process completes.
  • Opened a whitehat settlement window for the attacker to return funds in exchange for a bounty, and is coordinating with exchanges to flag the destination addresses.
  • Announced a redesigned V2 oracle architecture that prices wrapped positions off the underlying market feed rather than an internal exchange rate — the specific class of manipulation used here.
  • Committed to publishing a full technical post-mortem after investigation.

What to watch

  1. Whether the whitehat window closes with a return. Similar bounty offers have worked (2023 Euler, 2024 Radiant partial) and failed (most exploits routed via Tornado Cash). The next 72 hours will tell.
  2. The V2 oracle spec. Whether Edel replaces internal wrap-rate accounting with a full off-chain redemption oracle, and whether the wrap-rate manipulation gap is closed for other synthetic-yield collateral types (not just GOOGLx) is the material design question.
  3. xStock issuer response. GOOGLx and the xStock line are minted by an issuer separate from Edel; whether that issuer changes redemption mechanics, and whether other lending markets that list xStocks (Kamino, Marginfi, and others in the Solana-side ecosystem) audit their own wrap-rate treatment.
  4. Any wallet clustering by Chainalysis or Arkham. Post-Tornado-Cash tracing on this size of drain is only ever as good as the labelling firms' pipelines; a labelled hit within a week would materially change the recovery odds.

Context — wrap-rate manipulation is a recurring lending-market class bug

Wrapping bugs are not new. Every few months a lending market ships with collateral valued through an internal wrap/redeem curve rather than through the underlying market feed, and every few months a flash-loan operator finds the exchange-rate lever that lets them borrow real assets against inflated wrapped positions. The Yearn v1 accounting exploits in 2021 and multiple copycat vulnerabilities on smaller lending forks in 2024 and 2025 share the same skeleton: the market feed is right, the wrap-rate math is wrong, and the risk engine indexes collateral off the wrong number. As tokenized equities and yield-bearing wrappers proliferate — xStocks are one strand of a broader wave — this class of bug becomes more common, not less. Edel's V2 answer, pricing wrapped collateral through the underlying market feed, is the industry-standard fix; the story is that a July 2026 xStock lending market shipped without it.

Sources:

Related stories