Edel Finance Exploit: On-Chain Data Shows How a Near-Empty Wrapper Broke a Tokenized-Stock Lender
— By Tony Rabbit in News

A wrapped Alphabet-stock token with zero on-chain market was inflated about 78x to drain Edel Finance for roughly $403,000. We traced the exploit transaction and pulled the collateral data that explains why it worked.
On July 1, 2026, an attacker drained Edel Finance, a DeFi lending market built for tokenized equities, of roughly $403,000. The mechanism was unusual: the price oracle was not compromised. Chainlink reported Alphabet's real share price correctly the entire time. The weak point was the collateral itself, a wrapped tokenized-stock token that, according to DEXTools on-chain data, has almost no market behind it. We pulled the exploit transaction and the token data to show exactly how thin the collateral was and why that made the attack possible.
The incident at a glance
- Protocol: Edel Finance (Edel Lending V1), an Ethereum lending market for tokenized equities (xStocks).
- When: July 1, 2026, exploit transaction confirmed at 00:24:47 UTC in block 25434062.
- How: a flash loan funded repeated deposits into a wrapped-token vault, inflating the vault's internal exchange rate so the collateral was priced about 78x too high.
- Not an oracle-feed hack: the Chainlink price for Alphabet stayed correct at roughly $357 throughout.
- Aftermath: flagged in real time by Blockaid, funds routed to Tornado Cash, and Edel paused all V1 contracts.
What the exploit transaction actually shows
We opened the exploit transaction on Ethereum mainnet and decoded it independently. It is a single contract-creation transaction sent from a freshly funded wallet (0x5842...11C76), and it was that wallet's very first transaction. Inside it, the receipt logs 502 events, of which 228 are ERC-20 token transfers touching 17 distinct token contracts. That single transaction is the entire attack.
The transfers map cleanly onto the mechanism. A stablecoin flash loan of about 180,000 USDC (reported as sourced from Morpho) provided the working capital. The attacker then cycled tokenized Alphabet stock (GOOGLx) in and out of the wrapped-token vault that issues wGOOGLx, the token Edel accepts as collateral. Crucially, the transaction does not only borrow USDC. It opens variable-debt positions across every reserve in the market at once: we can see the protocol's internal debt tokens for wGOOGLx, wSPYx, wQQQx, wMSTRx, wNVDAx and USDC all minted inside the same transaction. In plain terms, the attacker used the inflated collateral to borrow out the entire lending pool, not just the dollar reserve.
Token roles decoded from the exploit transaction receipt on Ethereum mainnet. The wallet was later assigned an EIP-7702 delegation, a detail consistent with a purpose-built, disposable attack account.
The mechanism: a vault rate, not a price feed
The subtle part is why an accurate Chainlink price did not protect the protocol. Edel valued wGOOGLx collateral by reading the wrapped-token vault's own conversion rate, the amount of underlying GOOGLx each wGOOGLx share is worth. That rate is exposed through a standard tokenized-vault interface, and it can be pushed upward by donating assets straight into the vault. According to Edel and security firm SlowMist, the attacker repeatedly redeemed and donated GOOGLx to lift the vault's assets-per-share ratio from roughly 6 to nearly 79. Edel's lending contract read that inflated rate as gospel, so a small amount of wGOOGLx was suddenly worth about 78 times what it should have been, roughly a 7,700% over-valuation. The oracle was telling the truth about the stock; the protocol was asking the wrong question.
This is a close cousin of classic price manipulation, and it belongs in the same family as the attacks we cover in our explainer on oracle manipulation in DeFi and the ERC-4626 donation vector detailed in our flash-loan attack guide. The root cause named by analysts was a valuation path with no rate limits and no donation protection.
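The valuation flaw described in the two paragraphs above, next to a reader with the two missing controls (donation protection and a rate limit), as an added example that is not Edel's code or any analyst's. The class names, the 1% step cap and the vault figures are constructed assumptions, chosen to reproduce the reported 78x multiple at the roughly $357 feed price rather than the real vault state.

```python
from fractions import Fraction

class WrapperVault:
    """Constructed model of a wrapper vault's share accounting."""
    def __init__(self, shares: int, assets: int):
        self.shares = shares      # wrapper shares outstanding
        self.tracked = assets     # assets booked through vault accounting
        self.balance = assets     # raw underlying balance held by the vault

    def donate(self, amount: int) -> None:
        # Direct transfer: balance grows, no shares minted, nothing booked.
        self.balance += amount

    def accrue(self, amount: int) -> None:
        # Gain booked through the vault's own accounting.
        self.tracked += amount
        self.balance += amount

    def naive_rate(self) -> Fraction:
        # Assets per share from the raw balance: movable by donation.
        return Fraction(self.balance, self.shares)

    def tracked_rate(self) -> Fraction:
        # Assets per share from booked assets only: donations are ignored.
        return Fraction(self.tracked, self.shares)

class GuardedRate:
    """Rate reader with donation protection and a per-read step cap."""
    def __init__(self, vault: WrapperVault, max_step: Fraction = Fraction(1, 100)):
        self.vault, self.max_step = vault, max_step
        self.last = vault.tracked_rate()

    def read(self) -> Fraction:
        lo = self.last * (1 - self.max_step)
        hi = self.last * (1 + self.max_step)
        self.last = min(max(self.vault.tracked_rate(), lo), hi)
        return self.last

def collateral_usd(shares: int, rate: Fraction, price_usd: int) -> Fraction:
    # Value = shares * underlying-per-share * feed price of the underlying.
    return shares * rate * price_usd

def scenario() -> dict:
    vault = WrapperVault(shares=100, assets=100)    # constructed: rate 1
    guard = GuardedRate(vault)
    before = collateral_usd(10, vault.naive_rate(), 357)
    vault.donate(7700)                              # constructed: rate 78
    naive = collateral_usd(10, vault.naive_rate(), 357)
    guarded = collateral_usd(10, guard.read(), 357)
    vault.accrue(100)                               # booked rate doubles
    return {"before": before, "naive": naive, "guarded": guarded, "capped": guard.read()}
```

With a correct feed price in both cases, the naive reader values the same 10 shares at 78 times the pre-donation figure, while the guarded reader is unmoved by the donation and lets even a booked doubling through only 1% per read.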
The DEXTools data: why the collateral was fragile by construction
This is where the on-chain data turns a wire story into a structural one. We pulled DEXTools token data for the assets at the center of the attack. The collateral token itself, wGOOGLx, is effectively a phantom asset: DEXTools shows it with 0 holders, a total supply of about 0.12 tokens, no market cap and a DEXT Score of 0. It has no independent market at all, yet it was being used to back real loans.
The underlying tokenized stock, GOOGLx, looks healthier on paper but tells the same story underneath. It carries a market capitalization of about $25.7 million, but only 350 holders, and its DEXT Score breaks down to a liquidity, or pool, sub-score of just 1 out of 100. A supposedly $25 million asset with a pool score of 1 is a token that barely trades on-chain. That thinness is the whole point: when an asset has almost no real market, its internal wrapper rate is cheap to move.
Current DEXTools snapshot of Edel's wrapped-xStock collateral set. Holder counts are small across the board, and wGOOGLx, the token the attacker chose to inflate, was the emptiest of them all. Values are a live snapshot and will change.
Read together, the numbers explain the target selection. Every wrapped reserve in this market was small, but wGOOGLx was the thinnest, with zero holders and a negligible supply. That is precisely the token you would pick if your plan is to move a vault's exchange rate with a handful of donations. You can run the same checks on any token yourself with our Token Safety Checker, and our explainer on the DEXT Score covers what the liquidity sub-score means.
How much was actually lost
The headline figure is about $403,000, the bad-debt number confirmed by the Edel team and cited by most outlets, and it lines up with DeFiLlama data showing the market's total value locked collapsing from roughly $630,000 to around $947, described as its largest net outflow on record. It is worth being precise, because security firms sized the loss differently: initial estimates ranged from roughly $204,000 (CertiK) to about $353,000 (Cyvers) to the ~$403,000 loss and ~$305,000 attacker profit reported by GoPlus. The gap is the usual one between funds drained, residual bad debt and attacker net profit. We treat ~$403,000 as the protocol loss and the rest as a range, not a single settled number.
Response and what it means for tokenized-equity DeFi
Edel paused all V1 contracts, which remain offline, and said it would absorb the bad debt and restore depositor balances one-to-one. The team offered the attacker a white-hat settlement, though funds had already been routed to Tornado Cash, and said a redesigned V2 with a new valuation system is in deployment. The immediate lesson is narrow and technical: never derive a collateral price from a wrapper rate that anyone can push around by donating into the vault.
The broader lesson is the one the DEXTools data makes hard to ignore. Tokenized stocks are one of 2026's fastest-growing narratives, from Robinhood's own L2 to Coinbase's product push. But an asset can have a real-world price and still have almost no on-chain market, and thin markets are fragile collateral. We made the same point about liquidity reality in our look at xStocks trading on BNB Chain. Before a tokenized-equity token is trusted as collateral, or as anything, the on-chain question is not only what the stock is worth, but whether the token has a market at all. Checking that a pool cannot be trivially manipulated is the same discipline as verifying a liquidity lock before trusting it.
Methodology and disclaimer: incident facts are drawn from Edel Finance's public statements and reporting by CoinDesk, AMBCrypto, CryptoSlate and others, with security analysis attributed to Blockaid, SlowMist, GoPlus, Cyvers and CertiK. The transaction trace (block 25434062, 228 ERC-20 transfers, 17 token contracts) was decoded independently from Ethereum mainnet, and the token holder, market-cap and DEXT Score figures are a live DEXTools snapshot taken shortly after the event; all on-chain values change over time. Loss estimates vary by firm and are presented as a range. This article is for information only and is not financial advice.