Tokenized-stock wrapper flaw let attacker borrow $400K
Edel disclosed a flash-loan exploit that inflated wGOOGLx collateral about 78x, allowing an attacker to borrow about $384,215 in USDC and other assets. Edel will absorb the bad debt and restore depositor balances.
Edel disclosed that a flash-loan attacker manipulated the wGOOGLx/GOOGLx exchange rate, inflating wGOOGLx collateral by roughly 78 times and borrowing assets including about $384,215 in USDC and wrapped positions in SPYx, QQQx, MSTRx, NVDAx and TSLAx. The protocol said it will absorb the bad debt, restore affected depositor balances one-for-one and rebuild its oracle architecture in a version two release.
Security firms traced the exploit to the protocol’s price source. The feed returned an ERC-4626-style vault conversion value directly, reading the vault’s convertToAssets() rate. An attacker can move that conversion rate by controlling the vault’s flow; the exploit used a flash loan to repeatedly supply and borrow, shifting the wGOOGLx/GOOGLx conversion rate before withdrawing real assets. The protocol’s lending market had priced the wrapped token’s exchange rate as stable, which left it exposed when the conversion rate was distorted. The incident did not involve any change in Alphabet’s share price.
Estimates of the financial impact varied. Reported figures ranged from about $204,000 to roughly $403,000, reflecting different measures such as drained funds, gross loss and net attacker profit. One analysis put attacker profit near $305,000. The differences come from how firms counted bad debt, assets withdrawn and loss after the protocol’s planned remedies.
Market trackers show tokenized equities are increasingly used onchain. One estimate places on-chain value for tokenized stocks near $1.7 billion, and more than 100 stocks and ETFs are available across multiple platforms with aggregate transaction volumes exceeding $25 billion. Several issuers and lending markets accept tokenized shares as collateral or offer wrapped versions intended for DeFi use.
Security researchers and protocol operators pointed to technical fixes and market controls recommended after the exploit. Suggested measures include separating issuer-level prices from wrapper exchange rates, building oracle paths that a single flash loan cannot move, capping how much wrapped token collateral a lending market accepts, and enforcing conservative loan-to-value limits for tokenized equities. Edel has said it will redesign its oracle path in a version two release to prevent a single flash loan from moving reported prices.
Content on BlockPort is provided for informational purposes only and does not constitute financial guidance.
We strive to ensure the accuracy and relevance of the information we share, but we do not guarantee that all content is complete, error-free, or up to date. BlockPort disclaims any liability for losses, mistakes, or actions taken based on the material found on this site.
Always conduct your own research before making financial decisions and consider consulting with a licensed advisor.
For further details, please review our Terms of Use, Privacy Policy, and Disclaimer.








