Reproduced Exploit
Edel xStock — ERC4626 convertToAssets Donation Inflates Collateral and Drains Reserves
1. Edel markets treat wrapped xStock tokens (e.g. wGOOGLx) as collateral. Pricing goes through an AaveOracle path that ultimately depends on the wrapper's live convertToAssets() rate.
Loss
204,215.57 USDC + multi-asset xStock wrappers (wSPYx/wQQQx/wMSTRx/wNVDAx/wTSLAx)
Chain
Ethereum
Category
defi
Date
Jul 2026
EVM Playground
Source-level debugger — step opcodes and Solidity in sync
The attack is replayed in an in-browser EVM preloaded with the exact dumped fork state. Step by Solidity line or by opcode across all call depths; the source line, Stack, Memory, Storage, Transient storage and Return value stay in sync. Click any opcode or source line to jump. No backend, no live RPC.
Source & credit. Exploit reproduction, trace data, and analysis adapted from DeFiHackLabs by SunWeb3Sec — an open registry of reproduced on-chain exploits. Standalone Foundry PoC and full write-up: 2026-07-edel-xstock_exp in the
evm-hack-registrymirror. Upstream DeFiHackLabs PoC:src/test/…/edel-xstock_exp.sol.
Vulnerability classes: vuln/defi/donation-attack · vuln/oracle/price-manipulation · vuln/defi/flash-loan-attack
Reproduction: offline Foundry project at this folder. Trace: output.txt. Sources: AaveOracle, WrappedBackedToken (wGOOGLx), pool proxy 0x3EEeB3….
Key info#
| Loss | 204,215.57 USDC + multi-asset xStock wrappers (wSPYx/wQQQx/wMSTRx/wNVDAx/wTSLAx) |
| Vulnerable surface | Edel lending pool (Aave-style) + oracle that values wGOOGLx via ERC4626 convertToAssets() |
| Oracle | 0xBd497eE429D9D3E46446339286271b3714a83B29 |
| wGOOGLx | 0x1630F08370917E79df0B7572395a5e907508bBBc |
| Attacker | 0x58428161bB55c14A413945f06cbDeC157F411C76 |
| Attack tx | 0xe2320086b2815d21b0927839bd0e306466c29a68d38d5361e99dd21ec5472612 |
| Chain / block | Ethereum / 25,434,061 / July 2026 |
| Bug class | Collateral oracle trusts mutable ERC4626 exchange rate; direct GOOGLx donation into the wrapper inflates convertToAssets() and thus borrow power in the same transaction |
TL;DR#
-
Edel markets treat wrapped xStock tokens (e.g. wGOOGLx) as collateral. Pricing goes through an AaveOracle path that ultimately depends on the wrapper's live
convertToAssets()rate. -
wGOOGLx is a standard ERC4626-style vault over GOOGLx. Donating GOOGLx to the vault increases assets without minting shares, so
convertToAssets(shares)jumps. -
Attack:
- Morpho-flash 180,000 USDC, supply as USDC collateral on Edel.
- Loop 40×: borrow all wGOOGLx reserve → re-supply via a helper (recursive leverage of the wrapper reserve).
- Final borrow of remaining wGOOGLx →
redeemto GOOGLx → donate GOOGLx back to wGOOGLx. - Helper now has massively inflated collateral value → borrow remaining USDC + all other wrapped xStock reserves → repay Morpho.
-
Reproduced balances after attack (output.txt):
- USDC: 204,215.572188
- wSPYx: 122.20, wQQQx: 62.97, wMSTRx: 293.12, wNVDAx: 99.85, wTSLAx: 37.59
Root cause#
oracle price(wGOOGLx) ∝ convertToAssets(1 share)
convertToAssets ← totalAssets / totalSupply
totalAssets includes unsolicited GOOGLx transfers ← donation inflates price
No virtual-offset / totalAssets accounting separation, no max rate change per block, no TWAP on the wrapper rate.
Attack flow#
Recommendation#
- Price ERC4626 collateral with a manipulation-resistant rate (internal accounting, virtual shares/assets, or rate capped per block / TWAP).
- Do not use raw
convertToAssetsafter a same-block donation can move it. - Limit recursive borrow/re-supply loops against a single reserve (utilization caps, single-block borrow caps).
References#
- Attack tx: https://etherscan.io/tx/0xe2320086b2815d21b0927839bd0e306466c29a68d38d5361e99dd21ec5472612
- Analysis: https://x.com/TenArmorAlert/status/2072130807356129726
Sources & further analysis#
Reproductions & code
- Standalone PoC + full trace: 2026-07-edel-xstock_exp (evm-hack-registry mirror).
- Upstream DeFiHackLabs PoC:
edel-xstock_exp.sol. - Attack transaction: view on explorer.
Alerts & third-party analyses
- Original alert / thread: post on X.
- DeFiHackLabs incident explorer: search "Edel xStock".
- Web3Sec X hacked database: search.
- Rekt leaderboard: search.
- Solodit incident search: search.
These dashboards index community alerts tweets, post-mortems, and independent write-ups. Reach them through the protocol name above to cross-check this reproduction against other analyses.