Briefing

A recently launched DeFi staking protocol, New Gold Protocol (NGP) on BNB Chain, suffered a critical exploit on September 18, 2025, resulting in the theft of approximately $1.9 million in Ethereum. The incident, occurring merely hours after the token’s launch, exploited a fundamental flaw in the protocol’s price oracle mechanism, which relied solely on a single Uniswap liquidity pool. This vulnerability enabled an attacker to execute a flash loan attack, artificially inflate the NGP token’s price, and subsequently drain significant assets, causing an 88% crash in the NGP token value.

Context

Before this incident, the DeFi landscape had consistently faced risks from protocols relying on insecure price oracles, particularly those deriving value from low-liquidity DEX pairs. The inherent immutability of smart contracts, once deployed, often renders fund recovery impossible, underscoring the critical need for robust pre-launch security measures. This exploit highlights a recurring vulnerability class where inadequate external data sourcing creates a significant attack surface for financial manipulation.

Analysis

The incident’s technical mechanics involved a sophisticated price oracle manipulation attack. The attacker first accumulated NGP tokens over several hours. Subsequently, a flash loan was utilized to execute massive USDT to NGP swaps on a single Uniswap liquidity pool, artificially inflating the NGP token’s perceived value. The protocol’s smart contract determined NGP’s price directly from these DEX pair reserves, and this reliance was the critical flaw.

By routing flash-loan-driven swaps through the zero address, the attacker bypassed per-user buy limits and cooldowns, enabling the large-scale manipulation necessary to profit from their pre-acquired tokens. The stolen funds, approximately 443.8 ETH, were then converted to Binance-pegged ETH, bridged to Ethereum via the Across protocol, and subsequently deposited into Tornado Cash to obfuscate the transaction trail.

Parameters

  • Protocol Targeted ∞ New Gold Protocol (NGP)
  • Blockchain ∞ BNB Chain, Ethereum
  • Vulnerability ∞ Price Oracle Manipulation, Flash Loan Attack
  • Financial Impact ∞ ~$1.9 Million (443.8 ETH)
  • Date of Exploit ∞ September 18, 2025
  • Attacker’s Method ∞ Manipulated DEX pair reserves using flash loans and exploited zero address recipient logic
  • Token Impact ∞ NGP token price crashed 88%

Outlook

Immediate mitigation for similar protocols necessitates a multi-faceted approach to price oracle design, moving beyond sole reliance on single DEX pair reserves. Protocols must implement robust per-account and per-transaction limits, alongside strict whitelisting and control mechanisms for privileged recipients. This incident will likely reinforce the demand for aggressive pre-launch stress testing and independent security audits specifically designed to simulate flash-loan and oracle manipulation vectors. The rapid obfuscation of funds via mixers such as Tornado Cash underscores the ongoing challenge for forensic analysis and recovery efforts, potentially influencing future regulatory discussions on privacy tools.
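The reserve-based pricing flaw described in the Analysis, and the oracle hardening called for above, as an added Python simulation (not NGP's contract code and not from the source report): it compares a spot price read straight from constant-product pair reserves with a time-weighted average protected by a deviation check. The reserve sizes, 0.3% fee, 30-minute window and 10% threshold are constructed assumptions.

```python
from dataclasses import dataclass
@dataclass
class Pool:
    """Constant-product pair (x*y=k) with a Uniswap-V2-style price accumulator."""
    usdt: float
    ngp: float
    now: int = 0             # current block timestamp (seconds)
    last: int = 0            # time of the last accumulator update
    cumulative: float = 0.0  # running sum of price * seconds

    def spot(self) -> float:
        # What a reserve-reading oracle sees: movable within one transaction.
        return self.usdt / self.ngp

    def snapshot(self):
        self.cumulative += self.spot() * (self.now - self.last)
        self.last = self.now
        return self.cumulative, self.now

    def swap_usdt_for_ngp(self, usdt_in: float, fee: float = 0.003) -> float:
        self.snapshot()      # record the pre-trade price before reserves move
        eff = usdt_in * (1 - fee)
        out = self.ngp * eff / (self.usdt + eff)
        self.usdt += usdt_in
        self.ngp -= out
        return out

def twap(pool: Pool, start) -> float:
    cum0, t0 = start
    cum1, t1 = pool.snapshot()
    if t1 <= t0:
        raise ValueError("averaging window must span time")
    return (cum1 - cum0) / (t1 - t0)

def guarded_price(pool: Pool, start, max_dev: float = 0.10) -> float:
    avg = twap(pool, start)
    if abs(pool.spot() - avg) / avg > max_dev:
        raise RuntimeError("spot deviates from TWAP; refusing to price")
    return avg

def simulate(usdt_in: float):
    pool = Pool(usdt=1_000_000.0, ngp=1_000_000.0)  # constructed reserves
    start = pool.snapshot()
    pool.now += 1800                                # 30 minutes of quiet market
    pool.swap_usdt_for_ngp(usdt_in)                 # trade lands in one block
    try:
        return pool.spot(), guarded_price(pool, start)
    except RuntimeError:
        return pool.spot(), None                    # guard refused to price
```

`simulate` returns the raw spot price and the guarded price; a single oversized same-block trade moves the spot value by orders of magnitude while the guard declines to return a price, and an ordinary small trade is priced at the window average.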

The New Gold Protocol exploit serves as a stark reminder that inadequate price oracle design and insufficient pre-launch security validation remain critical systemic vulnerabilities in the DeFi ecosystem.

Signal Acquired from ∞ blockchainreporter.net

Micro Crypto News Feeds

flash loan attack

Definition ∞ A flash loan attack is a type of exploit that leverages the uncollateralized, instantaneous nature of flash loans in decentralized finance.

vulnerability

Definition ∞ A vulnerability refers to a flaw or weakness in a system, protocol, or smart contract that could be exploited by malicious actors to compromise its integrity, security, or functionality.

oracle manipulation

Definition ∞ Oracle manipulation is a type of attack where the data provided by a blockchain oracle is deliberately falsified or corrupted.

tornado cash

Definition ∞ Tornado Cash is a decentralized cryptocurrency mixing service designed to enhance user privacy by obscuring the transaction history of digital assets.

protocol

Definition ∞ A protocol is a set of rules governing data exchange or communication between systems.

bnb chain

Definition ∞ BNB Chain is a decentralized blockchain network that supports smart contracts and decentralized applications.

price oracle

Definition ∞ A price oracle is a digital service that provides external price data to smart contracts on a blockchain.

eth

Definition ∞ ETH is the native cryptocurrency of the Ethereum blockchain.

exploit

Definition ∞ An exploit refers to the malicious utilization of a security flaw or vulnerability within a protocol, smart contract, or application to gain unauthorized access, steal assets, or disrupt operations.

reserves

Definition ∞ 'Reserves' in the cryptocurrency context typically refers to the total amount of a particular digital asset held by a specific entity, such as a stablecoin issuer, exchange, or decentralized finance (DeFi) protocol.

token price

Definition ∞ Token price represents the current market value of a specific digital asset, typically denominated in a base currency like USD or another cryptocurrency.

protocols

Definition ∞ 'Protocols' are sets of rules that govern how data is transmitted and managed across networks.