Skip to main content
Security

New Gold Protocol Drained $1.9 Million via Price Oracle Manipulation

A flash loan exploit leveraged a single-source price oracle, allowing an attacker to manipulate token value and drain assets.
September 24, 20253 min

Angular, reflective metallic structures resembling advanced computing hardware interlock with vibrant blue crystalline formations encrusted with a white, frosty substance. A luminous, textured sphere, evocative of a moon, floats centrally amidst these elements
A glowing, translucent white sphere is centrally positioned within a rugged, dark blue, textured formation. The blue structure features lighter, granular blue accents, creating a complex, organic appearance against a blurred grey background

Briefing

A recently launched DeFi staking protocol, New Gold Protocol (NGP) on BNB Chain, suffered a critical exploit on September 18, 2025, resulting in the theft of approximately $1.9 million in Ethereum. The incident, occurring merely hours after the token’s launch, exploited a fundamental flaw in the protocol’s price oracle mechanism, which relied solely on a single Uniswap liquidity pool. This vulnerability enabled an attacker to execute a flash loan attack, artificially inflate the NGP token’s price, and subsequently drain significant assets, causing an 88% crash in the NGP token value.

A modern, white and metallic cylindrical apparatus lies partially submerged in dark blue, rippling water, actively discharging a large volume of white, powdery substance. The substance forms a significant pile both emerging from the device and spreading across the water's surface

Context

Prior to this incident, the DeFi landscape has consistently faced risks from protocols relying on insecure price oracles, particularly those deriving value from low-liquidity DEX pairs. The inherent immutability of smart contracts, once deployed, often renders fund recovery impossible, underscoring the critical need for robust pre-launch security measures. This exploit highlights a recurring vulnerability class where inadequate external data sourcing creates a significant attack surface for financial manipulation.

The detailed composition showcases an open mechanical watch movement, its metallic components and precise gear train clearly visible. A substantial blue structure, adorned with intricate circuit-like patterns, connects to the watch, with a metallic arm extending into its core

Analysis

The incident’s technical mechanics involved a sophisticated price oracle manipulation attack. The attacker first accumulated NGP tokens over several hours. Subsequently, a flash loan was utilized to execute massive USDT to NGP swaps on a single Uniswap liquidity pool, artificially inflating the NGP token’s perceived value. The protocol’s smart contract, designed to determine NGP’s price directly from these DEX pair reserves, was critically flawed in this reliance.

By routing flash-loan-driven swaps through the zero address, the attacker bypassed per-user buy limits and cooldowns, enabling the large-scale manipulation necessary to profit from their pre-acquired tokens. The stolen funds, approximately 443.8 ETH, were then converted to Binance-pegged ETH, bridged to Ethereum via the Across protocol, and subsequently deposited into Tornado Cash to obfuscate the transaction trail.

A crystal-clear sphere reveals a miniature, complex circuit board architecture, complete with detailed blue and silver components. At its core, a smooth white sphere rests, symbolizing a foundational element or a single block within a chain

Parameters

  • Protocol Targeted ∞ New Gold Protocol (NGP)
  • BlockchainBNB Chain, Ethereum
  • VulnerabilityPrice Oracle Manipulation, Flash Loan Attack
  • Financial Impact ∞ ~$1.9 Million (443.8 ETH)
  • Date of Exploit ∞ September 18, 2025
  • Attacker’s Method ∞ Manipulated DEX pair reserves using flash loans and exploited zero address recipient logic
  • Token Impact ∞ NGP token price crashed 88%

A prominent spherical object, textured like the moon with visible craters, is centrally positioned, appearing to push through a dense, intricate formation of blue and grey geometric shards. These angular, reflective structures create a sense of depth and dynamic movement, framing the emerging sphere

Outlook

Immediate mitigation for similar protocols necessitates a multi-faceted approach to price oracle design, moving beyond sole reliance on single DEX pair reserves. Protocols must implement robust per-account and per-transaction limits, alongside strict whitelisting and control mechanisms for privileged recipients. This incident will likely reinforce the demand for aggressive pre-launch stress testing and independent security audits specifically designed to simulate flash-loan and oracle manipulation vectors. The rapid obfuscation of funds via mixers such as Tornado Cash underscores the ongoing challenge for forensic analysis and recovery efforts, potentially influencing future regulatory discussions on privacy tools.

The New Gold Protocol exploit serves as a stark reminder that inadequate price oracle design and insufficient pre-launch security validation remain critical systemic vulnerabilities in the DeFi ecosystem.

Signal Acquired from ∞ blockchainreporter.net

Micro Crypto News Feeds

flash loan attack

Definition ∞ A flash loan attack is a type of exploit that leverages the uncollateralized, instantaneous nature of flash loans in decentralized finance.

vulnerability

Definition ∞ A vulnerability refers to a flaw or weakness in a system, protocol, or smart contract that could be exploited by malicious actors to compromise its integrity, security, or functionality.

oracle manipulation

Oracle Manipulation ∞ is a type of attack where the data provided by a blockchain oracle is deliberately falsified or corrupted.

tornado cash

Definition ∞ Tornado Cash is a decentralized cryptocurrency mixing service designed to enhance user privacy by obscuring the transaction history of digital assets.

protocol

Definition ∞ A protocol is a set of rules governing data exchange or communication between systems.

bnb chain

BNB Chain ∞ is a decentralized blockchain network that supports smart contracts and decentralized applications.

price oracle

Definition ∞ A price oracle is a digital service that provides external price data to smart contracts on a blockchain.

eth

Definition ∞ ETH is the native cryptocurrency of the Ethereum blockchain.

exploit

Definition ∞ An exploit refers to the malicious utilization of a security flaw or vulnerability within a protocol, smart contract, or application to gain unauthorized access, steal assets, or disrupt operations.

reserves

Definition ∞ 'Reserves' in the cryptocurrency context typically refers to the total amount of a particular digital asset held by a specific entity, such as a stablecoin issuer, exchange, or decentralized finance (DeFi) protocol.

token price

Definition ∞ Token price represents the current market value of a specific digital asset, typically denominated in a base currency like USD or another cryptocurrency.

protocols

Definition ∞ 'Protocols' are sets of rules that govern how data is transmitted and managed across networks.

Tags:

Tags: