Briefing

A recently launched DeFi staking protocol, New Gold Protocol (NGP) on BNB Chain, suffered a critical exploit on September 18, 2025, resulting in the theft of approximately $1.9 million in Ethereum. The incident, occurring merely hours after the token’s launch, exploited a fundamental flaw in the protocol’s price oracle mechanism, which relied solely on a single Uniswap liquidity pool. This vulnerability enabled an attacker to execute a flash loan attack, artificially inflate the NGP token’s price, and subsequently drain significant assets, causing an 88% crash in the NGP token value.


Context

Prior to this incident, the DeFi landscape had consistently faced risks from protocols relying on insecure price oracles, particularly those deriving value from low-liquidity DEX pairs. Because smart contracts are immutable once deployed, fund recovery after an exploit is often impossible, which underscores the critical need for robust pre-launch security measures. This exploit highlights a recurring vulnerability class in which inadequate external data sourcing creates a significant attack surface for financial manipulation.


Analysis

The incident’s technical mechanics involved a sophisticated price oracle manipulation attack. The attacker first accumulated NGP tokens over several hours. Subsequently, a flash loan was used to execute massive USDT to NGP swaps on a single Uniswap liquidity pool, artificially inflating the NGP token’s perceived value. The protocol’s smart contract derived NGP’s price directly from that DEX pair’s reserves, and this sole reliance was the critical flaw: a price read from the current reserves of one pool can be moved arbitrarily within a single transaction by anyone with enough borrowed capital.

By routing flash-loan-driven swaps through the zero address, the attacker bypassed per-user buy limits and cooldowns, enabling the large-scale manipulation necessary to profit from their pre-acquired tokens. The stolen funds, approximately 443.8 ETH, were then converted to Binance-pegged ETH, bridged to Ethereum via the Across protocol, and subsequently deposited into Tornado Cash to obfuscate the transaction trail.
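The reserve-based oracle flaw described above, shown as an added simulation rather than the protocol's own code: a constant-product pool, the naive spot-price read, the effect of one large borrowed swap on that read, and a deviation check against an independent reference price that rejects the manipulated reading. Pool sizes, the 0.3% fee, the swap size and the 5% deviation bound are constructed assumptions, not NGP's actual parameters.

```python
"""Why a spot price read from a single DEX pair's reserves is manipulable
within one transaction, and how a deviation check rejects the bad reading.
All numbers below are constructed for illustration (assumption)."""
from dataclasses import dataclass

FEE_BPS = 30  # 0.3% swap fee, Uniswap-v2-style pool (assumption)


@dataclass
class Pool:
    reserve_usdt: float
    reserve_tok: float

    def spot_price(self) -> float:
        """Naive oracle: USDT per token, read straight from current reserves."""
        return self.reserve_usdt / self.reserve_tok

    def swap_usdt_for_tok(self, usdt_in: float) -> float:
        """Constant-product swap (x * y = k) with fee; returns tokens received."""
        usdt_after_fee = usdt_in * (10_000 - FEE_BPS) / 10_000
        k = self.reserve_usdt * self.reserve_tok
        tok_out = self.reserve_tok - k / (self.reserve_usdt + usdt_after_fee)
        self.reserve_usdt += usdt_in
        self.reserve_tok -= tok_out
        return tok_out


def price_is_acceptable(pool: Pool, reference_price: float,
                        max_deviation_bps: int = 500) -> bool:
    """Hardened read: accept the spot price only if it is within
    max_deviation_bps of an independent reference (a TWAP or external feed)."""
    deviation_bps = abs(pool.spot_price() - reference_price) / reference_price * 10_000
    return deviation_bps <= max_deviation_bps


def simulate_flash_swap(pool_usdt: float, pool_tok: float, flash_usdt: float):
    """One large USDT->token swap inside a single tx; returns
    (spot price before, spot price after, pool state after)."""
    pool = Pool(pool_usdt, pool_tok)
    before = pool.spot_price()
    pool.swap_usdt_for_tok(flash_usdt)
    return before, pool.spot_price(), pool


if __name__ == "__main__":
    # Constructed: 100k USDT / 100k tokens pool, 1M USDT borrowed swap.
    b, a, p = simulate_flash_swap(100_000, 100_000, 1_000_000)
    print(f"spot before {b:.2f}, after {a:.2f}, accepted: {price_is_acceptable(p, b)}")
```

A single swap pushes the reserve-derived spot price from 1.0 to roughly 120 USDT per token, which the deviation check flags; a contract that read the reserves directly would have valued the attacker's pre-acquired tokens at the inflated figure.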


Parameters

  • Protocol Targeted → New Gold Protocol (NGP)
  • Blockchain → BNB Chain, Ethereum
  • Vulnerability → Price Oracle Manipulation, Flash Loan Attack
  • Financial Impact → ~$1.9 Million (443.8 ETH)
  • Date of Exploit → September 18, 2025
  • Attacker’s Method → Manipulated DEX pair reserves using flash loans and exploited zero address recipient logic
  • Token Impact → NGP token price crashed 88%


Outlook

Immediate mitigation for similar protocols necessitates a multi-faceted approach to price oracle design, moving beyond sole reliance on single DEX pair reserves. Protocols must implement robust per-account and per-transaction limits, alongside strict whitelisting and control mechanisms for privileged recipients. This incident will likely reinforce the demand for aggressive pre-launch stress testing and independent security audits specifically designed to simulate flash-loan and oracle manipulation vectors. The rapid obfuscation of funds via mixers such as Tornado Cash underscores the ongoing challenge for forensic analysis and recovery efforts, potentially influencing future regulatory discussions on privacy tools.

The New Gold Protocol exploit serves as a stark reminder that inadequate price oracle design and insufficient pre-launch security validation remain critical systemic vulnerabilities in the DeFi ecosystem.

Signal Acquired from → blockchainreporter.net

Micro Crypto News Feeds

flash loan attack

Definition ∞ A flash loan attack is a type of exploit that leverages the uncollateralized, instantaneous nature of flash loans in decentralized finance.

vulnerability

Definition ∞ A vulnerability refers to a flaw or weakness in a system, protocol, or smart contract that could be exploited by malicious actors to compromise its integrity, security, or functionality.

oracle manipulation

Definition ∞ Oracle manipulation is a type of attack where the data provided by a blockchain oracle is deliberately falsified or corrupted.

tornado cash

Definition ∞ Tornado Cash is a decentralized cryptocurrency mixing service designed to enhance user privacy by obscuring the transaction history of digital assets.

protocol

Definition ∞ A protocol is a set of rules governing data exchange or communication between systems.

bnb chain

Definition ∞ BNB Chain is a decentralized blockchain network that supports smart contracts and decentralized applications.

price oracle

Definition ∞ A price oracle is a digital service that provides external price data to smart contracts on a blockchain.

eth

Definition ∞ ETH is the native cryptocurrency of the Ethereum blockchain.

exploit

Definition ∞ An exploit refers to the malicious utilization of a security flaw or vulnerability within a protocol, smart contract, or application to gain unauthorized access, steal assets, or disrupt operations.

reserves

Definition ∞ 'Reserves' in the cryptocurrency context typically refers to the total amount of a particular digital asset held by a specific entity, such as a stablecoin issuer, exchange, or decentralized finance (DeFi) protocol.

token price

Definition ∞ Token price represents the current market value of a specific digital asset, typically denominated in a base currency like USD or another cryptocurrency.

protocols

Definition ∞ 'Protocols' are sets of rules that govern how data is transmitted and managed across networks.