
Briefing

The New Gold Protocol (NGP) on the BNB Chain suffered a sophisticated exploit on September 18, 2025, resulting in the loss of nearly $2 million in digital assets. The incident leveraged a critical vulnerability in NGP’s getPrice() function, which relied on a single Uniswap V2 liquidity pool for token valuation. This dependency allowed an attacker to take a flash loan, manipulate the token’s perceived price, and then drain the protocol’s liquidity pool, with the stolen funds routed through Tornado Cash to obscure traceability.


Context

Prior to this incident, the DeFi ecosystem had consistently faced risks from oracle manipulation and flash loan attacks, particularly in protocols that depend on single-source price feeds. This attack vector exploits the trust placed in external data sources or simplified pricing mechanisms, creating an exploitable surface where temporary market imbalances can be weaponized. The prevailing security posture often underestimates how the atomic, single-transaction nature of flash loans allows such design flaws to be exploited.


Analysis

The attack began with a flash loan, allowing the threat actor to temporarily acquire a substantial volume of tokens without upfront capital. This capital was then used to manipulate the mainPair pool, artificially inflating the USDT reserve while simultaneously depleting NGP tokens. Consequently, NGP’s getPrice() function, which relied solely on this manipulated pool, reported a significantly undervalued token price. The attacker then used this distorted valuation to bypass the protocol’s transaction limits, purchasing a large quantity of NGP tokens at the deeply discounted, manipulated price and thereby draining the liquidity.


Parameters

  • Protocol Targeted ∞ New Gold Protocol (NGP)
  • Blockchain Affected ∞ BNB Chain
  • Vulnerability Type ∞ Price Oracle Manipulation via Flash Loan
  • Exploited Function ∞ getPrice() function’s reliance on single Uniswap V2 pool
  • Financial Impact ∞ Approximately $2 Million
  • Date of Incident ∞ September 18, 2025
  • Funds Destination ∞ Tornado Cash


Outlook

Immediate mitigation for protocols involves implementing robust, multi-source oracle solutions to prevent single points of failure in price discovery. Post-incident, NGP users face potential unrecoverable losses due to funds being routed through Tornado Cash. This event underscores the critical need for comprehensive security audits, particularly focusing on external dependencies and economic attack vectors like flash loans, to establish new security best practices across the DeFi landscape and prevent contagion risk to similar protocols.
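To make the Analysis and Outlook concrete, the following added example (written for this briefing, not code from NGP or any audit of it) models a constant-product pool with constructed reserves, shows how far a single large swap inside one transaction moves the spot price that a single-pool getPrice() would return, and contrasts that with a guarded read that refuses a spot price deviating beyond a band around an independent reference. The reserve sizes, the 0.3% fee, the 500 bps band and the reference source are all assumptions for illustration.

```python
from dataclasses import dataclass

FEE_BPS = 30  # Uniswap V2 style 0.3% swap fee (assumed for this model)


@dataclass
class ConstantProductPool:
    """Minimal x*y=k pool; reserves are constructed values, not NGP's real state."""
    reserve_ngp: float
    reserve_usdt: float

    def spot_price(self) -> float:
        """USDT per NGP read straight from reserves: what a single-pool getPrice() sees."""
        return self.reserve_usdt / self.reserve_ngp

    def swap_usdt_for_ngp(self, usdt_in: float) -> float:
        """Swap USDT into the pool for NGP with the fee taken on input; returns NGP out."""
        usdt_in_net = usdt_in * (10_000 - FEE_BPS) / 10_000
        ngp_out = self.reserve_ngp * usdt_in_net / (self.reserve_usdt + usdt_in_net)
        self.reserve_usdt += usdt_in
        self.reserve_ngp -= ngp_out
        return ngp_out


def guarded_price(pool: ConstantProductPool, reference: float, max_dev_bps: int) -> float:
    """Hardened read: accept the pool spot only while it stays within a band around an
    independent reference (a TWAP or a second oracle, assumed here); otherwise refuse."""
    spot = pool.spot_price()
    dev_bps = abs(spot - reference) / reference * 10_000
    if dev_bps > max_dev_bps:
        raise ValueError(f"spot {spot:.4f} deviates {dev_bps:.0f} bps from reference {reference}")
    return spot


def simulate(swap_usdt: float = 500_000, max_dev_bps: int = 500) -> dict:
    """One atomic transaction: a flash-loan-sized swap, then a naive and a guarded read."""
    pool = ConstantProductPool(reserve_ngp=1_000_000, reserve_usdt=1_000_000)
    reference = pool.spot_price()  # stands in for a TWAP / second source captured beforehand
    before = pool.spot_price()
    pool.swap_usdt_for_ngp(swap_usdt)
    after = pool.spot_price()  # the value a single-pool getPrice() would now return
    try:
        guarded_price(pool, reference, max_dev_bps)
        rejected = False
    except ValueError:
        rejected = True
    return {"before": before, "after": after,
            "deviation_bps": abs(after - reference) / reference * 10_000,
            "guard_rejected": rejected}
```

With the constructed reserves, a 500,000 USDT swap moves the single-pool spot read by more than 10,000 bps while the guarded read refuses it; a routine 1,000 USDT swap stays inside the band and is accepted.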


Verdict

This incident serves as a stark reminder that even seemingly minor design flaws in price oracle mechanisms can be leveraged by sophisticated flash loan attacks, leading to significant and often irreversible asset drains.

Signal Acquired from ∞ cryptotimes.io

Micro Crypto News Feeds

Liquidity Pool ∞ A collection of cryptocurrency tokens locked in a smart contract, typically used to facilitate decentralized trading.

Oracle Manipulation ∞ A type of attack where the data provided by a blockchain oracle is deliberately falsified or corrupted.

Token Price ∞ The current market value of a specific digital asset, typically denominated in a base currency like USD or another cryptocurrency.

Protocol ∞ A set of rules governing data exchange or communication between systems.

BNB Chain ∞ A decentralized blockchain network that supports smart contracts and decentralized applications.

Vulnerability ∞ A flaw or weakness in a system, protocol, or smart contract that could be exploited by malicious actors to compromise its integrity, security, or functionality.

Financial Impact ∞ The consequences of an event, decision, or technology on monetary values, asset prices, or economic activity.

Tornado Cash ∞ A decentralized cryptocurrency mixing service designed to enhance user privacy by obscuring the transaction history of digital assets.

Flash Loans ∞ A type of uncollateralized loan in decentralized finance that must be borrowed and repaid within a single blockchain transaction.

Flash Loan Attacks ∞ A type of exploit in decentralized finance (DeFi) where an attacker borrows a large amount of cryptocurrency without collateral.