Briefing

The New Gold Protocol (NGP) on Binance Smart Chain suffered a $2 million flash loan exploit, leveraging a critical price oracle manipulation vulnerability. This incident led to an 88% devaluation of the NGP token, demonstrating the severe financial consequences for affected users and the protocol’s ecosystem. The attacker exploited NGP’s getPrice() function, which relied on a single Uniswap V2 liquidity pool, enabling the artificial suppression of the token’s price within a single transaction.

Context

Prior to this incident, the DeFi ecosystem had consistently faced risks from oracle manipulation, particularly when protocols depend on single, easily influenceable price feeds. Reliance on the spot price of an individual decentralized exchange pool has been a known weakness, creating an exploitable attack surface for sophisticated actors employing flash loans. Such architectural weaknesses represent a systemic risk across many nascent DeFi projects.

Analysis

The New Gold Protocol’s getPrice() smart contract function, designed to determine token value, was the primary system compromised. The attacker initiated the exploit by acquiring a substantial flash loan, which provided the capital to manipulate the NGP/USDT Uniswap V2 liquidity pool. By executing a large swap, the attacker artificially inflated the USDT reserves and simultaneously depleted the NGP token reserves, causing the getPrice() function to report an inaccurate, significantly lower NGP price.

This manipulated price allowed the attacker to bypass the protocol’s transaction limits, acquiring a large quantity of NGP tokens at a heavily discounted rate. Following the acquisition, the attacker reversed the initial swap, repaid the flash loan, and profited from the price differential, subsequently moving the stolen funds through Tornado Cash for anonymization.
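The mechanism described above, as an added simulation written for this briefing rather than any code from the New Gold Protocol: a reserves-based price read follows a single large swap instantly, while a time-weighted average price (TWAP) that accumulates price by elapsed seconds, as Uniswap V2's price cumulative does, is unmoved by a state that exists only within one block. Reserve sizes, trade sizes, block times and the `guarded_price` threshold are constructed assumptions.

```python
"""Why a getPrice() read from a single pool's reserves can be moved inside
one transaction, and why a time-weighted average price (TWAP) is not.

Added illustration for this briefing, not New Gold Protocol code. The
reserves, trade sizes and block timestamps are constructed sample values;
the swap arithmetic is the Uniswap V2 constant-product formula.
"""
from dataclasses import dataclass

FEE = 0.003  # Uniswap V2 takes 0.3% of the input amount


@dataclass
class ConstantProductPool:
    """x * y = k pool holding the project token against USDT."""
    token_reserve: float
    usdt_reserve: float

    def spot_price(self) -> float:
        """USDT per token straight from reserves: what a reserves-based
        getPrice() reports, and the value an in-transaction swap can move."""
        return self.usdt_reserve / self.token_reserve

    def sell_token(self, amount_in: float) -> float:
        """Sell token for USDT; returns the USDT paid out."""
        effective = amount_in * (1 - FEE)
        out = self.usdt_reserve * effective / (self.token_reserve + effective)
        self.token_reserve += amount_in
        self.usdt_reserve -= out
        return out

    def buy_token(self, usdt_in: float) -> float:
        """Spend USDT to buy token; returns the token paid out."""
        effective = usdt_in * (1 - FEE)
        out = self.token_reserve * effective / (self.usdt_reserve + effective)
        self.usdt_reserve += usdt_in
        self.token_reserve -= out
        return out


class TwapOracle:
    """Accumulates spot price weighted by the seconds it was in force, as
    Uniswap V2's price cumulative does. A price that exists only within a
    single block contributes zero elapsed seconds, hence nothing."""

    def __init__(self, pool: ConstantProductPool, timestamp: int):
        self.pool = pool
        self.cumulative = 0.0
        self.last_timestamp = timestamp
        self.checkpoints = {timestamp: 0.0}

    def sync(self, timestamp: int) -> None:
        """Must run before each pool state change (mirrors the pair's _update)."""
        elapsed = timestamp - self.last_timestamp
        if elapsed > 0:
            self.cumulative += self.pool.spot_price() * elapsed
            self.last_timestamp = timestamp
        self.checkpoints[timestamp] = self.cumulative

    def twap(self, since: int, now: int) -> float:
        """Average price over [since, now]; `since` must be a checkpoint."""
        pending = self.pool.spot_price() * (now - self.last_timestamp)
        return (self.cumulative + pending - self.checkpoints[since]) / (now - since)


def guarded_price(spot: float, twap: float, max_deviation_bps: int = 500) -> float:
    """Defensive read: accept the spot only if it sits within
    max_deviation_bps of the TWAP; otherwise refuse (a contract would revert)."""
    deviation_bps = abs(spot - twap) / twap * 10_000
    if deviation_bps > max_deviation_bps:
        raise ValueError(f"spot is {deviation_bps:.0f} bps from TWAP, refusing to price")
    return spot


def run_scenario() -> dict:
    """Nine quiet blocks of small trading, then one flash-loan sized swap
    inside block time 30. Returns what each oracle style would report."""
    pool = ConstantProductPool(token_reserve=1_000_000.0, usdt_reserve=500_000.0)
    oracle = TwapOracle(pool, timestamp=0)
    for t in range(3, 30, 3):                # blocks every 3 seconds
        oracle.sync(t)
        if (t // 3) % 2:
            pool.sell_token(1_000.0)         # small sell
        else:
            pool.buy_token(500.0)            # small buy
    oracle.sync(30)
    spot_before, twap_before = pool.spot_price(), oracle.twap(0, 30)
    pool.sell_token(2_000_000.0)             # one-sided swap, same block
    oracle.sync(30)                          # zero seconds elapsed: no effect
    return {
        "spot_before": spot_before,
        "twap_before": twap_before,
        "spot_during": pool.spot_price(),    # what getPrice() would return
        "twap_during": oracle.twap(0, 30),   # unchanged by the swap
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name:12s} {value:.4f}")
```

Running the scenario prints a spot reading that has collapsed by roughly an order of magnitude while the TWAP over the same window is unchanged; `guarded_price` accepts the quiet-block reading and refuses the manipulated one. A TWAP alone is not a complete fix (sustained multi-block manipulation still moves it), which is why pairing it with a deviation check or independent feeds matters.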

Parameters

  • Protocol Targeted: New Gold Protocol (NGP)
  • Attack Vector: Price Oracle Manipulation via Flash Loan
  • Financial Impact: $2 Million
  • Blockchain: Binance Smart Chain (BSC)
  • Vulnerable Function: getPrice()
  • Price Devaluation: 88% (NGP token)
  • Fund Laundering: Tornado Cash

Outlook

In the immediate aftermath, protocols must prioritize the implementation of robust, multi-source oracle solutions to prevent similar price manipulation attacks. Users should exercise extreme caution with DeFi platforms relying on single-point price feeds, understanding the inherent risk of flash loan vulnerabilities. This incident will likely reinforce the industry’s push for more comprehensive smart contract audits that specifically scrutinize oracle dependencies and transaction limit bypasses, establishing new security best practices to mitigate contagion risk across similar protocols.
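One shape the multi-source oracle recommended above can take, added here as an illustration and not taken from any protocol or oracle vendor: readings from several independent sources are filtered for freshness, the median is taken, any source far from that median is rejected and reported, and the read fails closed when too few sources remain. The source names (`feed_a`, `feed_b`, `pool_twap`, `pool_spot`), prices, timestamps and thresholds are constructed assumptions.

```python
"""Multi-source price aggregation with freshness and agreement checks.

Added illustration for the outlook above, not code from any named protocol
or oracle vendor. Source names, prices, timestamps and thresholds are
constructed sample values.
"""
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Observation:
    source: str
    price: float       # USDT per token as reported by this source
    updated_at: int    # unix seconds of the source's last refresh


@dataclass(frozen=True)
class AggregateResult:
    price: float
    used: tuple        # sources that contributed to the final price
    rejected: dict     # source -> reason; worth alerting on, not just dropping


class OracleError(Exception):
    """No trustworthy price could be formed; a contract would revert here."""


def aggregate_price(observations, now, max_age=300, max_spread_bps=300, min_sources=3):
    """Median of fresh, mutually agreeing sources.

    1. Drop stale or non-positive readings.
    2. Take the median of what remains.
    3. Drop any source further than max_spread_bps from that median
       (a single manipulated pool cannot drag the median with it).
    4. Require at least min_sources survivors and return their median.
    """
    rejected = {}
    fresh = []
    for o in observations:
        if o.price <= 0:
            rejected[o.source] = "non-positive price"
        elif now - o.updated_at > max_age:
            rejected[o.source] = f"stale by {now - o.updated_at - max_age}s"
        else:
            fresh.append(o)
    if len(fresh) < min_sources:
        raise OracleError(f"only {len(fresh)} fresh sources, need {min_sources}")

    first_pass = median(o.price for o in fresh)
    agreeing = []
    for o in fresh:
        deviation_bps = abs(o.price - first_pass) / first_pass * 10_000
        if deviation_bps > max_spread_bps:
            rejected[o.source] = f"{deviation_bps:.0f} bps from median"
        else:
            agreeing.append(o)
    if len(agreeing) < min_sources:
        raise OracleError(f"only {len(agreeing)} agreeing sources, need {min_sources}")

    return AggregateResult(
        price=median(o.price for o in agreeing),
        used=tuple(o.source for o in agreeing),
        rejected=rejected,
    )


NOW = 1_700_000_000  # constructed reference time

# Constructed: three independent sources agree near 0.50 USDT; the raw
# single-pool spot has been pushed far below them within one transaction.
SAMPLE = [
    Observation("feed_a", 0.502, NOW - 20),
    Observation("feed_b", 0.498, NOW - 45),
    Observation("pool_twap", 0.500, NOW - 3),
    Observation("pool_spot", 0.056, NOW),
]

# Constructed: same set, but one external feed has not updated in 20 minutes.
SAMPLE_STALE = SAMPLE[:1] + [Observation("feed_b", 0.498, NOW - 1_200)] + SAMPLE[2:]


if __name__ == "__main__":
    result = aggregate_price(SAMPLE, NOW)
    print(f"price {result.price:.3f} from {result.used}; rejected {result.rejected}")
```

With the first sample the manipulated pool spot is rejected and the price settles at 0.500; with the stale sample only two sources survive and the read refuses rather than returning a price. The `rejected` map is the detection signal: a source that is repeatedly thrown out for disagreeing with its peers is exactly the condition an operator should be alerted on.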

Verdict

This exploit serves as a stark reminder that even seemingly minor architectural flaws, such as single-source oracle dependencies, can be leveraged by sophisticated actors for significant financial gain, underscoring the continuous need for rigorous security posture and diversified risk mitigation in DeFi.

Signal Acquired from: CoinCentral

Micro Crypto News Feeds

oracle manipulation

Definition: Oracle manipulation is a type of attack where the data provided by a blockchain oracle is deliberately falsified or corrupted.

protocols

Definition: 'Protocols' are sets of rules that govern how data is transmitted and managed across networks.

liquidity pool

Definition: A liquidity pool is a collection of cryptocurrency tokens locked in a smart contract, typically used to facilitate decentralized trading.

transaction limits

Definition: Transaction limits are predefined constraints on the number, size, or value of operations that can be processed within a specific timeframe or by a particular user or system.

protocol

Definition: A protocol is a set of rules governing data exchange or communication between systems.

price oracle

Definition: A price oracle is a digital service that provides external price data to smart contracts on a blockchain.

financial

Definition: Financial refers to matters concerning money, banking, investments, and credit.

smart chain

Definition: A Smart Chain is a type of blockchain network specifically designed to support the execution of smart contracts and decentralized applications.

price

Definition: Price represents the monetary value assigned to an asset or service in exchange for other goods or services.

tornado cash

Definition: Tornado Cash is a decentralized cryptocurrency mixing service designed to enhance user privacy by obscuring the transaction history of digital assets.

price manipulation

Definition: Price manipulation refers to the intentional distortion of the market price of an asset through deceptive or fraudulent activities.

exploit

Definition: An exploit refers to the malicious utilization of a security flaw or vulnerability within a protocol, smart contract, or application to gain unauthorized access, steal assets, or disrupt operations.