Briefing

The New Gold Protocol (NGP) on the BNB Chain was exploited for nearly $2 million via a sophisticated flash loan attack on September 18, 2025. This incident stemmed from a critical vulnerability in NGP’s getPrice() function, which relied on a single Uniswap V2 liquidity pool for token valuation, making it susceptible to price oracle manipulation. The attacker leveraged this flaw to drain assets from the protocol’s liquidity pool, subsequently funneling the stolen funds through Tornado Cash to obscure their origin.

Context

Well before this incident, the decentralized finance (DeFi) ecosystem had repeatedly faced risks from single-point-of-failure oracle designs. Protocols that derive asset prices from a sole liquidity source are inherently vulnerable to manipulation, particularly via flash loans. This well-known class of vulnerability, often exacerbated by insufficient smart contract audits, gives sophisticated actors an exploitable attack surface.

Analysis

The attack vector exploited NGP’s smart contract logic, specifically its getPrice() function, which determined the NGP token price by referencing only the reserves in its Uniswap V2 pool. The attacker took a flash loan to temporarily acquire a large volume of tokens, then executed a swap against the mainPair pool. The swap artificially inflated the USDT reserve while depleting the NGP reserve, causing getPrice() to report a significantly undervalued NGP token price. With the price feed compromised, the attacker bypassed transaction limits to purchase a substantial quantity of NGP tokens at the manipulated low price, effectively draining the protocol’s liquidity.

Parameters

Outlook

Immediate mitigation for protocols involves implementing robust, multi-source price oracles to prevent single-point manipulation. This incident underscores the urgent need for comprehensive, independent smart contract audits and continuous security monitoring, particularly for newly launched projects. The contagion risk remains high for similar DeFi protocols relying on simplistic price feeds, necessitating a re-evaluation of their oracle infrastructure to establish new security best practices and prevent future exploits.
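A simplified model of the single-pool pricing weakness described in the Analysis and of the multi-source sanity check the Outlook calls for, as an added example (not code from NGP, its auditors, or cryptotimes.io): the pool reserves, swap size and reference price are constructed values, and only the Uniswap V2 0.3% fee constant is real. It shows how one flash-loan-sized swap drags a reserve-ratio price by two orders of magnitude and how a deviation check against an independent reference rejects the manipulated reading.

```python
from decimal import Decimal, getcontext

getcontext().prec = 40
# Uniswap V2 charges 0.3% on the input amount: amountInWithFee = amountIn * 997 / 1000
FEE_NUMERATOR = Decimal(997)
FEE_DENOMINATOR = Decimal(1000)


def reserve_price(reserve_ngp, reserve_usdt):
    """Single-pool pricing in the style the article attributes to NGP's getPrice():
    the USDT value of one NGP is read straight from the pool's current reserves."""
    return Decimal(reserve_usdt) / Decimal(reserve_ngp)


def swap_usdt_in(reserve_ngp, reserve_usdt, usdt_in):
    """Constant-product (x * y = k) swap with USDT as the input token.
    Returns (ngp_out, new_reserve_ngp, new_reserve_usdt)."""
    reserve_ngp, reserve_usdt, usdt_in = map(Decimal, (reserve_ngp, reserve_usdt, usdt_in))
    usdt_in_with_fee = usdt_in * FEE_NUMERATOR / FEE_DENOMINATOR
    ngp_out = reserve_ngp * usdt_in_with_fee / (reserve_usdt + usdt_in_with_fee)
    return ngp_out, reserve_ngp - ngp_out, reserve_usdt + usdt_in


def price_is_sane(pool_price, reference_price, max_deviation=Decimal("0.05")):
    """Defensive check before trusting a pool-derived price: accept it only if it lies
    within max_deviation of an independent reference (a TWAP or second oracle source).
    The reference used below is a constructed stand-in, not a real feed."""
    pool_price, reference_price = Decimal(pool_price), Decimal(reference_price)
    if reference_price <= 0:
        return False
    return abs(pool_price - reference_price) / reference_price <= max_deviation


def simulate(reserve_ngp, reserve_usdt, usdt_in, reference_price):
    """Price the pool before and after one large swap and run the sanity check on both."""
    before = reserve_price(reserve_ngp, reserve_usdt)
    _, new_ngp, new_usdt = swap_usdt_in(reserve_ngp, reserve_usdt, usdt_in)
    after = reserve_price(new_ngp, new_usdt)
    return {
        "before": before,
        "after": after,
        "move": after / before,  # how far a single swap dragged the reserve-ratio price
        "sane_before": price_is_sane(before, reference_price),
        "sane_after": price_is_sane(after, reference_price),
    }


if __name__ == "__main__":
    # Constructed sample: 1,000,000 NGP vs 100,000 USDT (0.10 USDT per NGP), then a
    # flash-loan-sized 1,000,000 USDT swap; the reference price stays at 0.10.
    for key, value in simulate(1_000_000, 100_000, 1_000_000, "0.10").items():
        print(f"{key}: {value}")
```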

The NGP exploit serves as a stark reminder that foundational security principles, such as decentralized oracle design, are non-negotiable for maintaining trust and capital integrity in the digital asset landscape.

Signal Acquired from ∞ cryptotimes.io