New Gold Protocol Suffers $2 Million Flash Loan Price Manipulation → Security

A close-up view reveals two complex, futuristic mechanical components connecting, generating a bright blue energy discharge at their interface. The structures feature white and grey outer plating, exposing intricate dark internal mechanisms illuminated by subtle blue lights and the central energy burst

Briefing

The New Gold Protocol (NGP) on the BNB Chain was exploited for nearly $2 million via a sophisticated flash loan attack on September 18, 2025. This incident stemmed from a critical vulnerability in NGP’s getPrice() function, which relied on a single Uniswap V2 liquidity pool for token valuation, making it susceptible to price oracle manipulation. The attacker leveraged this flaw to drain assets from the protocol’s liquidity pool, subsequently funneling the stolen funds through Tornado Cash to obscure their origin.

A highly detailed, futuristic spherical module features sleek white external panels revealing complex internal metallic mechanisms. A brilliant blue energy beam or data stream projects from its core, with similar modules blurred in the background, suggesting a vast interconnected system

Context

Prior to this incident, the decentralized finance (DeFi) ecosystem has consistently faced risks associated with single-point-of-failure oracle designs. Protocols that derive asset prices from a sole liquidity source are inherently vulnerable to manipulation, particularly through flash loans. This known class of vulnerability, often exacerbated by insufficient smart contract audits, creates an exploitable attack surface for sophisticated actors.

The image features a close-up of interconnected metallic components, primarily in a vibrant, textured blue and polished silver. Thin gray wires crisscross between the modules, suggesting complex internal wiring and data transfer pathways crucial for high-speed data integrity

Analysis

The attack vector exploited NGP’s smart contract logic, specifically its getPrice() function, which determined the NGP token price by referencing only the reserves in its Uniswap V2 pool. The attacker initiated a flash loan to temporarily acquire a large volume of tokens, then executed a swap to manipulate the mainPair pool. This action artificially inflated the USDT reserve while depleting NGP tokens, causing the getPrice() function to report a significantly undervalued NGP token price. With the system compromised, the attacker bypassed transaction limits to purchase a substantial quantity of NGP tokens at the manipulated low price, effectively draining the protocol’s liquidity.

A close-up view presents a sophisticated metallic device, predominantly silver and blue, revealing intricate internal gears and components, some featuring striking red details, all situated on a deep blue backdrop. A central, brushed metal plate with a bright blue circular ring is partially lifted, exposing the complex mechanical workings beneath

Parameters

Protocol Targeted → New Gold Protocol (NGP)
Financial Impact → ~$2 Million
Attack Vector → Price Oracle Manipulation via Flash Loan
Vulnerability → Single-source getPrice() function
Blockchain → BNB Chain
Stolen Funds Destination → Tornado Cash
Date of Incident → September 18, 2025

A futuristic, modular white satellite-like structure with solar panels propels a vigorous stream of frothy blue water into a cloudy, watery expanse. This central aperture serves as a symbolic protocol gateway, channeling immense data availability or liquidity flow

Outlook

Immediate mitigation for protocols involves implementing robust, multi-source price oracles to prevent single-point manipulation. This incident underscores the urgent need for comprehensive, independent smart contract audits and continuous security monitoring, particularly for newly launched projects. The contagion risk remains high for similar DeFi protocols relying on simplistic price feeds, necessitating a re-evaluation of their oracle infrastructure to establish new security best practices and prevent future exploits.