New Gold Protocol Suffers $2 Million Flash Loan Price Manipulation → Security

A clear cubic prism is positioned on a detailed, illuminated blue circuit board, suggesting a fusion of digital infrastructure and advanced security. The circuit board's complex layout represents the intricate design of blockchain networks and their distributed consensus mechanisms

A white, high-tech module is shown partially separated, revealing glowing blue internal components and metallic rings. The detached front section features a circular opening, while the main body displays intricate, illuminated circuitry

Briefing

The New Gold Protocol (NGP) on the BNB Chain was exploited for nearly $2 million via a sophisticated flash loan attack on September 18, 2025. This incident stemmed from a critical vulnerability in NGP’s getPrice() function, which relied on a single Uniswap V2 liquidity pool for token valuation, making it susceptible to price oracle manipulation. The attacker leveraged this flaw to drain assets from the protocol’s liquidity pool, subsequently funneling the stolen funds through Tornado Cash to obscure their origin.

The image showcases a metallic, lens-shaped core object centrally positioned, enveloped by an intricate, glowing white network of interconnected lines and dots. This mesh structure interacts with a fluid, crystalline blue substance that appears to emanate from or surround the core, all set against a gradient grey-blue background

Context

Prior to this incident, the decentralized finance (DeFi) ecosystem has consistently faced risks associated with single-point-of-failure oracle designs. Protocols that derive asset prices from a sole liquidity source are inherently vulnerable to manipulation, particularly through flash loans. This known class of vulnerability, often exacerbated by insufficient smart contract audits, creates an exploitable attack surface for sophisticated actors.

A futuristic, multi-segmented white device with visible internal components and solar panels is partially submerged in turbulent blue water. The water actively splashes around the device, creating numerous bubbles and visible ripples across the surface

Analysis

The attack vector exploited NGP’s smart contract logic, specifically its getPrice() function, which determined the NGP token price by referencing only the reserves in its Uniswap V2 pool. The attacker initiated a flash loan to temporarily acquire a large volume of tokens, then executed a swap to manipulate the mainPair pool. This action artificially inflated the USDT reserve while depleting NGP tokens, causing the getPrice() function to report a significantly undervalued NGP token price. With the system compromised, the attacker bypassed transaction limits to purchase a substantial quantity of NGP tokens at the manipulated low price, effectively draining the protocol’s liquidity.

A close-up view presents two sophisticated, futuristic mechanical modules poised for connection, featuring transparent blue components revealing intricate internal mechanisms and glowing accents. The left unit displays a clear outer shell, exposing complex digital circuits, while the right unit, primarily opaque white, extends a translucent blue cylindrical connector towards it

Parameters

Protocol Targeted → New Gold Protocol (NGP)
Financial Impact → ~$2 Million
Attack Vector → Price Oracle Manipulation via Flash Loan
Vulnerability → Single-source getPrice() function
Blockchain → BNB Chain
Stolen Funds Destination → Tornado Cash
Date of Incident → September 18, 2025

A highly detailed, futuristic spherical module features sleek white external panels revealing complex internal metallic mechanisms. A brilliant blue energy beam or data stream projects from its core, with similar modules blurred in the background, suggesting a vast interconnected system

Outlook

Immediate mitigation for protocols involves implementing robust, multi-source price oracles to prevent single-point manipulation. This incident underscores the urgent need for comprehensive, independent smart contract audits and continuous security monitoring, particularly for newly launched projects. The contagion risk remains high for similar DeFi protocols relying on simplistic price feeds, necessitating a re-evaluation of their oracle infrastructure to establish new security best practices and prevent future exploits.