New Gold Protocol Suffers $2 Million Flash Loan Price Manipulation ∞ Security

A transparent sphere with layered blue digital elements is positioned next to a cubic structure revealing complex blue circuitry and a central white emblem. A clear panel is shown in the process of being removed from the cube, exposing its inner workings

A sophisticated mechanical construct featuring polished silver, translucent blue, and clear components is intricately assembled, interconnected by thin black wires. This complex device appears to be a conceptual model of a highly advanced, multi-faceted system, embodying the principles of decentralized finance DeFi

Briefing

The New Gold Protocol (NGP) on the BNB Chain was exploited for nearly $2 million via a sophisticated flash loan attack on September 18, 2025. This incident stemmed from a critical vulnerability in NGP’s getPrice() function, which relied on a single Uniswap V2 liquidity pool for token valuation, making it susceptible to price oracle manipulation. The attacker leveraged this flaw to drain assets from the protocol’s liquidity pool, subsequently funneling the stolen funds through Tornado Cash to obscure their origin.

A close-up view reveals an array of interconnected, futuristic modular components. The central focus is a white, smooth, cube-shaped unit featuring multiple circular lenses, linked to translucent blue sections exposing intricate internal mechanisms

Context

Prior to this incident, the decentralized finance (DeFi) ecosystem has consistently faced risks associated with single-point-of-failure oracle designs. Protocols that derive asset prices from a sole liquidity source are inherently vulnerable to manipulation, particularly through flash loans. This known class of vulnerability, often exacerbated by insufficient smart contract audits, creates an exploitable attack surface for sophisticated actors.

A white, glossy sphere with silver metallic accents is encircled by a smooth white ring, set against a dark grey background. Dynamic, translucent blue fluid-like structures surround and interact with the central sphere and ring, suggesting energetic movement

Analysis

The attack vector exploited NGP’s smart contract logic, specifically its getPrice() function, which determined the NGP token price by referencing only the reserves in its Uniswap V2 pool. The attacker initiated a flash loan to temporarily acquire a large volume of tokens, then executed a swap to manipulate the mainPair pool. This action artificially inflated the USDT reserve while depleting NGP tokens, causing the getPrice() function to report a significantly undervalued NGP token price. With the system compromised, the attacker bypassed transaction limits to purchase a substantial quantity of NGP tokens at the manipulated low price, effectively draining the protocol’s liquidity.

A light blue, organic-textured outer layer partially reveals intricate dark blue and metallic silver mechanical components beneath. The central focus highlights a glowing circular mechanism alongside a distinct square module, indicating advanced technological architecture

Parameters

Protocol Targeted ∞ New Gold Protocol (NGP)
Financial Impact ∞ ~$2 Million
Attack Vector ∞ Price Oracle Manipulation via Flash Loan
Vulnerability ∞ Single-source getPrice() function
Blockchain ∞ BNB Chain
Stolen Funds Destination ∞ Tornado Cash
Date of Incident ∞ September 18, 2025

A detailed macro shot presents an advanced electronic circuit component, showcasing transparent casing over a central processing unit and numerous metallic connectors. The component features intricate wiring and gold-plated contact pins, set against a backdrop of blurred similar technological elements in cool blue and silver tones

Outlook

Immediate mitigation for protocols involves implementing robust, multi-source price oracles to prevent single-point manipulation. This incident underscores the urgent need for comprehensive, independent smart contract audits and continuous security monitoring, particularly for newly launched projects. The contagion risk remains high for similar DeFi protocols relying on simplistic price feeds, necessitating a re-evaluation of their oracle infrastructure to establish new security best practices and prevent future exploits.