Security

New Gold Protocol Suffers $2 Million Flash Loan Price Manipulation

A single-source price oracle vulnerability enabled a flash loan attack, compromising $2 million and exposing critical DeFi risk.
September 21, 20253 min

The image displays vibrant blue, faceted crystalline structures, resembling precious gemstones, partially surrounded by soft, white, cloud-like material. These elements are contained within a translucent blue vessel, with additional white material spilling over its edges
A sharp, metallic, silver-grey structure, partially covered in white snow, emerges from a vibrant blue, textured mass, itself snow-dusted and resting in calm, rippling water. Another smaller, similar blue and white formation is visible to the left, all set against a soft, cloudy sky

Briefing

The New Gold Protocol (NGP) on the BNB Chain was exploited for nearly $2 million via a sophisticated flash loan attack on September 18, 2025. This incident stemmed from a critical vulnerability in NGP’s getPrice() function, which relied on a single Uniswap V2 liquidity pool for token valuation, making it susceptible to price oracle manipulation. The attacker leveraged this flaw to drain assets from the protocol’s liquidity pool, subsequently funneling the stolen funds through Tornado Cash to obscure their origin.

A multifaceted, crystalline structure radiates outwards from a central, spherical core. The core features concentric rings and a smooth, white central orb, encased in transparent material revealing internal mechanisms

Context

Prior to this incident, the decentralized finance (DeFi) ecosystem has consistently faced risks associated with single-point-of-failure oracle designs. Protocols that derive asset prices from a sole liquidity source are inherently vulnerable to manipulation, particularly through flash loans. This known class of vulnerability, often exacerbated by insufficient smart contract audits, creates an exploitable attack surface for sophisticated actors.

A translucent, melting ice formation sits precariously on a detailed blue electronic substrate, evoking the concept of frozen liquidity within the cryptocurrency ecosystem. This imagery highlights the fragility of digital asset markets and the potential for blockchain network disruptions

Analysis

The attack vector exploited NGP’s smart contract logic, specifically its getPrice() function, which determined the NGP token price by referencing only the reserves in its Uniswap V2 pool. The attacker initiated a flash loan to temporarily acquire a large volume of tokens, then executed a swap to manipulate the mainPair pool. This action artificially inflated the USDT reserve while depleting NGP tokens, causing the getPrice() function to report a significantly undervalued NGP token price. With the system compromised, the attacker bypassed transaction limits to purchase a substantial quantity of NGP tokens at the manipulated low price, effectively draining the protocol’s liquidity.

The image presents an abstract, high-tech structure featuring a central, translucent, twisted element adorned with silver bands, surrounded by geometric blue blocks and sleek metallic frames. This intricate design, set against a light background, suggests a complex engineered system with depth and interconnected components

Parameters

The image features a close-up of interconnected metallic components, primarily in a vibrant, textured blue and polished silver. Thin gray wires crisscross between the modules, suggesting complex internal wiring and data transfer pathways crucial for high-speed data integrity

Outlook

Immediate mitigation for protocols involves implementing robust, multi-source price oracles to prevent single-point manipulation. This incident underscores the urgent need for comprehensive, independent smart contract audits and continuous security monitoring, particularly for newly launched projects. The contagion risk remains high for similar DeFi protocols relying on simplistic price feeds, necessitating a re-evaluation of their oracle infrastructure to establish new security best practices and prevent future exploits.

A futuristic mechanical device, composed of metallic silver and blue components, is prominently featured, partially covered in a fine white frost or crystalline substance. The central blue element glows softly, indicating internal activity within the complex, modular structure

The NGP Exploit Serves as a Stark Reminder That Foundational Security Principles, Such as Decentralized Oracle Design, Are Non-Negotiable for Maintaining Trust and Capital Integrity in the Digital Asset Landscape.

Signal Acquired from → cryptotimes.io

Micro Crypto News Feeds

oracle manipulation

Oracle Manipulation ∞ is a type of attack where the data provided by a blockchain oracle is deliberately falsified or corrupted.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.

attack vector

Definition ∞ An attack vector is a pathway or method by which malicious actors can gain unauthorized access to a system or digital asset.

protocol

Definition ∞ A protocol is a set of rules governing data exchange or communication between systems.

financial impact

Definition ∞ Financial impact describes the consequences of an event, decision, or technology on monetary values, asset prices, or economic activity.

price oracle

Definition ∞ A price oracle is a digital service that provides external price data to smart contracts on a blockchain.

vulnerability

Definition ∞ A vulnerability refers to a flaw or weakness in a system, protocol, or smart contract that could be exploited by malicious actors to compromise its integrity, security, or functionality.

bnb chain

BNB Chain ∞ is a decentralized blockchain network that supports smart contracts and decentralized applications.

stolen funds

Definition ∞ Stolen funds represent digital assets that have been unlawfully acquired from their rightful owners.

protocols

Definition ∞ 'Protocols' are sets of rules that govern how data is transmitted and managed across networks.

Tags:

Tags: