Briefing

The New Gold Protocol (NGP) on the Binance Smart Chain (BSC) was subjected to a sophisticated flash loan attack on September 18, 2025, resulting in the theft of approximately $2 million in Ethereum. This incident leveraged a critical flaw in NGP’s smart contract, specifically its reliance on a single Uniswap V2 liquidity pool for price determination, which allowed an attacker to manipulate the NGP token’s price oracle. The immediate consequence was a dramatic 88% collapse in the NGP token’s market value, severely impacting holders and underscoring the systemic risk of insecure oracle designs in decentralized finance.


Context

Prior to this incident, the DeFi ecosystem had frequently demonstrated susceptibility to oracle manipulation, a known class of vulnerability where external price feeds, if not robustly designed, can be exploited. Protocols that derive token prices from single, easily influenced liquidity pools present a significant attack surface. The NGP protocol, operating with low transparency and trading volume, exhibited risk factors consistent with projects vulnerable to such economic exploits.


Analysis

The attack vector exploited NGP’s smart contract logic, specifically its getPrice() function, which used a single Uniswap V2 pair’s reserves to calculate the NGP token’s value. The attacker initiated a flash loan to acquire a large quantity of assets, then used these assets to temporarily inflate the USDT reserve and deplete the NGP token reserve within the targeted Uniswap V2 pool. This manipulation artificially lowered the perceived price of NGP, enabling the attacker to bypass transaction limits and purchase a substantial amount of NGP tokens at a minimal cost. Subsequently, the attacker reversed the initial swap, repaid the flash loan, and secured a profit of 443.8 ETH, which was then routed through Tornado Cash for obfuscation.


Parameters

  • Protocol Targeted → New Gold Protocol (NGP)
  • Attack Vector → Price Oracle Manipulation via Flash Loan
  • Financial Impact → ~$2 Million (443.8 ETH)
  • Blockchain Affected → Binance Smart Chain (BSC)
  • Vulnerability Root Cause → Single Uniswap V2 Liquidity Pool for Price Oracle
  • Token Price Impact → NGP token crashed 88%
  • Post-Exploit Action → Funds sent to Tornado Cash


Outlook

This incident reinforces the critical need for multi-source, robust oracle designs that resist single-point-of-failure manipulation. Protocols must implement comprehensive smart contract audits focusing on economic vulnerabilities, especially those related to price feeds and liquidity pool interactions. For users, heightened vigilance regarding projects with low liquidity and unaudited contracts is paramount. The broader DeFi ecosystem should consider adopting decentralized oracle networks and time-weighted average prices (TWAP) to mitigate similar contagion risks, thereby enhancing overall security posture against flash loan-enabled exploits.
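The difference between the reserve-based spot price described in the Analysis and the TWAP recommended above can be seen in a small simulation. This is an added example, not NGP's contract code: the pool model is a simplified Uniswap V2-style constant-product pair, and the reserves, swap size, 30-minute window, 5% deviation threshold and all names (Pair, twap, guarded_price) are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass
class Pair:
    """Constant-product pool with a Uniswap V2-style price accumulator."""
    r_token: int              # token reserve
    r_usdt: int               # USDT reserve
    last_ts: int = 0
    cumulative: float = 0.0   # running sum of spot_price * seconds_in_effect

    def spot(self) -> float:
        # What a price function built on raw reserves would return.
        return self.r_usdt / self.r_token

    def cumulative_at(self, now: int) -> float:
        # Credit the current price only for the time it has been in effect.
        return self.cumulative + self.spot() * (now - self.last_ts)

    def swap_usdt_in(self, amount_in: int, now: int) -> int:
        # Accumulate with the pre-swap price first, then move the reserves.
        self.cumulative, self.last_ts = self.cumulative_at(now), now
        fee_adj = amount_in * 997                       # 0.3% swap fee
        out = fee_adj * self.r_token // (self.r_usdt * 1000 + fee_adj)
        self.r_usdt += amount_in
        self.r_token -= out
        return out

def twap(pair: Pair, obs_cum: float, obs_ts: int, now: int) -> float:
    # Average price between a stored observation and `now`.
    return (pair.cumulative_at(now) - obs_cum) / (now - obs_ts)

def guarded_price(pair, obs_cum, obs_ts, now, max_dev=0.05):
    """Return the TWAP, refusing to quote when spot has diverged from it."""
    avg = twap(pair, obs_cum, obs_ts, now)
    if abs(pair.spot() - avg) / avg > max_dev:
        raise ValueError("spot price deviates from TWAP; refusing to quote")
    return avg

def demo() -> dict:
    pair = Pair(r_token=1_000_000, r_usdt=1_000_000)    # constructed reserves
    obs_cum, obs_ts = pair.cumulative_at(0), 0           # oracle observation
    pair.swap_usdt_in(9_000_000, now=1800)               # one large swap
    return {
        "spot_same_block": pair.spot(),
        "twap_same_block": twap(pair, obs_cum, obs_ts, 1800),
        "twap_if_held_3s": twap(pair, obs_cum, obs_ts, 1803),
    }

if __name__ == "__main__":
    print(demo())
```

Within the block of the swap the reserve ratio is skewed by roughly two orders of magnitude while the TWAP is unchanged; shifting the TWAP requires holding the skew across blocks, which a flash loan repaid in the same transaction cannot do.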


Verdict

The New Gold Protocol exploit serves as a stark reminder that inadequate oracle design remains a fundamental architectural flaw, capable of precipitating rapid asset drains and severe market instability within the digital asset landscape.

Signal Acquired from → coinspeaker.com

Micro Crypto News Feeds

liquidity pool

Definition ∞ A Liquidity Pool is a collection of cryptocurrency tokens locked in a smart contract, typically used to facilitate decentralized trading.

oracle manipulation

Definition ∞ Oracle Manipulation is a type of attack where the data provided by a blockchain oracle is deliberately falsified or corrupted.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.

protocol

Definition ∞ A protocol is a set of rules governing data exchange or communication between systems.

attack vector

Definition ∞ An attack vector is a pathway or method by which malicious actors can gain unauthorized access to a system or digital asset.

smart chain

Definition ∞ A Smart Chain is a type of blockchain network specifically designed to support the execution of smart contracts and decentralized applications.

vulnerability

Definition ∞ A vulnerability refers to a flaw or weakness in a system, protocol, or smart contract that could be exploited by malicious actors to compromise its integrity, security, or functionality.

price

Definition ∞ Price represents the monetary value assigned to an asset or service in exchange for other goods or services.

tornado cash

Definition ∞ Tornado Cash is a decentralized cryptocurrency mixing service designed to enhance user privacy by obscuring the transaction history of digital assets.

defi ecosystem

Definition ∞ The DeFi Ecosystem refers to the interconnected network of decentralized finance applications and protocols built on blockchain technology.

exploit

Definition ∞ An exploit refers to the malicious utilization of a security flaw or vulnerability within a protocol, smart contract, or application to gain unauthorized access, steal assets, or disrupt operations.