Briefing

The New Gold Protocol (NGP) on the Binance Smart Chain (BSC) was subjected to a sophisticated flash loan attack on September 18, 2025, resulting in the theft of approximately $2 million in Ethereum. This incident leveraged a critical flaw in NGP’s smart contract, specifically its reliance on a single Uniswap V2 liquidity pool for price determination, which allowed an attacker to manipulate the NGP token’s price oracle. The immediate consequence was a dramatic 88% collapse in the NGP token’s market value, severely impacting holders and underscoring the systemic risk of insecure oracle designs in decentralized finance.

Context

Prior to this incident, the DeFi ecosystem had repeatedly demonstrated susceptibility to oracle manipulation, a known class of vulnerability in which external price feeds, if not robustly designed, can be exploited. Protocols that derive token prices from a single, easily influenced liquidity pool present a significant attack surface. The NGP protocol, operating with low transparency and low trading volume, exhibited risk factors consistent with projects vulnerable to such economic exploits.

Analysis

The attack vector exploited NGP’s smart contract logic, specifically its getPrice() function, which used a single Uniswap V2 pair’s reserves to calculate the NGP token’s value. The attacker initiated a flash loan to acquire a large quantity of assets, then used these assets to temporarily inflate the USDT reserve and deplete the NGP token reserve within the targeted Uniswap V2 pool. This manipulation artificially lowered the perceived price of NGP, enabling the attacker to bypass transaction limits and purchase a substantial amount of NGP tokens at a minimal cost. Subsequently, the attacker reversed the initial swap, repaid the flash loan, and secured a profit of 443.8 ETH, which was then routed through Tornado Cash for obfuscation.

Parameters

  • Protocol Targeted → New Gold Protocol (NGP)
  • Attack Vector → Price Oracle Manipulation via Flash Loan
  • Financial Impact → ~$2 Million (443.8 ETH)
  • Blockchain Affected → Binance Smart Chain (BSC)
  • Vulnerability Root Cause → Single Uniswap V2 Liquidity Pool for Price Oracle
  • Token Price Impact → NGP token crashed 88%
  • Post-Exploit Action → Funds sent to Tornado Cash

Outlook

This incident reinforces the critical need for multi-source, robust oracle designs that resist single-point-of-failure manipulation. Protocols must implement comprehensive smart contract audits focusing on economic vulnerabilities, especially those related to price feeds and liquidity pool interactions. For users, heightened vigilance regarding projects with low liquidity and unaudited contracts is paramount. The broader DeFi ecosystem should consider adopting decentralized oracle networks and time-weighted average prices (TWAP) to mitigate similar contagion risks, thereby enhancing overall security posture against flash loan-enabled exploits.
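As an added illustration (not NGP's contract code, nor code from the cited report), the following Python simulation shows why a reserves-only getPrice() is fragile and how a TWAP reference with a deviation bound would refuse the manipulated reading described in the Analysis section. The pool model is the standard Uniswap V2 constant-product formula with its 0.3% fee; reserve sizes, the swap size and the averaging window are constructed values.

```python
from decimal import Decimal, getcontext

getcontext().prec = 40


class ConstantProductPool:
    """Minimal Uniswap V2 style pool (x * y = k, 0.3% fee); reserves are constructed."""

    def __init__(self, reserve_token, reserve_quote):
        self.reserve_token = Decimal(reserve_token)
        self.reserve_quote = Decimal(reserve_quote)

    def spot_price(self):
        # Quote units per token: exactly what a reserves-only getPrice() reports.
        return self.reserve_quote / self.reserve_token

    def swap_quote_for_token(self, quote_in):
        # Standard V2 getAmountOut with the 0.3% fee applied on the input side.
        amount_with_fee = Decimal(quote_in) * 997
        token_out = (amount_with_fee * self.reserve_token) / (
            self.reserve_quote * 1000 + amount_with_fee
        )
        self.reserve_quote += Decimal(quote_in)
        self.reserve_token -= token_out
        return token_out


def twap(samples):
    """Time-weighted average of (price, seconds) samples, as a cumulative-price oracle yields."""
    total = sum(seconds for _, seconds in samples)
    return sum(price * seconds for price, seconds in samples) / total


def guarded_price(spot, reference, max_deviation_bps=500):
    """Return spot only if it lies within max_deviation_bps of the reference; otherwise None."""
    deviation_bps = abs(spot - reference) / reference * 10000
    return spot if deviation_bps <= max_deviation_bps else None


def demo():
    pool = ConstantProductPool(1_000_000, 1_000_000)  # constructed: 1 quote unit per token
    fair = pool.spot_price()
    reference = twap([(fair, 1800)])  # constructed: 30 min of undisturbed trading
    # One large swap inside a single block, the size a flash loan makes available.
    pool.swap_quote_for_token(4_000_000)
    manipulated = pool.spot_price()  # moves roughly 25x from a single swap
    return {
        "fair": fair,
        "manipulated": manipulated,
        "accepted_fair": guarded_price(fair, reference),
        "accepted_manipulated": guarded_price(manipulated, reference),
    }
```

The guard is a bound on spot-versus-TWAP deviation, not a TWAP price feed by itself; a production oracle would also source the reference from more than one pool.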

Verdict

The New Gold Protocol exploit serves as a stark reminder that inadequate oracle design remains a fundamental architectural flaw, capable of precipitating rapid asset drains and severe market instability within the digital asset landscape.

Signal Acquired from → coinspeaker.com

Micro Crypto News Feeds

liquidity pool

Definition ∞ A Liquidity Pool is a collection of cryptocurrency tokens locked in a smart contract, typically used to facilitate decentralized trading.

oracle manipulation

Definition ∞ Oracle Manipulation is a type of attack where the data provided by a blockchain oracle is deliberately falsified or corrupted.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.

protocol

Definition ∞ A protocol is a set of rules governing data exchange or communication between systems.

attack vector

Definition ∞ An attack vector is a pathway or method by which malicious actors can gain unauthorized access to a system or digital asset.

smart chain

Definition ∞ A Smart Chain is a type of blockchain network specifically designed to support the execution of smart contracts and decentralized applications.

vulnerability

Definition ∞ A vulnerability refers to a flaw or weakness in a system, protocol, or smart contract that could be exploited by malicious actors to compromise its integrity, security, or functionality.

price

Definition ∞ Price represents the monetary value assigned to an asset or service in exchange for other goods or services.

tornado cash

Definition ∞ Tornado Cash is a decentralized cryptocurrency mixing service designed to enhance user privacy by obscuring the transaction history of digital assets.

defi ecosystem

Definition ∞ The DeFi Ecosystem refers to the interconnected network of decentralized finance applications and protocols built on blockchain technology.

exploit

Definition ∞ An exploit refers to the malicious utilization of a security flaw or vulnerability within a protocol, smart contract, or application to gain unauthorized access, steal assets, or disrupt operations.