Briefing

The New Gold Protocol (NGP) on the Binance Smart Chain (BSC) was subjected to a sophisticated flash loan attack on September 18, 2025, resulting in the theft of approximately $2 million in Ethereum. This incident leveraged a critical flaw in NGP’s smart contract, specifically its reliance on a single Uniswap V2 liquidity pool for price determination, which allowed an attacker to manipulate the NGP token’s price oracle. The immediate consequence was a dramatic 88% collapse in the NGP token’s market value, severely impacting holders and underscoring the systemic risk of insecure oracle designs in decentralized finance.

Context

Before this incident, the DeFi ecosystem had repeatedly proven susceptible to oracle manipulation, a known class of vulnerability in which price feeds that are not robustly designed can be exploited. Protocols that derive token prices from a single, easily influenced liquidity pool present a significant attack surface. NGP, operating with low transparency and trading volume, exhibited risk factors consistent with projects vulnerable to such economic exploits.

Analysis

The attack vector exploited NGP’s smart contract logic, specifically its getPrice() function, which used a single Uniswap V2 pair’s reserves to calculate the NGP token’s value. The attacker initiated a flash loan to acquire a large quantity of assets, then used these assets to temporarily inflate the USDT reserve and deplete the NGP token reserve within the targeted Uniswap V2 pool. This manipulation artificially lowered the perceived price of NGP, enabling the attacker to bypass transaction limits and purchase a substantial amount of NGP tokens at a minimal cost. Subsequently, the attacker reversed the initial swap, repaid the flash loan, and secured a profit of 443.8 ETH, which was then routed through Tornado Cash for obfuscation.

Parameters

  • Protocol Targeted ∞ New Gold Protocol (NGP)
  • Attack Vector ∞ Price Oracle Manipulation via Flash Loan
  • Financial Impact ∞ ~$2 Million (443.8 ETH)
  • Blockchain Affected ∞ Binance Smart Chain (BSC)
  • Vulnerability Root Cause ∞ Single Uniswap V2 Liquidity Pool for Price Oracle
  • Token Price Impact ∞ NGP token crashed 88%
  • Post-Exploit Action ∞ Funds sent to Tornado Cash

Outlook

This incident reinforces the critical need for multi-source, robust oracle designs that resist single-point-of-failure manipulation. Protocols must implement comprehensive smart contract audits focusing on economic vulnerabilities, especially those related to price feeds and liquidity pool interactions. For users, heightened vigilance regarding projects with low liquidity and unaudited contracts is paramount. The broader DeFi ecosystem should consider adopting decentralized oracle networks and time-weighted average prices (TWAP) to mitigate similar contagion risks, thereby enhancing overall security posture against flash loan-enabled exploits.
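To make the Analysis and Outlook concrete, the following added model (written for this briefing; it is not NGP's contract code or Uniswap's implementation) simulates a Uniswap V2 style constant-product pair in Python and compares the two oracle designs discussed above: a getPrice()-style read of raw reserves, and a consumer that averages the pair's cumulative-price accumulator over a window. Pool sizes, the 30-minute window, the background trades and the hypothetical flash-loan amount are all constructed sample values. The attacker's transaction sells borrowed quote asset into the pool, which inflates the quote reserve and drains the token reserve as described in Analysis; the reserve-ratio read moves by two orders of magnitude inside that one transaction, while the TWAP read in the same transaction is unchanged, because V2 accumulates the price that held before the block's first state change, not the manipulated one. The model also shows the caveat a practitioner needs: if manipulated reserves are left in place across a block boundary, the TWAP does move, diluted by elapsed time over window, so the window length and the cost of holding a position across blocks are what provide the protection.

```python
"""Spot-reserve oracle vs. time-weighted average price (TWAP) on a
constant-product pool.

Added illustration, not NGP's or Uniswap's code. Models a Uniswap V2 style
pair (x * y = k, 0.30% fee, cumulative-price accumulator) and compares a
getPrice()-style read of raw reserves with a TWAP consumer. All reserve
sizes, trade sizes and timestamps are constructed sample values.
"""
from dataclasses import dataclass

FEE_BPS = 30  # Uniswap V2 style 0.30% swap fee, in basis points


@dataclass
class Pair:
    """Two-asset constant-product pool with a V2-style price accumulator."""
    reserve_token: float           # e.g. NGP
    reserve_quote: float           # e.g. USDT
    price_cumulative: float = 0.0  # sum of (quote/token price * seconds)
    last_ts: int = 0               # timestamp of the last accumulation

    def spot_price(self) -> float:
        """Quote per token read straight from reserves: the manipulable read."""
        return self.reserve_quote / self.reserve_token

    def _accumulate(self, ts: int) -> None:
        # V2 semantics: before the first state change at a new timestamp, add
        # the price that held since the last update, weighted by elapsed seconds.
        self.price_cumulative += self.spot_price() * (ts - self.last_ts)
        self.last_ts = ts

    def current_cumulative(self, ts: int) -> float:
        """Accumulator as a reader sees it at ts (counterfactual update)."""
        return self.price_cumulative + self.spot_price() * (ts - self.last_ts)

    def swap_quote_for_token(self, quote_in: float, ts: int) -> float:
        """Sell quote, receive token: inflates quote reserve, drains token reserve."""
        self._accumulate(ts)
        net_in = quote_in * (10_000 - FEE_BPS) / 10_000
        token_out = self.reserve_token * net_in / (self.reserve_quote + net_in)
        self.reserve_quote += quote_in
        self.reserve_token -= token_out
        return token_out

    def swap_token_for_quote(self, token_in: float, ts: int) -> float:
        """Sell token, receive quote: the reverse leg of a flash-loan round trip."""
        self._accumulate(ts)
        net_in = token_in * (10_000 - FEE_BPS) / 10_000
        quote_out = self.reserve_quote * net_in / (self.reserve_token + net_in)
        self.reserve_token += token_in
        self.reserve_quote -= quote_out
        return quote_out


@dataclass
class TwapOracle:
    """Consumer that snapshots the accumulator and averages over a window."""
    pair: Pair
    obs_cumulative: float
    obs_ts: int

    @classmethod
    def observe(cls, pair: Pair, ts: int) -> "TwapOracle":
        return cls(pair, pair.current_cumulative(ts), ts)

    def consult(self, ts: int) -> float:
        elapsed = ts - self.obs_ts
        if elapsed <= 0:
            raise ValueError("window must cover at least one block")
        return (self.pair.current_cumulative(ts) - self.obs_cumulative) / elapsed


def simulate(flash_loan_quote: float = 1_000_000.0, window: int = 1800) -> dict:
    """Honest 30-minute period, then a single-transaction flash-loan swing."""
    pair = Pair(reserve_token=1_000_000.0, reserve_quote=100_000.0)  # 0.10 quote/token
    twap = TwapOracle.observe(pair, 0)
    # Constructed background trades every five minutes keep the price near 0.10.
    for ts in range(300, window, 300):
        pair.swap_quote_for_token(50.0, ts)
    spot_before = pair.spot_price()

    # Hypothetical attacker transaction at ts == window: borrowed quote into the pool.
    token_out = pair.swap_quote_for_token(flash_loan_quote, window)
    spot_during = pair.spot_price()       # what a reserve-based getPrice() returns now
    twap_same_tx = twap.consult(window)   # what a TWAP consumer returns in the same tx
    # Caveat: had the manipulated reserves been left in place for one 3-second block,
    # the next reader would see the manipulated price weighted by those 3 seconds.
    twap_held_one_block = twap.consult(window + 3)

    # Reverse leg in the same transaction; the flash loan is then repaid.
    quote_back = pair.swap_token_for_quote(token_out, window)
    spot_after = pair.spot_price()

    return {
        "spot_before": spot_before,
        "spot_during": spot_during,
        "spot_after": spot_after,
        "twap_same_tx": twap_same_tx,
        "twap_held_one_block": twap_held_one_block,
        "round_trip_cost": flash_loan_quote - quote_back,
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name:>20}: {value:,.4f}")
```

Running `simulate()` shows the reserve-based read jumping roughly 120x during the transaction and returning to within a fraction of a percent afterwards, while the TWAP read in that transaction stays within a fraction of a percent of the pre-attack price; the round trip costs the attacker only the swap fees, which is why the pool itself is not where the loss occurs but the contract that trusts the momentary reserve ratio. The held-one-block figure moves by roughly 20% even with a 30-minute window, which is the argument for combining a TWAP with independent price sources rather than relying on a single pair however it is averaged.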

Verdict

The New Gold Protocol exploit serves as a stark reminder that inadequate oracle design remains a fundamental architectural flaw, capable of precipitating rapid asset drains and severe market instability within the digital asset landscape.

Signal Acquired from ∞ coinspeaker.com

Glossary

oracle manipulation

Definition ∞ Oracle manipulation is a type of attack where the data provided by a blockchain oracle is deliberately falsified or corrupted.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.

protocol

Definition ∞ A protocol is a set of rules governing data exchange or communication between systems.

price

Definition ∞ Price represents the monetary value assigned to an asset or service in exchange for other goods or services.

tornado cash

Definition ∞ Tornado Cash is a decentralized cryptocurrency mixing service designed to enhance user privacy by obscuring the transaction history of digital assets.

exploit

Definition ∞ An exploit refers to the malicious utilization of a security flaw or vulnerability within a protocol, smart contract, or application to gain unauthorized access, steal assets, or disrupt operations.