Briefing

The New Gold Protocol (NGP) on the Binance Smart Chain (BSC) was subjected to a sophisticated flash loan attack on September 18, 2025, resulting in the theft of approximately $2 million in Ethereum. This incident leveraged a critical flaw in NGP’s smart contract, specifically its reliance on a single Uniswap V2 liquidity pool for price determination, which allowed an attacker to manipulate the NGP token’s price oracle. The immediate consequence was a dramatic 88% collapse in the NGP token’s market value, severely impacting holders and underscoring the systemic risk of insecure oracle designs in decentralized finance.

Context

Prior to this incident, the DeFi ecosystem had repeatedly demonstrated susceptibility to oracle manipulation, a known class of vulnerability in which external price feeds, if not robustly designed, can be exploited. Protocols that derive token prices from a single, easily influenced liquidity pool present a significant attack surface. The NGP protocol, operating with low transparency and trading volume, exhibited risk factors consistent with projects vulnerable to such economic exploits.

Analysis

The attack vector exploited NGP’s smart contract logic, specifically its getPrice() function, which derived the NGP token’s value from the current reserves of a single Uniswap V2 pair. Because that spot ratio can be moved and restored within a single transaction, whoever holds enough capital controls it for the duration of the call, and a flash loan supplies that capital without the attacker needing to own it. The attacker initiated a flash loan to acquire a large quantity of assets, then used these assets to temporarily inflate the USDT reserve and deplete the NGP token reserve within the targeted Uniswap V2 pool. This manipulation artificially lowered the perceived price of NGP, enabling the attacker to bypass transaction limits and purchase a substantial amount of NGP tokens at a minimal cost. The attacker then reversed the initial swap, repaid the flash loan, and secured a profit of 443.8 ETH, which was subsequently routed through Tornado Cash for obfuscation.

Parameters

  • Protocol Targeted → New Gold Protocol (NGP)
  • Attack Vector → Price Oracle Manipulation via Flash Loan
  • Financial Impact → ~$2 Million (443.8 ETH)
  • Blockchain Affected → Binance Smart Chain (BSC)
  • Vulnerability Root Cause → Single Uniswap V2 Liquidity Pool for Price Oracle
  • Token Price Impact → NGP token crashed 88%
  • Post-Exploit Action → Funds sent to Tornado Cash

Outlook

This incident reinforces the critical need for multi-source, robust oracle designs that resist single-point-of-failure manipulation. Protocols must implement comprehensive smart contract audits focusing on economic vulnerabilities, especially those related to price feeds and liquidity pool interactions. For users, heightened vigilance regarding projects with low liquidity and unaudited contracts is paramount. The broader DeFi ecosystem should consider adopting decentralized oracle networks and time-weighted average prices (TWAP) to mitigate similar contagion risks, thereby enhancing overall security posture against flash loan-enabled exploits.
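As an added example (not code from the original article or from the NGP project), the following Python simulation models a constant-product pair like the single Uniswap V2 pool described in the Analysis section and contrasts its reserve-ratio oracle with the TWAP mitigation recommended above. The pool sizes, the swap size and the 30-block window are constructed values chosen for illustration.

```python
from dataclasses import dataclass


@dataclass
class ConstantProductPool:
    """Constructed toy Uniswap-V2-style pair (x * y = k, swap fee ignored). Not NGP's real pool."""
    reserve_ngp: float
    reserve_usdt: float

    def spot_price(self) -> float:
        # The oracle pattern the page describes: price is simply the current reserve ratio.
        return self.reserve_usdt / self.reserve_ngp

    def swap(self, usdt_in: float = 0.0, ngp_in: float = 0.0) -> float:
        """Deposit one side, withdraw the other, holding k constant. Returns the amount out."""
        k = self.reserve_ngp * self.reserve_usdt
        if usdt_in > 0:
            self.reserve_usdt += usdt_in
            out = self.reserve_ngp - k / self.reserve_usdt
            self.reserve_ngp -= out
        else:
            self.reserve_ngp += ngp_in
            out = self.reserve_usdt - k / self.reserve_ngp
            self.reserve_usdt -= out
        return out


def twap(observations, window_blocks: int) -> float:
    """Average of the last window_blocks (block, price) samples, one sample per block,
    mirroring the cumulative-price accumulator idea behind Uniswap V2 TWAP oracles."""
    recent = observations[-window_blocks:]
    return sum(price for _, price in recent) / len(recent)


def simulate(large_swap_usdt: float, window_blocks: int = 30) -> dict:
    """Move the reserves with one large swap, read both oracles, then reverse the swap."""
    pool = ConstantProductPool(reserve_ngp=1_000_000, reserve_usdt=1_000_000)  # 1 USDT per NGP
    history = [(b, pool.spot_price()) for b in range(window_blocks)]  # calm preceding blocks
    spot_before = pool.spot_price()
    ngp_out = pool.swap(usdt_in=large_swap_usdt)  # inflates USDT reserve, depletes NGP reserve
    spot_during = pool.spot_price()
    history.append((window_blocks, spot_during))  # worst case: the skew persists a whole block
    pool.swap(ngp_in=ngp_out)  # unwind: reserves return to their starting values
    return {
        "spot_before": spot_before,          # 1.0
        "spot_during": spot_during,          # reserve-ratio oracle moves by a large factor
        "spot_after": pool.spot_price(),     # back to 1.0: the skew is fully reversible
        "twap_during": twap(history, window_blocks),  # diluted to ~1/window of the skew
    }
```

With a 9,000,000 USDT swap into this pool the reserve-ratio quote moves 100x while the 30-block TWAP moves to 4.3, which is why a spot reserve read is not an acceptable oracle input.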

Verdict

The New Gold Protocol exploit serves as a stark reminder that inadequate oracle design remains a fundamental architectural flaw, capable of precipitating rapid asset drains and severe market instability within the digital asset landscape.

Signal Acquired from → coinspeaker.com
