Briefing

The New Gold Protocol, an AI-driven DeFi 3.0 staking platform on BNB Chain, was exploited for approximately $1.9 million just hours after its launch on September 18, 2025. The attack leveraged a flash loan to manipulate the protocol’s internal pricing oracle, leading to the unauthorized minting and subsequent draining of BUSD tokens. This incident highlights severe vulnerabilities in the protocol’s design, resulting in an 88% plummet in the NGP token price and significant financial loss for early participants.

Context

Prior to this incident, the DeFi ecosystem had consistently faced an attack surface rooted in price oracle manipulation and flash loan vulnerabilities. Many protocols, especially newly launched ones, lack standardized mechanisms for behavior pricing, rendering them susceptible to economic exploits. The ability to borrow vast amounts of capital without collateral via flash loans gives threat actors the means to execute sophisticated price manipulation attacks, a known class of vulnerability that has historically resulted in millions in losses across various platforms.

Analysis

The core system compromised was the New Gold Protocol’s internal token pricing mechanism, which determined the NGP token price by scanning its reserves in the DEX’s liquidity pool. The attacker initiated the exploit by accumulating a high volume of assets through flash loans across different accounts. This enabled them to execute a series of BUSD to NGP swaps on PancakePair, artificially inflating the NGP token’s price.

Crucially, the attacker bypassed the protocol’s integrated buying and cooldown limits by designating a “dEaD” address as the recipient, thereby circumventing intended security controls. This chain of cause and effect allowed the attacker to then sell the inflated NGP tokens, draining nearly all BUSD from the protocol’s liquidity pools, ultimately converting the stolen $1.9 million into BNB-based ETH and channeling it through Tornado Cash.
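
An added example (not code from New Gold Protocol or the original article) showing why a price read from instantaneous pool reserves is fragile, and how a time-weighted average with a deviation check refuses the distorted reading. The reserve figures, the 5% threshold, and all class and function names are assumptions made for illustration.

```python
from fractions import Fraction

FEE = Fraction(9975, 10000)  # assumption: 0.25% input fee, as on PancakeSwap v2 pairs

class Pool:
    """Constant-product BUSD/NGP pair; all reserve figures are constructed."""
    def __init__(self, busd, ngp):
        self.busd, self.ngp = Fraction(busd), Fraction(ngp)
        self.cum_price, self.elapsed = Fraction(0), 0

    def spot_price(self):
        # What a reserve-scanning oracle reads: BUSD per NGP at this instant.
        return self.busd / self.ngp

    def advance(self, seconds):
        # Accumulate price * time, the basis of a time-weighted average (TWAP).
        self.cum_price += self.spot_price() * seconds
        self.elapsed += seconds

    def twap(self):
        return self.cum_price / self.elapsed

    def swap_busd_for_ngp(self, busd_in):
        # x * y = k, with the fee taken from the input amount.
        eff = Fraction(busd_in) * FEE
        ngp_out = self.ngp * eff / (self.busd + eff)
        self.busd += busd_in
        self.ngp -= ngp_out
        return ngp_out

def guarded_price(pool, max_deviation=Fraction(5, 100)):
    """Price from the TWAP; refuse when spot has moved too far from it."""
    twap, spot = pool.twap(), pool.spot_price()
    if abs(spot - twap) / twap > max_deviation:
        raise ValueError("spot deviates from TWAP beyond threshold")
    return twap

def demo():
    pool = Pool(busd=2_000_000, ngp=20_000_000)  # constructed: 0.10 BUSD per NGP
    pool.advance(1800)                           # 30 minutes at a stable price
    before = pool.spot_price()
    pool.swap_busd_for_ngp(18_000_000)           # one large buy inside a single block
    after = pool.spot_price()
    try:
        guarded_price(pool)
        rejected = False
    except ValueError:
        rejected = True
    return before, after, rejected
```

With these constructed reserves the spot reading moves from 0.10 to 9.9775 BUSD per NGP within one block, while the TWAP is still 0.10, so the guarded read raises instead of returning a price.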

Parameters

  • Protocol Targeted ∞ New Gold Protocol
  • Attack Vector ∞ Flash Loan, Price Oracle Manipulation
  • Financial Impact ∞ ~$1.9 Million
  • Blockchain ∞ BNB Chain
  • Vulnerability ∞ Flawed Internal Pricing Oracle, Limit Bypass
  • Funds Destination ∞ Tornado Cash

Outlook

In the immediate aftermath, users should exercise extreme caution with nascent DeFi protocols, especially those making “DeFi 3.0” claims without transparent, verifiable security audits. This incident will likely establish new best practices emphasizing the critical need for robust, decentralized external price oracles and comprehensive pre-launch security audits that specifically address economic attack vectors. The contagion risk extends to similar protocols that rely on internal, easily manipulated pricing mechanisms, necessitating a systemic review of smart contract logic and a shift towards more resilient oracle solutions across the ecosystem.

Verdict

This incident underscores the critical necessity for comprehensive security audits and robust oracle mechanisms to safeguard nascent DeFi protocols against sophisticated economic exploits.

Signal Acquired from ∞ crypto.news

Micro Crypto News Feeds

token price

Definition ∞ Token price represents the current market value of a specific digital asset, typically denominated in a base currency like USD or another cryptocurrency.

oracle manipulation

Definition ∞ Oracle manipulation is a type of attack where the data provided by a blockchain oracle is deliberately falsified or corrupted.

liquidity pool

Definition ∞ A liquidity pool is a collection of cryptocurrency tokens locked in a smart contract, typically used to facilitate decentralized trading.

tornado cash

Definition ∞ Tornado Cash is a decentralized cryptocurrency mixing service designed to enhance user privacy by obscuring the transaction history of digital assets.

protocol

Definition ∞ A protocol is a set of rules governing data exchange or communication between systems.

price oracle

Definition ∞ A price oracle is a digital service that provides external price data to smart contracts on a blockchain.

bnb chain

Definition ∞ BNB Chain is a decentralized blockchain network that supports smart contracts and decentralized applications.

vulnerability

Definition ∞ A vulnerability refers to a flaw or weakness in a system, protocol, or smart contract that could be exploited by malicious actors to compromise its integrity, security, or functionality.

security audits

Definition ∞ Security audits are systematic examinations of a system, application, or smart contract to identify vulnerabilities and weaknesses.

economic exploits

Definition ∞ Economic exploits are malicious actions or strategies that manipulate the design or incentives of a decentralized system to extract value unfairly.