Briefing

The New Gold Protocol, an AI-driven DeFi 3.0 staking platform on BNB Chain, was exploited for approximately $1.9 million just hours after its launch on September 18, 2025. The attack leveraged a flash loan to manipulate the protocol’s internal pricing oracle, leading to the unauthorized minting and subsequent draining of BUSD tokens. This incident highlights severe vulnerabilities in the protocol’s design, resulting in an 88% plummet in the NGP token price and significant financial loss for early participants.

Context

Prior to this incident, the DeFi ecosystem had consistently faced an attack surface rooted in price oracle manipulation and flash loan vulnerabilities. Many protocols, especially newly launched ones, often lack standardized mechanisms for behavior pricing, rendering them susceptible to economic exploits. The ability to borrow vast amounts of capital without collateral via flash loans gives threat actors the means to execute sophisticated price manipulation attacks, a known class of vulnerability that has historically resulted in millions in losses across various platforms.

Analysis

The core system compromised was the New Gold Protocol’s internal token pricing mechanism, which determined the NGP token price by scanning its reserves in the DEX’s liquidity pool. The attacker initiated the exploit by accumulating a high volume of assets through flash loans across different accounts. This enabled them to execute a series of BUSD to NGP swaps on PancakePair, artificially inflating the NGP token’s price.

Crucially, the attacker bypassed the protocol’s integrated buying and cooldown limits by designating a “dEaD” address as the recipient, thereby circumventing intended security controls. This chain of cause and effect allowed the attacker to then sell the inflated NGP tokens, draining nearly all BUSD from the protocol’s liquidity pools, ultimately converting the stolen $1.9 million into BNB-based ETH and channeling it through Tornado Cash.
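
Why a price read straight from pool reserves is unsafe, shown as a defender's model (an added example, not code from the New Gold Protocol or from crypto.news). It simulates a constant-product BUSD/NGP pair and compares the spot price with a time-weighted average plus a deviation guard; the pool sizes, the 0.25% fee, the 30-minute window and the 500 bps threshold are all constructed assumptions.

```python
# Added illustration: constructed pool sizes, fee and thresholds (not NGP's real values).
from dataclasses import dataclass

FEE_BPS = 25  # assumed 0.25% swap fee on the pair

@dataclass
class Pool:
    busd: float
    ngp: float
    cumulative: float = 0.0  # running sum of price * seconds
    last_ts: int = 0

    def spot_price(self) -> float:
        """What a reserve-scanning 'oracle' reads: BUSD per NGP right now."""
        return self.busd / self.ngp

    def accumulate(self, now: int) -> None:
        """Credit the price that held since last_ts, before reserves change."""
        self.cumulative += self.spot_price() * (now - self.last_ts)
        self.last_ts = now

    def swap_busd_for_ngp(self, busd_in: float, now: int) -> float:
        self.accumulate(now)
        effective = busd_in * (10_000 - FEE_BPS) / 10_000
        ngp_out = self.ngp * effective / (self.busd + effective)
        self.busd += busd_in
        self.ngp -= ngp_out
        return ngp_out

def twap(pool: Pool, start_cumulative: float, start_ts: int, now: int) -> float:
    pool.accumulate(now)
    return (pool.cumulative - start_cumulative) / (now - start_ts)

def guarded_price(pool: Pool, twap_price: float, max_dev_bps: int = 500) -> float:
    """Return the TWAP, refusing to price while spot has diverged from it."""
    dev_bps = abs(pool.spot_price() - twap_price) / twap_price * 10_000
    if dev_bps > max_dev_bps:
        raise ValueError(f"spot deviates {dev_bps:.0f} bps from TWAP")
    return twap_price

def run_demo() -> dict:
    pool = Pool(busd=1_000_000, ngp=10_000_000)   # constructed: 0.10 BUSD/NGP
    pool.swap_busd_for_ngp(9_000_000, now=1800)   # one large borrowed-capital swap
    avg = twap(pool, start_cumulative=0.0, start_ts=0, now=1800)
    try:
        guarded_price(pool, avg)
        rejected = False
    except ValueError:
        rejected = True
    return {"spot": pool.spot_price(), "twap": avg, "rejected": rejected}
```

In the constructed run the spot price jumps roughly a hundredfold within a single timestamp while the time-weighted average stays at 0.10, so a contract that prices from the average and halts on large divergence does not accept the inflated value.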

Parameters

  • Protocol Targeted → New Gold Protocol
  • Attack Vector → Flash Loan, Price Oracle Manipulation
  • Financial Impact → ~$1.9 Million
  • Blockchain → BNB Chain
  • Vulnerability → Flawed Internal Pricing Oracle, Limit Bypass
  • Funds Destination → Tornado Cash

Outlook

In the immediate aftermath, users should exercise extreme caution with nascent DeFi protocols, especially those making “DeFi 3.0” claims without transparent, verifiable security audits. This incident will likely establish new best practices emphasizing the critical need for robust, decentralized external price oracles and comprehensive pre-launch security audits that specifically address economic attack vectors. The contagion risk extends to similar protocols that rely on internal, easily manipulated pricing mechanisms, necessitating a systemic review of smart contract logic and a shift towards more resilient oracle solutions across the ecosystem.

Verdict

This incident underscores the critical necessity for comprehensive security audits and robust oracle mechanisms to safeguard nascent DeFi protocols against sophisticated economic exploits.

Signal Acquired from → crypto.news

Micro Crypto News Feeds

token price

Definition ∞ Token price represents the current market value of a specific digital asset, typically denominated in a base currency like USD or another cryptocurrency.

oracle manipulation

Definition ∞ Oracle manipulation is a type of attack where the data provided by a blockchain oracle is deliberately falsified or corrupted.

liquidity pool

Definition ∞ A liquidity pool is a collection of cryptocurrency tokens locked in a smart contract, typically used to facilitate decentralized trading.

tornado cash

Definition ∞ Tornado Cash is a decentralized cryptocurrency mixing service designed to enhance user privacy by obscuring the transaction history of digital assets.

protocol

Definition ∞ A protocol is a set of rules governing data exchange or communication between systems.

price oracle

Definition ∞ A price oracle is a digital service that provides external price data to smart contracts on a blockchain.

bnb chain

Definition ∞ BNB Chain is a decentralized blockchain network that supports smart contracts and decentralized applications.

vulnerability

Definition ∞ A vulnerability refers to a flaw or weakness in a system, protocol, or smart contract that could be exploited by malicious actors to compromise its integrity, security, or functionality.

security audits

Definition ∞ Security audits are systematic examinations of a system, application, or smart contract to identify vulnerabilities and weaknesses.

economic exploits

Definition ∞ Economic exploits are malicious actions or strategies that manipulate the design or incentives of a decentralized system to extract value unfairly.