Security

New Gold Protocol Suffers $2m Flash Loan Oracle Manipulation

A flawed pricing oracle, susceptible to flash loan manipulation, enabled an attacker to drain nearly $2 million from a newly launched DeFi protocol.
September 20, 20253 min

A sleek, white, abstract ring-like mechanism is centrally depicted, actively expelling a dense, flowing cluster of blue, faceted geometric shapes. These shapes vary in size and deepness of blue, appearing to emanate from the core of the white structure against a soft, light grey backdrop
A sleek, futuristic white and metallic cylindrical apparatus rests partially submerged in dark blue water. From its open end, a significant volume of white, granular substance and vibrant blue particles ejects, creating turbulent ripples

Briefing

The New Gold Protocol, an AI-driven DeFi 3.0 staking platform on BNB Chain, was exploited for approximately $1.9 million just hours after its launch on September 18, 2025. The attack leveraged a flash loan to manipulate the protocol’s internal pricing oracle, leading to the unauthorized minting and subsequent draining of BUSD tokens. This incident highlights severe vulnerabilities in the protocol’s design, resulting in an 88% plummet in the NGP token price and significant financial loss for early participants.

A futuristic metallic device, possibly a satellite or specialized node, is partially submerged in a calm body of water. From its lower section, a vigorous stream of bright blue liquid, intermingled with white foam, forcefully ejects, creating dynamic ripples and splashes on the water's surface

Context

Prior to this incident, the DeFi ecosystem has consistently faced a prevailing attack surface rooted in price oracle manipulation and flash loan vulnerabilities. Many protocols, especially those newly launched, often exhibit a lack of standardized mechanisms for behavior pricing, rendering them susceptible to economic exploits. The ability to borrow vast amounts of capital without collateral via flash loans provides threat actors with the means to execute sophisticated price manipulation attacks, a known class of vulnerability that has historically resulted in millions in losses across various platforms.

A prominent, cratered lunar sphere, accompanied by a smaller moonlet, rests among vibrant blue crystalline shards, all contained within a sleek, open metallic ring structure. This intricate arrangement is set upon a pristine white, undulating terrain, with a reflective metallic orb partially visible on the left

Analysis

The core system compromised was the New Gold Protocol’s internal token pricing mechanism, which determined the NGP token price by scanning its reserves in the DEX’s liquidity pool. The attacker initiated the exploit by accumulating a high volume of assets through flash loans across different accounts. This enabled them to execute a series of BUSD to NGP swaps on PancakePair, artificially inflating the NGP token’s price.

Crucially, the attacker bypassed the protocol’s integrated buying and cooldown limits by designating a “dEaD” address as the recipient, thereby circumventing intended security controls. This chain of cause and effect allowed the attacker to then sell the inflated NGP tokens, draining nearly all BUSD from the protocol’s liquidity pools, ultimately converting the stolen $1.9 million into BNB-based ETH and channeling it through Tornado Cash.

The image displays a collection of crystalline and spherical objects arranged on a textured blue landmass, partially submerged in calm, reflective water. A large, frosted blue crystal dominates the left, accompanied by a smooth white sphere and smaller blue and white crystalline forms

Parameters

  • Protocol Targeted → New Gold Protocol
  • Attack Vector → Flash Loan, Price Oracle Manipulation
  • Financial Impact → ~$1.9 Million
  • BlockchainBNB Chain
  • Vulnerability → Flawed Internal Pricing Oracle, Limit Bypass
  • Funds Destination → Tornado Cash

A sophisticated metallic blue device is depicted, partially open to reveal its intricate internal workings. Finely detailed silver mechanisms, gears, and white fiber-optic-like connections are visible within its structure, with a distinctive light blue, bubbly, foam-like substance emanating from one end

Outlook

In the immediate aftermath, users should exercise extreme caution with nascent DeFi protocols, especially those making “DeFi 3.0” claims without transparent, verifiable security audits. This incident will likely establish new best practices emphasizing the critical need for robust, decentralized external price oracles and comprehensive pre-launch security audits that specifically address economic attack vectors. The contagion risk extends to similar protocols that rely on internal, easily manipulated pricing mechanisms, necessitating a systemic review of smart contract logic and a shift towards more resilient oracle solutions across the ecosystem.

A detailed view presents a sophisticated array of blue and metallic silver modular components, intricately assembled with transparent elements and glowing blue internal conduits. A central, effervescent spherical cluster of particles is prominently featured, appearing to be generated from or integrated into a clear channel

Verdict

This incident underscores the critical necessity for comprehensive security audits and robust oracle mechanisms to safeguard nascent DeFi protocols against sophisticated economic exploits.

Signal Acquired from → crypto.news

Micro Crypto News Feeds

token price

Definition ∞ Token price represents the current market value of a specific digital asset, typically denominated in a base currency like USD or another cryptocurrency.

oracle manipulation

Oracle Manipulation ∞ is a type of attack where the data provided by a blockchain oracle is deliberately falsified or corrupted.

liquidity pool

Liquidity Pool ∞ is a collection of cryptocurrency tokens locked in a smart contract, typically used to facilitate decentralized trading.

tornado cash

Definition ∞ Tornado Cash is a decentralized cryptocurrency mixing service designed to enhance user privacy by obscuring the transaction history of digital assets.

protocol

Definition ∞ A protocol is a set of rules governing data exchange or communication between systems.

price oracle

Definition ∞ A price oracle is a digital service that provides external price data to smart contracts on a blockchain.

bnb chain

BNB Chain ∞ is a decentralized blockchain network that supports smart contracts and decentralized applications.

vulnerability

Definition ∞ A vulnerability refers to a flaw or weakness in a system, protocol, or smart contract that could be exploited by malicious actors to compromise its integrity, security, or functionality.

security audits

Definition ∞ Security audits are systematic examinations of a system, application, or smart contract to identify vulnerabilities and weaknesses.

economic exploits

Definition ∞ Economic exploits are malicious actions or strategies that manipulate the design or incentives of a decentralized system to extract value unfairly.

Tags:

Tags: