Briefing

The New Gold Protocol (NGP) on the BNB Chain was exploited for approximately $2 million (443.8 ETH) on September 18, 2025, through a sophisticated price oracle manipulation attack. This incident leveraged a critical flaw in NGP’s smart contract, specifically its reliance on a single Uniswap V2 liquidity pool for token pricing, making it susceptible to flash loan-induced price distortions. The immediate consequence was an 88% crash in the NGP token’s value, with the stolen funds subsequently routed through Tornado Cash, severely complicating recovery efforts.

Context

Before this incident, the DeFi ecosystem had already faced persistent risks from protocols relying on insecure price oracles, a known class of vulnerability. Many projects, particularly those with lower liquidity or minimal auditing, use single-source price feeds from decentralized exchanges (DEXs), creating an easily manipulable attack surface. This architectural oversight allows rapid, temporary price manipulation within a single atomic transaction, a vector frequently exploited by sophisticated threat actors.

Analysis

The incident’s technical mechanics centered on the NGP smart contract’s getPrice() function, which determined the NGP token’s value solely from its reserves within a Uniswap V2 liquidity pool. An attacker initiated a flash loan, temporarily borrowing a substantial amount of assets without collateral. This borrowed capital was then used to execute a swap that artificially inflated the USDT reserves while draining NGP tokens from the mainPair pool, causing the getPrice() function to report a drastically deflated NGP token price. With the price oracle compromised, the attacker bypassed the contract’s transaction limits, acquired a large volume of NGP tokens at a manipulated low price, repaid the flash loan, and extracted approximately $2 million in profit.

Parameters

  • Protocol Targeted → New Gold Protocol (NGP)
  • Attack Vector → Price Oracle Manipulation via Flash Loan
  • Financial Impact → ~$2 Million (443.8 ETH)
  • Affected Blockchain → BNB Chain
  • Vulnerable Component → getPrice() function relying on single Uniswap V2 pool
  • Token Impact → NGP token price plummeted 88%
  • Post-Exploit Activity → Funds routed through Tornado Cash
  • Security Firms Involved → Blockaid, PeckShield

Outlook

To mitigate similar risks, protocols must adopt robust, multi-source price oracle solutions and undergo rigorous, independent security audits to identify and rectify such vulnerabilities. Users should exercise extreme caution with new or unaudited DeFi projects, prioritizing those with transparent security postures and decentralized governance. This exploit underscores the ongoing need for the DeFi ecosystem to evolve its security best practices, emphasizing resilience against sophisticated on-chain manipulation tactics.
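The reserve-based pricing described under Analysis and the multi-source remedy named above can be compared in a small simulation. This is an added example, not NGP's contract code: the Pool class, guarded_price(), the reserve sizes, the three reference feeds and the 5% tolerance are all assumptions made for illustration.

```python
# Added example: Uniswap V2 style pool vs. a multi-source price guard (all values constructed).
from statistics import median

FEE_NUM, FEE_DEN = 997, 1000  # Uniswap V2 takes 0.3% of the input amount


class PriceRejected(Exception):
    """Raised when the pool's spot price disagrees with the reference feeds."""


class Pool:
    def __init__(self, token_reserve, quote_reserve):
        self.token = token_reserve  # protocol token reserve
        self.quote = quote_reserve  # stablecoin reserve

    def spot_price(self):
        """Quote units per token, read straight from the current reserves."""
        return self.quote / self.token

    def swap_quote_for_token(self, quote_in):
        """Apply the x*y=k swap formula and return the tokens paid out."""
        in_after_fee = quote_in * FEE_NUM
        out = in_after_fee * self.token / (self.quote * FEE_DEN + in_after_fee)
        self.quote += quote_in
        self.token -= out
        return out


def guarded_price(pool, reference_feeds, max_deviation=0.05):
    """Return the median of independent feeds; refuse if the pool disagrees."""
    ref = median(reference_feeds)
    deviation = abs(pool.spot_price() - ref) / ref  # direction does not matter
    if deviation > max_deviation:
        raise PriceRejected(f"spot deviates {deviation:.0%} from reference")
    return ref


def demo():
    pool = Pool(token_reserve=1_000_000, quote_reserve=1_000_000)
    feeds = [1.00, 1.01, 0.99]  # constructed prices from three other sources
    before = pool.spot_price()
    pool.swap_quote_for_token(4_000_000)  # one large swap inside a transaction
    after = pool.spot_price()
    try:
        guarded_price(pool, feeds)
        rejected = False
    except PriceRejected:
        rejected = True
    return before, after, rejected
```

A contract that reads only spot_price() accepts whatever the reserves say at that instant; the guarded reader prices from the median and halts whenever the pool has drifted from it in either direction.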

The New Gold Protocol Exploit Serves as a Stark Reminder That Single-Point Oracle Dependencies Remain a Critical Systemic Vulnerability, Demanding Immediate Architectural Remediation across the DeFi Landscape.

Signal Acquired from → Crypto Economy

Micro Crypto News Feeds

oracle manipulation

Definition ∞ Oracle manipulation is a type of attack where the data provided by a blockchain oracle is deliberately falsified or corrupted.

defi ecosystem

Definition ∞ The DeFi Ecosystem refers to the interconnected network of decentralized finance applications and protocols built on blockchain technology.

liquidity pool

Definition ∞ A liquidity pool is a collection of cryptocurrency tokens locked in a smart contract, typically used to facilitate decentralized trading.

protocol

Definition ∞ A protocol is a set of rules governing data exchange or communication between systems.

price oracle

Definition ∞ A price oracle is a digital service that provides external price data to smart contracts on a blockchain.

bnb chain

Definition ∞ BNB Chain is a decentralized blockchain network that supports smart contracts and decentralized applications.

token price

Definition ∞ Token price represents the current market value of a specific digital asset, typically denominated in a base currency like USD or another cryptocurrency.

tornado cash

Definition ∞ Tornado Cash is a decentralized cryptocurrency mixing service designed to enhance user privacy by obscuring the transaction history of digital assets.

security

Definition ∞ Security refers to the measures and protocols designed to protect assets, networks, and data from unauthorized access, theft, or damage.

exploit

Definition ∞ An exploit refers to the malicious utilization of a security flaw or vulnerability within a protocol, smart contract, or application to gain unauthorized access, steal assets, or disrupt operations.