The New Gold Protocol (NGP) suffered a devastating exploit on September 18, 2025, losing approximately $1.9 million in a flash loan-powered price oracle manipulation attack on BNB Chain. The incident wiped out 88% of the token’s market value within minutes, underscoring the persistent risks that poorly audited smart contracts pose to the broader cryptocurrency ecosystem. As Bitcoin traded at $117,137 and Ethereum at $4,589 on the day of the attack, the NGP exploit served as a stark reminder that even as the market reaches new heights, protocol-level vulnerabilities remain a critical threat vector.
The Exploit Mechanics
The attacker executed a sophisticated two-step price inflation attack that exploited a fundamental flaw in NGP’s pricing mechanism. The protocol relied on DEX pair token reserve balances to calculate the NGP token price, creating an oracle vulnerability that was trivially exploitable through flash loans.
Six hours before the main exploit, the attacker purchased NGP tokens through several preliminary accounts at normal market prices. Once the flash loan was secured, the attacker swapped large amounts of USDT for NGP on the DEX pair, artificially inflating the token’s apparent price. The swap bypassed the protocol’s maximum purchase limit and cooldown safety checks because the resulting NGP tokens were directed to a zero (dead) address, a whitelisted address that was not subject to the same restrictions as regular user wallets.
With the price artificially inflated and safety checks circumvented, the attacker sold all previously accumulated NGP tokens at the manipulated price, extracting approximately $1.9 million in USDT from the protocol’s liquidity pools. The entire sequence was executed within a single transaction block, leaving no time for intervention.
Affected Systems
The attack targeted the New Gold Protocol’s core smart contract on BNB Chain. The whitelisted addresses that were exploited included the NGP token address itself, the mintAddress, and a dead (zero) address. The protocol had only recently gone live for trading on BNB Chain, meaning it was still in its early launch phase when the vulnerability was exploited.
The forensic analysis, conducted by Hacken’s security team, revealed that the attacker’s address (0x8618314270528e245fbbb6fba54e245bb61a8d47) immediately converted the stolen 1.9 million USDT into Binance-pegged ETH. From there, 443 ETH was bridged to the Ethereum mainnet via the Across protocol and subsequently deposited into Tornado Cash to obfuscate the transaction trail — a pattern consistent with sophisticated DeFi exploitation and laundering operations.
The Mitigation Strategy
The root cause of the exploit was the protocol’s dependence on DEX reserve balances for price discovery, a well-known vulnerability class in DeFi. Mitigating such attacks requires multiple layers of defense. First, protocols must implement battle-tested price oracles such as Chainlink or Pyth Network, which aggregate prices from multiple independent sources and are resistant to single-source manipulation. Second, access control lists — particularly whitelisted addresses — must be audited rigorously to prevent dead or administrative addresses from being used as bypass vectors.
Stress testing that simulates real-world attack scenarios, including flash loan-based price manipulation, should be mandatory before any protocol goes live. Independent third-party security audits from multiple firms provide overlapping coverage and increase the likelihood of catching edge-case vulnerabilities that a single auditor might miss.
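To make the oracle weakness concrete, here is an added Python model (not code from NGP or from Hacken's analysis) of a constant-product pair. It shows the reserve-ratio price jumping within one block, and a time-weighted average (TWAP) with a deviation bound refusing to quote it. The TWAP stands in for the external oracles the article recommends; the reserves, fee, window and 5% bound are constructed assumptions.

```python
from dataclasses import dataclass

FEE_BPS = 25          # assumed 0.25% swap fee (constructed, not NGP's value)
MAX_DEVIATION = 0.05  # assumed guard: spot may sit at most 5% from the TWAP

@dataclass
class Pool:
    """Simplified constant-product (x * y = k) USDT/TOKEN pair."""
    usdt: float
    token: float
    now: int = 0            # seconds since the observation window opened
    cum_price: float = 0.0  # running sum of spot price * seconds elapsed

    def spot(self) -> float:
        # Reserve-ratio price: the quantity the article says NGP relied on.
        return self.usdt / self.token

    def advance(self, seconds: int) -> None:
        self.cum_price += self.spot() * seconds
        self.now += seconds

    def buy_token(self, usdt_in: float) -> float:
        # Swap USDT for TOKEN; reserves change, no time elapses.
        eff = usdt_in * (10_000 - FEE_BPS) / 10_000
        out = self.token * eff / (self.usdt + eff)
        self.usdt += usdt_in
        self.token -= out
        return out

def guarded_price(pool: Pool) -> float:
    """Return the TWAP, refusing to quote while spot has diverged from it."""
    if pool.now == 0:
        raise ValueError("no observation window yet")
    ref = pool.cum_price / pool.now
    if abs(pool.spot() - ref) / ref > MAX_DEVIATION:
        raise ValueError("spot price deviates from TWAP; refusing to quote")
    return ref

def scenario(swap_usdt: float):
    """30 minutes of quiet trading, then one swap inside a single block."""
    pool = Pool(usdt=1_000_000.0, token=1_000_000.0)  # constructed reserves
    pool.advance(1800)
    before = pool.spot()
    pool.buy_token(swap_usdt)
    after = pool.spot()
    try:
        return before, after, guarded_price(pool)
    except ValueError:
        return before, after, None  # None: the guard rejected the quote
```

Calling `scenario(4_000_000.0)` moves the spot price from 1.0 to roughly 25 and returns `None` for the guarded quote, while `scenario(1_000.0)` leaves the spot within the bound and returns the TWAP of 1.0.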
Lessons Learned
The NGP hack reinforces several critical lessons for the crypto community. Price oracle manipulation remains one of the most common and costly attack vectors in DeFi, with losses from oracle-related exploits exceeding hundreds of millions of dollars across the industry. Protocols that rely on DEX reserve balances or single-source pricing mechanisms are fundamentally vulnerable to flash loan attacks, which can be executed with zero upfront capital.
The speed of the attack — from initial positioning to fund extraction — demonstrates that once a vulnerability is identified by malicious actors, the window for response is measured in seconds, not minutes or hours. This reality underscores the importance of proactive security measures over reactive incident response.
User Action Required
Users who held NGP tokens at the time of the exploit should monitor the protocol’s official channels for updates on any compensation or recovery plans. Given that the stolen funds were laundered through Tornado Cash, the likelihood of recovery is low. All DeFi users should verify that the protocols they interact with use audited, manipulation-resistant price oracles and have undergone multiple independent security reviews. When a new protocol launches, particularly one with novel tokenomics, exercising caution and limiting exposure during the initial trading period is a prudent risk management strategy.
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before interacting with any cryptocurrency protocol.
swapping USDT for NGP to inflate the price then dumping pre-bought tokens through a whitelisted dead address. textbook oracle manipulation with extra steps
flash_crash_ pre-buying tokens 6 hours before the exploit then dumping through a whitelisted address. this was planned not opportunistic
Jorge Mendes the 6 hour pre-buy is the detail most people miss. this wasn't opportunistic, it was a scheduled operation
Interesting perspective — I hadn’t considered that angle before
88% of NGP market cap wiped in minutes and the attack was a single transaction block. flash loans combined with bad oracle design are still the most reliable exploit vector in DeFi
Anastasia Volkova the dead address whitelist bypass is the part nobody talks about. protocols give special permissions to burn addresses and wonder why exploits happen
using DEX pair reserves as a price oracle is 2021 level mistakes. projects in 2025 still doing this deserve the exploit honestly
Education is still the biggest barrier to mainstream adoption
The gap between crypto and TradFi is narrowing fast
The fundamental value proposition of crypto keeps getting stronger