New Gold Protocol Loses $2 Million in Flash Loan Attack
New Gold Protocol (NGP), a DeFi project on the BNB Chain, suffered a $2 million exploit on Wednesday. The attacker drained assets from NGP’s liquidity pool. They then moved the stolen funds through Tornado Cash, making them hard to trace.
How the Exploit Happened
Web3 security firm Blockaid said the attacker targeted a vulnerability in NGP’s getPrice() function. This function calculates NGP token prices by checking reserves in its Uniswap V2 pool.
Blockaid explained that relying on a single decentralized exchange (DEX) pool made the protocol vulnerable. “A spot price from a single DEX pool is insecure because an attacker can easily and dramatically manipulate the pool’s reserves within a single atomic transaction using a flash loan,” the firm said.
The attacker used a flash loan to borrow a large number of tokens temporarily. They then swapped tokens to manipulate the mainPair pool. This increased the USDT reserve and drained NGP tokens. As a result, the getPrice() function showed a much lower token value than the real price.
With the manipulated price, the attacker bypassed transaction limits. They bought a large amount of NGP tokens at a cheap, false price.
Aftermath and Impact
After draining the tokens, the attacker swapped them into Ethereum. They sent the funds through Tornado Cash, an Ethereum mixer linked to hacks. This made tracking the stolen money nearly impossible.
The hack caused NGP’s token price to crash within hours. Investors were unsettled. NGP has not announced any recovery or compensation plans.
Lessons for DeFi Security
The NGP hack highlights the risks of relying on a single price source. Flash loans remain a common tool for attackers. Experts advise using multiple price feeds, regular audits, and stronger contract protections.
This $2 million loss adds to many DeFi hacks this year. For example, on September 7, 2025, Nemo Protocol on Sui lost $2.6 million. That hack was caused by unaudited code and exploited flash loan functions.
Security remains a major challenge for DeFi projects and investors alike.
