New Gold Protocol (NGP), a decentralized finance (DeFi) initiative constructed on the BNB Chain, has been exploited for around $2 million.
The breach, which was confirmed by Web3 security enterprise Blockaid, targeted NGP’s liquidity pool for the project’s native token through a flaw in the protocol’s smart contract.
The flaw stemmed from the protocol’s price oracle and a bit of code in its getPrice() function that draws liquidity from a Uniswap V2 trading pair.
Simply having a single pool made NGP vulnerable to price manipulation, allowing the perpetrator to circumvent safety measures to empty the liquidity pool.
Flash Loan Attack Impacts Price Oracle
According to research conducted by Blockaid, the attacker used a flash loan, which means they borrowed a large sum of tokens for a single transaction and then paid them back.
The hacker reportedly used the tokens to manipulate NGP’s primary liquidity pool by swapping assets and artificially raising the USDT reserve while lowering the NGP reserve.
As a result, it resulted in the oracle’s getPrice() function returning a manipulated low token price.
The attacker exploited this low price and circumvented NGP’s transaction limits to acquire and liquidate vast quantities of NGP at several times the low manipulated price.
This circumstance highlights the risks associated with using insecure price feeds and relying on a single decentralized exchange pool.
Also Read: CrediX Team Disappears After $4.5M Crypto Hack and Acclaimed Funds Recovery
Stolen Funds Laundered Via Tornado Cash
Following the hacking event, a blockchain security expert from PeckShield stated that the funds that were stolen were later funneled through Tornado Cash – a well-known cryptocurrency mixer that is designed to obfuscate transactions.
This is a common laundering method that inhibits the ability to track down and reclaim the assets after a theft has occurred.
Meanwhile, directly afterwards, the NGP token crashed by 88%, sending holders into panic mode, and raising fears of the project being viable again.
This rapid sell-off illustrated the extent to which investor confidence can be so fragile in DeFi protocols, particularly when things do not have some reasonable contract protection or rigorous auditing is not conducted.
Also Read: Decentralized Finance Protocol CrediX Has Suffered a $4.5 Million Crypto Hack
DeFi Exploits Continue to Threaten the Industry
The NGP exploit is part of a disturbing trend of high-value DeFi exploits in 2025. Last week, the yield-trading platform built on Sui called Nemo Protocol lost $2.6 million over vulnerabilities exploited through unaudited smart contracts.
Similarly, we reported that after siphoning off $32 million in AIO tokens, Olaxbt suffered a $2 million hack on September 1st when hackers drained multisig wallets.
On September 8th, Kinto suspended its operations following a hack of $1.55 million, which resulted in its $K token price crashing by more than 80%, according to UnoCrypto.
Chainalysis attributes over $2 billion taken from crypto platforms in the first half of 2025. This is by far the most reported for any half-year period in the previous years included.
These events reflect a pattern of increasing sophistication among attackers and a call for better security practices, third-party audits, and resilient protocol designs in the DeFi community.
Also Read: Chinese Mining Pool Lubian Loses $3.5 Billion Amid Unnoticed Crypto Hack Four Years Ago, Here’s All