New Gold Protocol was hacked for 2 million USD due to an oracle vulnerability on BNB Chain

The DeFi platform New Gold Protocol (NGP) became a victim of an attack on Wednesday, resulting in approximately 2 million USD in damages for the project. According to the onchain security company Blockaid, the hacker exploited a vulnerability in the price oracle mechanism of the NGP smart contracts.

Method of attack

  • The NGP oracle uses the getPrice() function to determine the token price, and that function reads the reserves of the Uniswap V2 trading pair directly.
  • The hacker took out a flash loan for a large number of tokens, then swapped them to significantly alter the reserve ratio in the pool: USDT reserves soared, while NGP reserves decreased significantly.
  • Result: getPrice() reported the price of NGP at an extremely low level. This allowed the hacker to bypass the contract's trading limits and purchase a large amount of NGP tokens at a low price.

Blockaid states: "Using the spot price from a single DEX pool is extremely dangerous, as hackers can manipulate reserves in an atomic transaction using a flash loan."
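
The following is an added example, not code from NGP, Blockaid or Uniswap: a small Python model of a constant-product pool that compares a reserve-ratio read with a time-weighted average built from a Uniswap V2 style accumulator. The Pair class, the reserve figures, the 30-minute window and the 5% tolerance are all constructed assumptions, and the token roles are kept generic (quote and base).

```python
from dataclasses import dataclass

@dataclass
class Pair:
    """Constant-product pool (x * y = k), swap fee ignored. Constructed model."""
    quote: float             # e.g. stablecoin reserve
    base: float              # e.g. project-token reserve
    cumulative: float = 0.0  # sum of price * seconds, like a Uniswap V2 accumulator
    last_ts: int = 0

    def spot(self) -> float:
        # Reserve-ratio read: the kind of value a reserves-based getPrice() returns.
        return self.quote / self.base

    def sync(self, now: int) -> None:
        # Credit the price that held since the last update, before reserves change.
        self.cumulative += self.spot() * (now - self.last_ts)
        self.last_ts = now

    def swap_quote_in(self, amount: float, now: int) -> None:
        self.sync(now)
        k = self.quote * self.base
        self.quote += amount
        self.base = k / self.quote

def twap(pair: Pair, start_cum: float, start_ts: int, now: int) -> float:
    """Average price over [start_ts, now] from two accumulator snapshots."""
    pair.sync(now)
    return (pair.cumulative - start_cum) / (now - start_ts)

def guarded_price(pair, start_cum, start_ts, now, max_dev=0.05):
    """Return the TWAP, refusing to quote if spot is more than max_dev away from it."""
    avg = twap(pair, start_cum, start_ts, now)
    if abs(pair.spot() - avg) / avg > max_dev:
        raise ValueError("spot price deviates from TWAP; refusing to quote")
    return avg

def demo():
    pair = Pair(quote=1_000_000.0, base=1_000_000.0)  # constructed reserves, price 1.0
    snap_cum, snap_ts = pair.cumulative, pair.last_ts  # accumulator snapshot at t=0
    pair.sync(1800)                                    # 30 quiet minutes
    pair.swap_quote_in(9_000_000.0, now=1800)          # one large swap in a single block
    return pair.spot(), twap(pair, snap_cum, snap_ts, now=1800)

if __name__ == "__main__":
    spot_after, avg_after = demo()
    print(f"spot read after swap: {spot_after:.2f}, 30-minute TWAP: {avg_after:.2f}")
```

A time-weighted average only blunts a price move that is made and undone within one transaction; a short window, or a price held across many blocks, still shifts the average.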

Consequences

  • The hacker withdrew about 2 million USD from the NGP liquidity pool.
  • The security company PeckShield discovered that the stolen funds had been laundered through Tornado Cash.
  • The price of the NGP token then plummeted by 88%, nearly wiping out the liquidity of the project.

Context

  • This is the latest incident in a series of attacks on DeFi. Just last week, the Nemo Protocol on the Sui network was also hacked for 2.6 million USD due to a flaw in the smart contracts that had not been thoroughly audited.
  • According to Chainalysis, in the first half of 2025 alone, hackers stole more than 2 billion USD from crypto services, surpassing the damage of the same period in previous years.

👉 The incident highlights the security risks from single-source oracles and the necessity of thorough audits before deploying smart contracts.
