New Gold Protocol (NGP) $1.9M Hack Explained

New Gold Protocol (NGP) was exploited for $1.9 million on September 18, 2025, shortly after trading went live on BNB Chain. The attack instantly wiped out 88% of the token’s market value, reinforcing the critical role of comprehensive smart contract security in a successful launch.

Forensic analysis revealed the root cause to be the protocol’s reliance on DEX pair token reserves balances when calculating the price of the NGP token. This created a price oracle vulnerability that can be easily manipulated with flash loans.

Initial Breach Overview

The exploit was a classic price inflation attack that bypassed the usual safety checks. In principle, no user should have been able to buy more NGP tokens above a set threshold.

Our investigation into the NGP smart contract shows that certain whitelisted addresses could receive NGP tokens above that limit:

• The NGP token address
• The mintAddress
• A dead (zero) address

NGP Hack Timeline

Six hours before the exploit, the attacker purchased NGP tokens via several accounts. After receiving the flash loan, the attacker performed a two-step exploit.

They inflated the token’s price by swapping large amounts of USDT to NGP. The attacker bypassed the maximum purchase limit amount and cooldown time safety checks by using a zero (dead) address to receive the NGP tokens.

After bypassing the safety checks and manipulating the protocol’s price oracles, the attacker sold all the NGP they had purchased before the exploit for a total of 1.9M USDT.

The attacker immediately swapped the stolen funds to Binance-pegged ETH.

A series of laundering transactions followed — 443 ETH was bridged to Ethereum via Across, and then deposited to Tornado Cash to obfuscate the trail.

Attacker’s address: 0x8618314270528e245fbbb6fba54e245bb61a8d47

Lessons Learned

The New Gold Protocol hack highlights critical lapses in threat response and mitigation that can be addressed with actionable steps.

• Conduct stress tests that simulate real attack scenarios before going live.
• Independent security audits: Audit smart contracts from multiple independent third parties to ensure that no potential vulnerabilities are left exposed.
• Use battle-tested price oracles: Avoid relying on DEX reserves alone. Reliable price feed providers can make it harder for attackers to “trick” your smart contract.
• Strengthen your resilience against on-chain exploits with automated controls – like geo-blocks, transfer limits, and wallet flagging – triggered by anomalous activity. Platforms like Extractor help implement these safeguards and protect assets in real time.