BSC
September 17, 2025

NewGold Protocol $2M Flash Loan Attack - Triple Vulnerability Exploit

NewGold Protocol lost $2M through flash loan manipulation exploiting broken price oracle, faulty fee logic, and whitelisted dead address bypass.


Defimon Alerts

Alert: suspicious_contract_call_with_profit
Victim: 0xd2F26200Cd524Db097CF4AB7cc2E5C38AB6Ae5c9
Network: bsc
Attacker: 0x0305ddd42887676ec593b39ace691b772eb3c876
Exploit: 0x0305ddd42887676ec593b39ace691b772eb3c876
Balance Change: $2.00M

TLDR

On September 17, 2025, NewGold Protocol (NGP) on BNB Chain suffered a devastating flash loan attack that drained approximately $2 million in user funds, causing an 88% token price crash. The attack exploited three critical vulnerabilities: a price oracle that relied solely on PancakeSwap pool reserves, a broken fee mechanism that manipulated liquidity pool balances before transfers, and a whitelisted dead address that bypassed buying restrictions. The attacker used flash loans to manipulate reserves, acquired massive amounts of NGP tokens, then triggered the faulty fee logic to drain the pool entirely. All stolen funds were laundered through Tornado Cash within hours.

Attack Overview

NewGold Protocol launched with promises of revolutionary "DeFi 3.0" features and proclaimed that "security is non-negotiable" just three days before the exploit. The protocol combined ambitious roadmaps with fundamentally broken smart contract logic, creating a perfect storm for attackers. Within hours of the September 17th attack, the NGP token crashed 88% and the protocol team went completely silent, offering no acknowledgment or response to the $2 million loss.

The attack demonstrated how combining multiple design flaws can amplify vulnerabilities exponentially. A single-source price oracle became exploitable when paired with transfer logic that modified pool balances prematurely, while the whitelisted dead address provided an unexpected bypass mechanism for buying restrictions.

Technical Analysis

The exploit leveraged three interconnected vulnerabilities in NGP's smart contract architecture. Each flaw was dangerous individually, but together they enabled a complete drainage of the liquidity pool in a single atomic transaction.

Price Oracle Manipulation

NGP's getPrice() function calculated token price using a simple ratio of USDT reserves to NGP token reserves in the PancakeSwap liquidity pool:

price = (usdtReserve * 1e18) / tokenReserve;

This spot price was then used to enforce maximum purchase limits through the maxBuyAmountInUsdt check in the _update() function:

require(((value * getPrice()) / 1e18) <= maxBuyAmountInUsdt, "Exceeds max buy amount");

By relying exclusively on instantaneous reserves of a single DEX pair, the contract made itself vulnerable to intra-transaction manipulation. The attacker borrowed approximately $211 million through flash loans from Morpho and Venus protocols, then dumped these funds into the NGP-USDT pool to artificially crash the NGP reserves while inflating the USDT side. This caused getPrice() to report an artificially low token price, allowing the attacker to bypass the intended buy limits and acquire far more NGP than the contract's safeguards would normally permit.

Broken Fee and Transfer Logic

The second critical vulnerability existed in NGP's fee deduction and pool synchronization mechanism. When NGP tokens were sold, the contract deducted multiple fees (market, burn, treasury, and reward) totaling 35% before the seller's tokens were fully transferred to the pool:

super._update(mainPair, treasuryAddress, treasuryAmount);
super._update(mainPair, rewardPoolAddress, rewardAmount);
IUniswapV2Pair(mainPair).sync(); // reserves updated before seller transfer
value = value - totalFee;
super._update(from, to, value);

This premature fee deduction and sync() call mutated the AMM pair's token balance before the actual user transfer completed. In normal circumstances, this might have been an oversight, but combined with the manipulated pool reserves from the flash loan attack, it created a catastrophic amplification effect. When the attacker sold their NGP holdings, the fee logic reduced the pool's NGP reserves from 477,000 tokens to just 0.035 tokens - a reduction of approximately 13.6 million times. This completely shattered the AMM's constant product invariant (x*y=k) and allowed the attacker to extract a disproportionate amount of USDT liquidity.
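Both flaws discussed above, the reserve-ratio oracle and the fee-before-transfer ordering, can be reproduced against a toy constant-product pair. The following Python model is an added example, not NGP's or PancakeSwap's code; the `Pair` class, the `sell_broken`/`sell_fixed` functions and every reserve and amount value are constructed for illustration. It measures how far one large swap moves the spot oracle inside a single transaction, and contrasts the pool's x*y=k after a sell under NGP's ordering (fee taken from the pair, then sync()) with the hardened ordering where the seller pays the fee and the pair is never touched.

```python
# Toy Uniswap V2-style pair modelling the two NGP flaws above. Constructed example,
# not NGP's or PancakeSwap's code; all reserves and amounts are illustrative.
WAD = 10**18
FEE_BPS = 3500            # the 35% combined sell fee described above

class Pair:
    def __init__(self, ngp, usdt):
        self.bal_ngp, self.bal_usdt = ngp, usdt   # ERC20 balances held by the pair
        self.res_ngp, self.res_usdt = ngp, usdt   # cached reserves used for pricing
    def sync(self):                               # IUniswapV2Pair.sync(): reserves := balances
        self.res_ngp, self.res_usdt = self.bal_ngp, self.bal_usdt
    def get_price(self):                          # NGP's oracle: spot ratio of cached reserves
        return self.res_usdt * WAD // self.res_ngp
    def swap_usdt_for_ngp(self, usdt_in):         # x*y=k swap, fee-free for brevity
        ngp_out = usdt_in * self.res_ngp // (self.res_usdt + usdt_in)
        self.bal_usdt += usdt_in
        self.bal_ngp -= ngp_out
        self.sync()
        return ngp_out
    def swap_ngp_for_usdt(self):                  # amountIn = NGP that arrived since last sync
        ngp_in = self.bal_ngp - self.res_ngp
        usdt_out = ngp_in * self.res_usdt // (self.res_ngp + ngp_in)
        self.bal_usdt -= usdt_out
        self.sync()
        return usdt_out

def sell_broken(pair, value):
    """NGP's ordering: fee leaves the pair, sync(), then the seller's net amount lands."""
    fee = value * FEE_BPS // 10_000
    pair.bal_ngp -= fee            # super._update(mainPair, treasury/rewardPool, fee)
    pair.sync()                    # reserves shrink before the seller's tokens arrive
    pair.bal_ngp += value - fee    # super._update(from, to, value - totalFee)
    return pair.swap_ngp_for_usdt()

def sell_fixed(pair, value):
    """Hardened ordering: the seller pays the fee; the pair only receives the net amount."""
    fee = value * FEE_BPS // 10_000
    pair.bal_ngp += value - fee    # fee goes seller -> treasury and never touches the pair
    return pair.swap_ngp_for_usdt()

def price_move_bps(pair, usdt_in):
    """Basis-point change of the spot oracle caused by one swap inside a transaction."""
    before = pair.get_price()
    pair.swap_usdt_for_ngp(usdt_in)
    return (pair.get_price() - before) * 10_000 // before

def sell_into_fresh_pool(value, sell, ngp=477_000 * WAD, usdt=200_000 * WAD):
    """(USDT paid out, NGP reserve left) after one sell into a pool with the given reserves."""
    pair = Pair(ngp, usdt)
    return sell(pair, value), pair.res_ngp
```

Comparing the pair's x*y before and after each token transfer is the invariant check a reviewer or on-chain monitor would apply: the broken ordering leaves the pool with strictly less k than it started with, the hardened one never does.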

Whitelisted Dead Address Bypass

The third enabler was NGP's whitelist logic, which included the 0x000000000000000000000000000000000000dead address. Whitelisted addresses bypassed critical restrictions including maxBuyAmountInUsdt limits and per-account buy cooldowns. The attacker exploited this by initially swapping tokens to the dead address, accumulating large amounts of NGP across multiple accounts without triggering the safeguards. This step was essential for building up the token inventory needed to execute the subsequent pool drainage attack effectively.

Attack Execution Flow

The attacker executed the exploit in a carefully orchestrated sequence within a single transaction. First, they secured flash loans totaling $211 million in USDT from multiple DeFi lending protocols. They then swapped this massive amount into the NGP-USDT PancakeSwap pool, drastically reducing the NGP token reserves and inflating the USDT reserves. This manipulation caused getPrice() to report NGP as nearly worthless.

With the artificially low price, the attacker bypassed maxBuyAmountInUsdt restrictions and purchased massive quantities of NGP tokens. They routed some purchases through the whitelisted dead address to further circumvent buying restrictions and cooldown timers. Finally, they sold all accumulated NGP tokens back to the pool. The broken fee mechanism triggered, deducting 35% from the pool's balance and calling sync() before the transfer completed. This reduced the pool's NGP reserves to 0.035 tokens, breaking the AMM curve and allowing the attacker to drain nearly all USDT liquidity. After repaying the flash loans, the attacker walked away with approximately $2 million in profit.

Impact Assessment

The NewGold Protocol exploit resulted in direct losses of approximately $2 million, with the NGP token price crashing 88% within an hour of the attack. The exploit address was 0x0305ddd42887676ec593b39ace691b772eb3c876, and the attack transaction hash was 0xc2066e0dff1a8a042057387d7356ad7ced76ab90904baa1e0b5ecbc2434df8e1.

Beyond the immediate financial losses, the incident exposed how protocol teams can fail at the most fundamental level of smart contract security. NGP's reliance on a single DEX pool for pricing, combined with transfer logic that mutated pool state prematurely, represented security mistakes that any competent auditor would catch within minutes of review. The fact that these vulnerabilities made it to mainnet on a protocol claiming "security is non-negotiable" highlighted severe gaps in development and testing processes.

Users who had trusted NGP's ambitious roadmap and security promises found themselves holding worthless tokens with no clear path to recovery. The protocol's complete radio silence following the attack - no acknowledgment, no incident report, no recovery plan - left victims without answers or recourse.

Response and Recovery

Following the September 17th attack, NewGold Protocol's response was notable for its complete absence. The protocol's Twitter account, Telegram channel, and all official communication channels went silent. Over 24 hours after losing $2 million of user funds, NGP had not issued a single statement acknowledging the exploit. Their social media continued posting about their launch as if nothing had happened, creating a surreal disconnect between reality and their public messaging.

The stolen funds were quickly moved through a systematic laundering process: the attacker swapped stolen USDT to ETH, bridged 444 ETH from BNB Chain to Ethereum mainnet, then methodically deposited the funds into Tornado Cash's mixing pools in standard denominations (0.1 ETH, 1 ETH, 10 ETH, and 100 ETH) over approximately 10 minutes.

The protocol team offered no compensation plan, no security fixes, and no clear roadmap for recovery. With liquidity pools drained, token value collapsed, and trust completely eroded, NewGold Protocol effectively became a cautionary tale about what happens when ambitious promises meet incompetent execution. The incident serves as a stark reminder that in DeFi, code quality and security practices matter far more than marketing claims and grandiose roadmaps.

© 2025 Defimon by Decurity
