On September 17, 2024, the NewGold Protocol (NGP), a DeFi project on the BNB Chain, suffered a devastating exploit that drained nearly $2 million in user funds. Despite branding itself as a “DeFi 3.0” project with security as a core principle, flaws in its design left the protocol vulnerable to manipulation.
The attack caused an 88% crash in NGP’s token price, exposing how fragile liquidity pools and weak oracles can make even promising projects collapse overnight.
How the Exploit Happened
The attacker began by acquiring NGP tokens across multiple wallets, using funds sourced through Tornado Cash for anonymity. They then leveraged flash loans from PancakeSwap and other protocols to manipulate liquidity pools.
A key vulnerability lay in NGP’s whitelisted dead wallet mechanism, which allowed the attacker to bypass buying limits. Another critical flaw was in the fee and transfer logic: instead of deducting sales fees directly from the user’s balance, the protocol subtracted tokens from the liquidity pool. When combined with flash loan manipulation, this drained the pool entirely.
By cycling through these steps and repaying all borrowed assets, the attacker secured around $2M in profit, leaving NGP’s pools empty.
Root Causes
Weak Price Oracle — NGP relied solely on PancakeSwap reserves for pricing. With no integration of external oracles like Chainlink, prices were easy to manipulate during flash loans.
Faulty Fee Mechanism — The 35% sales fee was applied in a way that damaged liquidity rather than protecting it. This design error opened the door to large-scale draining attacks.
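The fee flaw described above can be caught with a constant-product invariant check. This is an added example, not NGP's contract code: the pool model, reserve sizes, sell sizes, and the function names `sell_flawed`, `sell_fixed` and `check_invariant` are all assumptions, and the AMM's own swap fee is left out.

```python
from dataclasses import dataclass

SELL_FEE_BPS = 3500  # the 35% sales fee stated in the article


@dataclass
class Pool:
    token: int  # token reserve (constructed value)
    quote: int  # quote-asset reserve (constructed value)

    def k(self) -> int:
        return self.token * self.quote

    def swap_token_in(self, amount_in: int) -> int:
        # Constant-product swap; the AMM's own swap fee is omitted for clarity.
        out = self.quote * amount_in // (self.token + amount_in)
        self.token += amount_in
        self.quote -= out
        return out


def sell_flawed(pool: Pool, amount: int) -> int:
    # Seller's full amount is swapped, then the fee is taken out of the pool.
    out = pool.swap_token_in(amount)
    pool.token -= amount * SELL_FEE_BPS // 10_000
    return out


def sell_fixed(pool: Pool, amount: int) -> int:
    # Fee is withheld from the seller; only the net amount reaches the pool.
    fee = amount * SELL_FEE_BPS // 10_000
    return pool.swap_token_in(amount - fee)


def check_invariant(sell_fn, amounts):
    # Returns (k never decreased, total quote paid out to the seller).
    pool = Pool(token=1_000_000, quote=1_000_000)
    ok, paid = True, 0
    for amount in amounts:
        k_before = pool.k()
        paid += sell_fn(pool, amount)
        ok = ok and pool.k() >= k_before
    return ok, paid


if __name__ == "__main__":
    sells = [100_000] * 3  # constructed sell sizes
    print("flawed:", check_invariant(sell_flawed, sells))
    print("fixed: ", check_invariant(sell_fixed, sells))
```

A sell should never lower the product of the reserves, so a property test of this shape fails as soon as a fee path debits the pool instead of the seller.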
Wanna know more?
We’ve covered the full breakdown of this exploit in our detailed blog: New Gold Protocol Suffers $2M Flash Loan Breach
Aftermath
The stolen funds were quickly moved through KyberSwap, bridged from BNB Chain to Ethereum via Across Protocol, and laundered through Tornado Cash, making them nearly untraceable.
Following the incident, the NGP team admitted the exploit but offered no clear recovery roadmap, compensation plan, or security fixes. With liquidity gone and trust eroded, users were left uncertain about the project’s future.
Key Takeaway
The NewGold exploit highlights how single-source oracles, poor fee design, and a lack of flash loan protections can destroy DeFi protocols in hours. Robust testing, multi-source oracles, and thorough smart contract audits are critical to preventing such disasters.