Well, here we go again. Another day, another DeFi hack. This time it’s the New Gold Protocol, or NGP, that’s taken a hit. The platform, which runs on the BNB Chain, apparently lost around $2 million in an attack that happened on Wednesday. The target was its liquidity pool, which is basically the heart of these decentralized exchanges. It’s a significant blow, for sure.
How the NGP Attack Unfolded
According to the web3 security group Blockaid, the whole thing was a case of price oracle manipulation. That might sound complex, but it boils down to tricking the system that determines a token’s value. The attacker went after the “getPrice” function in NGP’s smart contract. This function was designed to check the token’s price by looking directly at the reserves in a Uniswap V2 pool.
But here’s the problem with that approach. As Blockaid pointed out, getting a price from a single pool like that isn’t really secure. It’s kind of like trusting a single, easily influenced source for important news. An attacker can come in with a flash loan—a huge, temporary, uncollateralized loan—and massively skew those pool reserves in an instant.
The Mechanics of the Exploit
And that’s exactly what happened. The attacker used a flash loan to execute a huge swap. This maneuver artificially inflated the pool’s USDT reserves while drastically shrinking the amount of NGP tokens in it. This manipulation made the price oracle spit out a value for NGP that was far lower than it should have been.
This artificially low price was the key. It allowed the attacker to bypass the contract’s built-in transaction limits. With those safeguards effectively broken, they were able to swoop in and buy a massive amount of NGP tokens for a fraction of their actual worth. It was a classic, if devastatingly effective, move.
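To make the weakness of a reserve-based price concrete, the following is an added Python simulation, not NGP's contract code or anything published by Blockaid. It models a Uniswap V2-style constant-product pool and compares the spot price read from reserves with a time-weighted average (TWAP) after one large swap inside a single transaction. The reserve sizes, swap size, 30-minute window and 5% deviation band are constructed assumptions, and the swap is run in both directions, which goes beyond the single case the article describes.

```python
from dataclasses import dataclass

FEE = 997 / 1000  # Uniswap V2 keeps a 0.3% fee on the input amount

@dataclass
class Pool:
    """Constant-product pool with a V2-style cumulative price accumulator."""
    r_token: float           # reserve of the token being priced
    r_quote: float           # reserve of the quote asset
    cumulative: float = 0.0  # sum of price * seconds, updated before each trade
    last_ts: int = 0

    def spot(self) -> float:
        # What a reserve-reading price function returns: quote per token, right now.
        return self.r_quote / self.r_token

    def cumulative_at(self, now: int) -> float:
        # Accumulator extended to `now`; adds nothing within the block of the last trade.
        return self.cumulative + self.spot() * (now - self.last_ts)

    def swap(self, amount_in: float, quote_in: bool, now: int) -> float:
        # Record the pre-trade price for the elapsed time, then apply x*y=k with fee.
        self.cumulative, self.last_ts = self.cumulative_at(now), now
        r_in, r_out = (self.r_quote, self.r_token) if quote_in else (self.r_token, self.r_quote)
        out = r_out * amount_in * FEE / (r_in + amount_in * FEE)
        r_in, r_out = r_in + amount_in, r_out - out
        self.r_quote, self.r_token = (r_in, r_out) if quote_in else (r_out, r_in)
        return out

def within_band(spot: float, twap: float, max_dev: float = 0.05) -> bool:
    """Guard: refuse to act on a spot price that strays too far from the TWAP."""
    return abs(spot - twap) / twap <= max_dev

def scenario(quote_in: bool):
    # Constructed numbers: 1M/1M reserves (price 1.0), observation at t=0,
    # then one swap of 9M units in a single transaction 30 minutes later.
    pool = Pool(r_token=1_000_000.0, r_quote=1_000_000.0)
    obs_cum, obs_ts, now = pool.cumulative_at(0), 0, 1800
    pool.swap(9_000_000.0, quote_in, now)
    spot = pool.spot()
    twap = (pool.cumulative_at(now) - obs_cum) / (now - obs_ts)
    return spot, twap, within_band(spot, twap)

if __name__ == "__main__":
    for direction in (True, False):
        spot, twap, ok = scenario(direction)
        print(f"quote_in={direction}: spot={spot:.4f} twap={twap:.4f} accepted={ok}")
```

The spot price moves by roughly two orders of magnitude while the TWAP stays at its pre-trade value, because the skewed reserves exist for zero seconds of the averaging window. A TWAP lags genuine price moves, so the window and band have to be sized to the asset's liquidity.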
The Aftermath and a Troubling Trend
The fallout was pretty immediate. On-chain analysts at PeckShield reported that the stolen funds were quickly routed through Tornado Cash, a cryptocurrency mixer often used to obscure the trail of funds. Unsurprisingly, the value of the NGP token itself cratered, dropping a staggering 88% in the wake of the news.
This isn’t some isolated incident, though. It feels like we’re seeing this story on repeat. Just last week, the Sui-based Nemo Protocol suffered an almost identical fate, losing $2.6 million. The bigger picture is even more concerning. Data from Chainalysis suggests that over $2 billion was stolen from crypto services just in the first half of 2025. That number is actually up from previous years, which is a worrying sign that security might be losing the battle.
It makes you wonder, perhaps, if the race to build new things is sometimes outpacing the need to make them truly secure from the ground up.