• The New Gold Protocol was hacked just 6 hours after launch due to flaws in its design and pricing system.
• The attacker used flash loans and bypassed token limits to steal $1.9 million from the protocol.
• The price of the NGP token crashed by 88% after the exploit drained almost all funds from the platform.

The New Gold Protocol (NGP), a staking platform built on the BNB blockchain, was hacked just hours after its launch on September 18, 2025. Marketed as an AI-optimized DeFi 3.0 protocol, NGP aimed to bring transparency and sustainability to decentralized finance. However, two major design flaws were exploited, allowing a hacker to drain nearly all its funds.

Security firm Hacken confirmed that the attack was carefully prepared. Six hours before the breach, the attacker gathered assets through flash loans. These loans, commonly used in DeFi, do not require collateral and are often used for high-speed arbitrage or exploitation. In this case, the attacker used them to manipulate NGP’s price.

Price Manipulation and Exploit Tactics

NGP’s token price was determined by scanning the reserves in a DEX liquidity pool. The hacker used this mechanism to their advantage. By swapping BUSD to NGP on PancakePair, they inflated the token price rapidly. This artificial price increase allowed them to convert a large quantity of NGP at a high value.

The protocol included restrictions to prevent such attacks. It had a token buying limit and a cooldown period. Both limits were bypassed using a technical trick. The attacker used the “dEaD” address as the recipient. This method allowed them to evade the buying restrictions.

Funds Drained and Laundered

Once the price was artificially boosted, the hacker began selling large amounts of NGP. This action drained nearly all of the BUSD from the protocol. Analysts estimate the attacker stole about $1.9 million in crypto. After the drain, the hacker converted the funds to BNB-based ETH.

The stolen funds were then transferred to Ethereum. They were routed through Tornado Cash using the Across bridge. Similarly, the hacker behind the Euler Finance attack returned 100 $ETH to a victim but moved the other funds into Tornado Cash. This made the stolen assets harder to trace. While the NGP price spiked during the manipulation, it later dropped 88% once the attack concluded.

Design Flaws and Lack of Oversight

NGP aimed to improve on existing DeFi models by offering deflationary tokens, fair governance, and real-yield rewards. Its whitepaper highlighted transparency and sustainability. However, the design overlooked key security practices.

By failing to safeguard its pricing system and user limits, the protocol exposed itself. The attacker took advantage of these gaps quickly. Despite its promises, NGP could not prevent a loss of funds and trust.

The team behind NGP has not issued a statement. Their last social media update occurred just before the attack.