DeFi's Oracle Weakness Exposed in $2M NGP Heist

Generated by AI Agent, Coin World
Friday, Sep 19, 2025 1:41 am ET

- $2M stolen via Tornado Cash after exploiting NGP’s smart contract vulnerability in BNB Chain DeFi protocol.

- Attacker manipulated Uniswap V2 pool reserves using flash loans to artificially lower NGP token prices and bypass transaction limits.

- Token price dropped 88% post-attack, exposing risks of single-source oracle dependencies in DeFi protocols.

- Experts urge multi-source price feeds and audits as 2025 sees rising DeFi exploits, including $2.6M Nemo Protocol breach.

A $2 million exploit targeting the NGP protocol, a decentralized finance (DeFi) project on the BNB Chain, was confirmed earlier this week, with the stolen assets routed through Tornado Cash to obscure the transaction trail. The attack exploited a vulnerability in NGP’s smart contract, specifically the getPrice() function, which derives the NGP token price directly from the reserves of a Uniswap V2 pool. According to Web3 security firm Blockaid, this single-point dependency on a decentralized exchange (DEX) for price data left the protocol open to manipulation through flash loans.

The exploit began when the attacker took a flash loan to temporarily borrow a large number of tokens and executed a swap that skewed the reserves of the mainPair pool while draining NGP tokens. Because getPrice() reads those reserves directly, it reported a sharply lower NGP price, which let the attacker bypass transaction limits and buy a large volume of tokens at the artificially depressed price. The drained tokens were quickly swapped into Ethereum (ETH) and pushed through Tornado Cash, a mixer widely used to obscure the origin of illicit funds.

Following the incident, NGP’s token price plummeted by nearly 88% within hours, triggering panic among investors and highlighting the fragility of DeFi protocols that rely on a single data source for pricing. The stolen assets were effectively untraceable after passing through Tornado Cash, leaving the protocol with little to no chance of recovering the funds. The DeFi community is now on high alert, as similar attacks have continued to occur in 2025, including a $2.6 million exploit against Nemo Protocol on Sui. These incidents underscore the ongoing risks associated with flash loans and the necessity for protocols to implement multi-source price feeds and undergo regular security audits.

Industry experts describe the NGP exploit as a stark reminder of the dangers of single-source oracle dependencies in DeFi projects. Flash loans remain a potent tool for attackers because they allow large sums to be borrowed and repaid within a single transaction, which is exactly the window in which a reserve-based price can be skewed and consumed before the pool returns to normal. DeFi platforms are therefore urged to adopt more robust safeguards, including trusted oracle services and multi-layered verification, to prevent such exploits. The incident also highlights the broader challenges facing the DeFi ecosystem in 2025: Chainalysis reported that over $2 billion in cryptocurrency had been stolen through similar attacks in the first half of the year.

The NGP hack adds to a growing list of high-profile DeFi breaches, reinforcing the need for improved security standards and governance practices within the industry. With the rise of mixer services like Tornado Cash and the increasing sophistication of exploits, the path to recovery for affected protocols often remains uncertain. As the DeFi space continues to evolve, stakeholders must prioritize security, transparency, and user protection to build long-term trust and sustainability in the sector.