Flash Loans Expose DeFi's Fatal Weakness Again

Generated by AI Agent, Coin World
Thursday, Sep 18, 2025 11:20 am ET
Summary

- New Gold Protocol (NGP) suffered a $2M DeFi exploit via a smart contract vulnerability in its `getPrice()` function.

- Attackers used flash loans to manipulate Uniswap V2 pool reserves, triggering a discounted token purchase and liquidity drain.

- Stolen funds were laundered through Tornado Cash, causing NGP's token price to drop 88% with no recovery plan announced.

- The incident highlights risks of single-source price feeds and underscores industry calls for multi-source data and rigorous audits.

- NGP's breach joins 2025's DeFi exploits, emphasizing the sector's ongoing struggle to balance innovation with security.

New Gold Protocol (NGP), a decentralized finance (DeFi) project operating on the

Chain, became the victim of a major exploit on Wednesday, resulting in a $2 million loss. The incident involved the draining of liquidity from the protocol’s pools, with stolen assets funneled through Tornado Cash, a privacy-focused mixer. This marked one of the latest in a series of high-profile DeFi exploits, highlighting the persistent vulnerabilities within the sector.

According to Blockaid, a Web3 security firm, the breach stemmed from a flaw in NGP’s smart contract, specifically the `getPrice()` function. This function calculated the value of NGP tokens based solely on the reserves in its

V2 pool. The design left the protocol exposed to manipulation, as an attacker could exploit a flash loan to temporarily inflate the reserve while draining NGP tokens. This manipulation tricked the system into displaying a much lower token price than its actual value, allowing the attacker to bypass transaction limits and purchase a large quantity of NGP tokens at a discounted rate.

After the exploit, the attacker swapped the stolen NGP tokens for Ethereum and routed the proceeds through Tornado Cash. This move effectively erased the trail of the stolen funds, making recovery nearly impossible. As a result, NGP’s token price plummeted by 88% within hours. The incident left investors reeling and raised concerns about the project’s transparency and accountability, as NGP has yet to announce any recovery or compensation plan for affected users.

The attack also reinforced long-standing warnings about the risks of relying on a single data source for price feeds in DeFi protocols. Blockaid emphasized that using a single decentralized exchange (DEX) pool for price data creates a significant security vulnerability. Hackers can exploit flash loans to manipulate pool reserves within a single transaction, bypassing standard safeguards. The exploit demonstrated how flash loans continue to be a key tool in sophisticated DeFi attacks, enabling attackers to execute complex manipulations in near real-time.

The incident adds to a growing list of DeFi exploits in 2025, underscoring the need for stronger security practices within the industry. Experts recommend that DeFi projects adopt multi-source price feeds, conduct regular smart contract audits, and implement robust transaction limits to mitigate such risks. The NGP exploit also drew comparisons with the recent $2.6 million hack of the Nemo Protocol on the

network, which similarly involved unaudited code and a public flash loan function. These events highlight the urgent need for improved security standards and more rigorous code validation processes.

In the broader context, the NGP exploit reflects the ongoing challenges faced by the DeFi ecosystem as it seeks to balance innovation with security. While DeFi platforms offer new financial opportunities, they remain vulnerable to attacks that exploit smart contract weaknesses and insufficient due diligence. As investors and developers continue to push the boundaries of blockchain finance, incidents like the NGP exploit serve as a stark reminder of the importance of proactive risk management and transparency.