AI-driven, self-described “DeFi 3.0” staking protocol The New Gold Protocol, constructed “with sustainability at its core,” was hacked hours after launch. The hacking happened on Sept. 18, 2025. The hacker exploited two flaws within the design of NGP. The case demonstrates how negligence in protocol design might doom a mission from day one.
Abstract
- Practically $2 million in crypto was stolen from the just-launched New Gold Protocol platform by way of a flash mortgage assault.
- Stolen cash was despatched to Twister Money. The hacker isn’t recognized.
- The group behind the New Gold Protocol retains silent.
- The largest flash mortgage assaults resulted in over $100 million in losses.
What’s New Gold Protocol?
The New Gold Protocol is a staking protocol constructed on high of the BNB blockchain and launched on Sept. 18.
One of many issues that The New Gold Protocol aimns to resolve is the “lack of pricing guidelines.” In line with the whitepaper, many DeFi protocols “lack standardized mechanisms for conduct pricing, leading to volatility and dysfunction.”
The “next-generation DeFi 3.0” New Gold Protocol was meant to outperform rivals that shouldn’t have intrinsic earnings and whose governance fashions are inefficient. The NGP group noticed the way in which to realize transparency, equity, and sustainability via AI optimization.
The New Gold Protocol was striving to create an inclusive staking platform with a clear, automated atmosphere sustained by way of sensible contracts. As a consequence of token burns, NGP promoted its native token as deflationary. It promised real-yield distributions as a substitute of inflationary and speculative incentives. The NGP whitepaper advised that transparency ensures accountability. Nonetheless, it turned out that this was not sufficient.
How was NGP hacked?
The hacking happened shortly after the launch of the NGP token. The quantity of NGP tokens that might be purchased was restricted to forestall price-inflation assaults, however the hacker discovered a option to bypass it.
In line with analysts from blockchain safety firm Hacken, six hours earlier than the assault the hacker accrued a excessive variety of belongings by way of flash loans utilizing completely different accounts. Flash loans are a characteristic standard on DeFi platforms. They permit borrowing crypto belongings rapidly with out collateral. Borrowed funds could also be used for arbitrage buying and selling, stealing funds from a protocol, or value manipulation. As Hacken notes, the injury brought on via flash mortgage assaults might quantity to hundreds of thousands of {dollars}.
The attacker used an oracle-manipulation tactic. The protocol decided the NGP token value by scanning its reserves within the DEX’s liquidity pool, which allowed the attacker to govern the worth. The attacker started swapping BUSD to NGP on PancakePair, which pumped NGP’s value rapidly.
The New Gold Protocol contained two limits: a shopping for restrict and a cooldown restrict for patrons. Each have been bypassed because the attacker used the “dEaD” tackle because the recipient.
The subsequent transfer was draining almost all of the BUSD tokens from the protocol by way of promoting NGP. It left The New Gold Protocol with virtually no funds. The attacker then gained $1.9 million price of crypto and instantly swapped the funds to BNB-based ETH.
In line with the Hacken group, the next actions included depositing stolen funds to Twister Money via Ethereum bridged with Throughout. The motion despatched the NGP value up whereas leaving the protocol with solely a small quantity of funds. Quickly, the NGP token value plummeted 88%.
Sadly, regardless of formidable plans to reshape the DeFi sector and construct a sustainable product, The New Gold Protocol uncared for its personal safety and confronted extreme injury. The corporate didn’t touch upon the difficulty. The newest tweet reads “stability meets development.” It was revealed a number of hours earlier than the assault and now seems to be like a bitter joke.
https://twitter.com/newgoldprotocol/standing/1968495188680094011
Different flash mortgage assaults
As quickly as flash loans have been launched, flash mortgage assaults rapidly grew to become one of many ways utilized by criminals.
The largest assault happened in March 2023. The hacker managed to steal round $197 million in Wrapped Bitcoin, Wrapped Ethereum, and different belongings from the Euler Finance protocol. The hacker was utilizing an error within the platform’s calculation charge. The funds have been despatched to an tackle used earlier by the infamous DPRK hackers, the Lazarus Group. What made this case particularly notable is that the hacker voluntarily returned all of the funds and apologized.
Different notable examples embrace the Cream Finance hack ($130 million stolen in 2021) and Polter ($12 million stolen in 2024). A flash mortgage was a part of the scheme utilized in 2025 to wipe out $223 million in crypto from the Cetus protocol primarily based on Sui.
