AI-driven, self-described “DeFi 3.0” staking protocol The New Gold Protocol, built “with sustainability at its core,” was hacked hours after launch. The hack took place on Sept. 18, 2025. The hacker exploited two flaws in the design of NGP. The case demonstrates how negligence in protocol design can doom a project from day one.
Summary
- Nearly $2 million in crypto was stolen from the just-launched New Gold Protocol platform through a flash loan attack.
- Stolen funds were sent to Tornado Cash. The hacker has not been identified.
- The team behind the New Gold Protocol remains silent.
- The biggest flash loan attacks resulted in over $100 million in losses.
What is New Gold Protocol?
The New Gold Protocol is a staking protocol built on top of the BNB blockchain and launched on Sept. 18.
One of the problems that The New Gold Protocol aims to solve is the “lack of pricing guidelines.” According to the whitepaper, many DeFi protocols “lack standardized mechanisms for conduct pricing, leading to volatility and dysfunction.”
The “next-generation DeFi 3.0” New Gold Protocol was meant to outperform competitors that do not have intrinsic income and whose governance models are inefficient. The NGP team saw AI optimization as the way to achieve transparency, fairness, and sustainability.
The New Gold Protocol was striving to create an inclusive staking platform with a transparent, automated environment sustained via smart contracts. Because of token burns, NGP promoted its native token as deflationary. It promised real-yield distributions instead of inflationary and speculative incentives. The NGP whitepaper suggested that transparency ensures accountability. However, it turned out that this was not enough.
How was NGP hacked?
The hack took place shortly after the launch of the NGP token. The amount of NGP tokens that could be bought was limited to prevent price-inflation attacks, but the hacker found a way to bypass the limit.
According to analysts from blockchain security firm Hacken, six hours before the attack the hacker accumulated a large amount of assets via flash loans using different accounts. Flash loans are a feature popular on DeFi platforms. They allow borrowing crypto assets quickly without collateral. Borrowed funds may be used for arbitrage trading, stealing funds from a protocol, or price manipulation. As Hacken notes, the damage caused by flash loan attacks may amount to millions of dollars.
The attacker used an oracle-manipulation tactic. The protocol determined the NGP token price by scanning its reserves in the DEX’s liquidity pool, which allowed the attacker to manipulate the price. The attacker began swapping BUSD to NGP on PancakePair, which pumped NGP’s price quickly.
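Why a price read straight from pool reserves is fragile, shown as an added Python example (not code from NGP, Hacken, or PancakeSwap): a constant-product pool where one large swap moves the reserve-ratio price about 100x, while a time-weighted average read in the same block does not move, so a deviation check can reject the spot value. The pool sizes, fee, 30-minute window, and 5% threshold are constructed assumptions.

```python
"""Added illustration: pool sizes, fee and threshold are constructed, not NGP's values."""
from dataclasses import dataclass

@dataclass
class Pool:
    """Constant-product (x*y=k) BUSD/NGP pair with a time-weighted price accumulator."""
    busd: float
    ngp: float
    fee: float = 0.0025        # assumed swap fee
    cumulative: float = 0.0    # running sum of price * seconds
    last_ts: int = 0

    def spot(self) -> float:
        """Reserve-ratio price in BUSD per NGP: what a reserve-scanning oracle reads."""
        return self.busd / self.ngp

    def tick(self, now: int) -> None:
        """Credit the current price for the seconds it has been in effect."""
        self.cumulative += self.spot() * (now - self.last_ts)
        self.last_ts = now

    def buy_ngp(self, busd_in: float, now: int) -> float:
        """Swap BUSD for NGP; the accumulator is updated before reserves move."""
        self.tick(now)
        effective = busd_in * (1 - self.fee)
        ngp_out = self.ngp * effective / (self.busd + effective)
        self.busd += busd_in
        self.ngp -= ngp_out
        return ngp_out

def twap(pool: Pool, start_cum: float, start_ts: int, now: int) -> float:
    """Average price over [start_ts, now] from two accumulator readings."""
    pool.tick(now)
    return (pool.cumulative - start_cum) / (now - start_ts)

def price_is_sane(spot: float, reference: float, max_dev: float = 0.05) -> bool:
    """Defensive check: refuse to price off spot when it strays from the reference."""
    return abs(spot - reference) / reference <= max_dev

def demo():
    pool = Pool(busd=2_000_000.0, ngp=20_000_000.0)  # constructed: 0.10 BUSD per NGP
    start_cum, start_ts = pool.cumulative, pool.last_ts
    before = pool.spot()
    pool.buy_ngp(18_000_000.0, now=1800)             # one large swap after 30 quiet minutes
    after = pool.spot()
    avg = twap(pool, start_cum, start_ts, now=1800)  # read in the same block as the swap
    return before, after, avg, price_is_sane(after, avg)

if __name__ == "__main__":
    print(demo())
```

A swap funded and unwound inside one transaction holds the distorted price for zero seconds, which is why it carries no weight in the averaged reading.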
The New Gold Protocol contained two limits: a buying limit and a cooldown limit for buyers. Both were bypassed because the attacker used the “dEaD” address as the recipient.
The next move was draining nearly all the BUSD tokens from the protocol by selling NGP. It left The New Gold Protocol with almost no funds. The attacker then gained $1.9 million worth of crypto and immediately swapped the funds to BNB-based ETH.
According to the Hacken team, the following actions included depositing stolen funds to Tornado Cash through Ethereum bridged with Across. The action sent the NGP price up while leaving the protocol with only a small amount of funds. Soon, the NGP token price plummeted 88%.
Unfortunately, despite ambitious plans to reshape the DeFi sector and build a sustainable product, The New Gold Protocol neglected its own security and faced severe damage. The company did not comment on the issue. The latest tweet reads “stability meets development.” It was published several hours before the attack and now looks like a bitter joke.
Other flash loan attacks
As soon as flash loans were introduced, flash loan attacks quickly became one of the tactics used by criminals.
The biggest attack took place in March 2023. The hacker managed to steal around $197 million in Wrapped Bitcoin, Wrapped Ethereum, and other assets from the Euler Finance protocol. The hacker exploited an error in the platform’s rate calculation. The funds were sent to an address used earlier by the notorious DPRK hackers, the Lazarus Group. What made this case especially notable is that the hacker voluntarily returned all the funds and apologized.
Other notable examples include the Cream Finance hack ($130 million stolen in 2021) and Polter ($12 million stolen in 2024). A flash loan was part of the scheme used in 2025 to wipe out $223 million in crypto from the Cetus protocol based on Sui.


