BNB Chain’s New Gold Protocol Suffers $2M Hack on Launch Day
The New Gold Protocol, an AI-driven staking platform branded as “DeFi 3.0,” was hacked just hours after its launch on September 18, 2025. The hacker took advantage of two critical design flaws in the protocol, showing how costly negligence in protocol development can be from the outset.
Summary
- Approximately $2 million in cryptocurrency was stolen from the newly launched New Gold Protocol via a flash loan attack.
- The stolen funds were transferred to Tornado Cash, and the hacker remains unidentified.
- The New Gold Protocol team has yet to release a statement.
- Major flash loan attacks have previously resulted in losses exceeding $100 million.
What is the New Gold Protocol?
The New Gold Protocol is a staking solution built on the BNB blockchain, officially launched on September 18.
One of the issues it aims to tackle is the “lack of pricing rules,” as cited in its whitepaper, which claims that many DeFi protocols “lack standardized mechanisms for behavior pricing, leading to volatility and chaos.”
This “next-generation DeFi 3.0” platform sought to outshine competitors that lack intrinsic earnings and rely on inefficient governance models. The NGP team believed that they could achieve principles of transparency, fairness, and sustainability through AI optimization.
The New Gold Protocol aspired to establish an inclusive staking platform within a transparent, automated framework supported by smart contracts. Through token burns, NGP promoted its native token as a deflationary asset, offering genuine yield distributions rather than merely inflationary or speculative incentives. Despite asserting that transparency would ensure accountability, it became evident that these measures were insufficient.
How was NGP hacked?
The attack occurred shortly after the NGP token was launched. To prevent price-inflation attacks, the number of NGP tokens available for purchase was capped, but the hacker found a way to circumvent this limitation.
According to analysts from the blockchain security firm Hacken, the hacker amassed a large amount of assets via flash loans in various accounts just six hours prior to the attack. Flash loans, a popular feature in DeFi platforms, allow for instant, collateral-free borrowing of crypto assets. These borrowed funds may be utilized for arbitrage trading, stealing from protocols, or manipulating prices. Hacken emphasizes that the damage from flash loan attacks can total millions of dollars.
The attacker employed an oracle manipulation strategy. The protocol determined the NGP token price by examining its reserves within the DEX’s liquidity pool, which allowed the hacker to manipulate that price. The attacker initiated swaps from BUSD to NGP on PancakePair, causing a rapid increase in NGP’s price.
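To show why a price read directly from pool reserves is fragile, and how a time-weighted average with a deviation check blunts the effect, here is a small simulation added for this article (it is not code from the New Gold Protocol or from Hacken). The reserve figures, the 0.25% fee, the 3-second block and the 5% threshold are all constructed assumptions.

```python
from dataclasses import dataclass

FEE = 0.0025  # assumed swap fee for a constant-product pair


@dataclass(frozen=True)
class Pool:
    busd: float  # quote-asset reserve
    ngp: float   # token reserve

    def spot_price(self) -> float:
        """Price read straight from reserves: what a reserve-based oracle sees."""
        return self.busd / self.ngp

    def buy_ngp(self, busd_in: float) -> "Pool":
        """Constant-product swap BUSD -> NGP (x * y = k, fee taken on input)."""
        effective = busd_in * (1 - FEE)
        ngp_out = self.ngp * effective / (self.busd + effective)
        return Pool(self.busd + busd_in, self.ngp - ngp_out)


def twap(observations):
    """Time-weighted average over (price, seconds_held) pairs."""
    total = sum(seconds for _, seconds in observations)
    return sum(price * seconds for price, seconds in observations) / total


def checked_price(spot, reference, max_deviation=0.05):
    """Return the reference price, refusing to quote if spot has diverged from it."""
    if abs(spot - reference) / reference > max_deviation:
        raise ValueError("spot price deviates from TWAP; refusing to price")
    return reference


def demo():
    pool = Pool(busd=1_000_000.0, ngp=10_000_000.0)  # constructed reserves
    before = pool.spot_price()
    after = pool.buy_ngp(9_000_000.0).spot_price()   # one large swap
    # 30-minute window: 1797 s at the old price, 3 s (one assumed block) skewed
    window = twap([(before, 1797), (after, 3)])
    return before, after, window


if __name__ == "__main__":
    before, after, window = demo()
    print(f"spot before {before:.4f}, spot after {after:.4f}, TWAP {window:.4f}")
```

A single swap moves the spot price by roughly two orders of magnitude, while the 30-minute average moves by well under a quarter, and the deviation check refuses to price at all until spot and average agree again.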
NGP had two key limits: a buying cap and a cooldown period for buyers. However, these were circumvented as the attacker used a “dEaD” address for the transaction.
The attacker then proceeded to drain nearly all BUSD tokens from the protocol by selling NGP, leaving The New Gold Protocol with almost no resources. Ultimately, the attacker acquired $1.9 million worth of crypto and swiftly converted it to BNB-based ETH.
Following this, according to the Hacken team, the stolen funds were moved through an Ethereum bridge and deposited into Tornado Cash. The attack caused a spike in NGP’s price while leaving the protocol with only minimal remaining funds. Soon after, the NGP token price plummeted by 88%.
Despite its ambitious vision of transforming the DeFi landscape and developing a sustainable solution, The New Gold Protocol neglected its security protocols and suffered extensive damage. The company has not issued any comments regarding the incident. Their latest tweet, stating “stability meets growth,” was published just hours before the attack and now appears to be a cruel irony.
Other flash loan attacks
Flash loan attacks swiftly emerged as a tactic among criminals following the introduction of flash loans.
The most significant attack occurred in March 2023, when a hacker stole approximately $197 million in Wrapped Bitcoin, Wrapped Ethereum, and other assets from the Euler Finance protocol, exploiting an error in the platform’s calculation rate. Interestingly, the hacker later returned all the stolen funds and issued an apology.
Other noteworthy incidents include the Cream Finance hack, which resulted in $130 million stolen in 2021, and the Polter hack in 2024, which saw thefts of $12 million. Additionally, a flash loan scheme was involved in the 2025 attack that extracted $223 million in crypto from the Cetus protocol based on Sui.