AI-driven, self-described “DeFi 3.0” staking protocol The New Gold Protocol, built “with sustainability at its core,” was hacked hours after launch. The hacking took place on Sept. 18, 2025. The hacker exploited two flaws in the design of NGP. The case demonstrates how negligence in protocol design may doom a project from day one.
Summary
- Nearly $2 million in crypto was stolen from the just-launched New Gold Protocol platform via a flash loan attack.
- Stolen money was sent to Tornado Cash. The hacker is not identified.
- The team behind the New Gold Protocol keeps silent.
- The biggest flash loan attacks resulted in over $100 million in losses.
What is New Gold Protocol?
The New Gold Protocol is a staking protocol built on top of the BNB blockchain and launched on Sept. 18.
One of the problems that The New Gold Protocol aimns to solve is the “lack of pricing rules.” According to the whitepaper, many DeFi protocols “lack standardized mechanisms for behavior pricing, resulting in volatility and disorder.”
The “next-generation DeFi 3.0” New Gold Protocol was meant to outperform competitors that do not have intrinsic earnings and whose governance models are inefficient. The NGP team saw the way to achieve transparency, fairness, and sustainability through AI optimization.
The New Gold Protocol was striving to create an inclusive staking platform with a transparent, automated environment sustained via smart contracts. Due to token burns, NGP promoted its native token as deflationary. It promised real-yield distributions instead of inflationary and speculative incentives. The NGP whitepaper suggested that transparency ensures accountability. However, it turned out that this was not enough.
How was NGP hacked?
The hacking took place shortly after the launch of the NGP token. The amount of NGP tokens that could be bought was limited to prevent price-inflation attacks, but the hacker found a way to bypass it.
According to analysts from blockchain security company Hacken, six hours before the attack the hacker accumulated a high number of assets via flash loans using different accounts. Flash loans are a feature popular on DeFi platforms. They allow borrowing crypto assets quickly without collateral. Borrowed funds may be used for arbitrage trading, stealing funds from a protocol, or price manipulation. As Hacken notes, the damage caused through flash loan attacks may amount to millions of dollars.
The attacker used an oracle-manipulation tactic. The protocol determined the NGP token price by scanning its reserves in the DEX’s liquidity pool, which allowed the attacker to manipulate the price. The attacker began swapping BUSD to NGP on PancakePair, which pumped NGP’s price quickly.
The New Gold Protocol contained two limits: a buying limit and a cooldown limit for buyers. Both were bypassed as the attacker used the “dEaD” address as the recipient.
The next move was draining nearly all the BUSD tokens from the protocol via selling NGP. It left The New Gold Protocol with almost no funds. The attacker then gained $1.9 million worth of crypto and immediately swapped the funds to BNB-based ETH.
According to the Hacken team, the following actions included depositing stolen funds to Tornado Cash through Ethereum bridged with Across. The action sent the NGP price up while leaving the protocol with only a small amount of funds. Soon, the NGP token price plummeted 88%.
Unfortunately, despite ambitious plans to reshape the DeFi sector and build a sustainable product, The New Gold Protocol neglected its own security and faced severe damage. The company did not comment on the issue. The latest tweet reads “stability meets growth.” It was published several hours before the attack and now looks like a bitter joke.
Other flash loan attacks
As soon as flash loans were introduced, flash loan attacks quickly became one of the tactics used by criminals.
The biggest attack took place in March 2023. The hacker managed to steal around $197 million in Wrapped Bitcoin, Wrapped Ethereum, and other assets from the Euler Finance protocol. The hacker was using an error in the platform’s calculation rate. The funds were sent to an address used earlier by the notorious DPRK hackers, the Lazarus Group. What made this case especially notable is that the hacker voluntarily returned all the funds and apologized.
Other notable examples include the Cream Finance hack ($130 million stolen in 2021) and Polter ($12 million stolen in 2024). A flash loan was part of the scheme used in 2025 to wipe out $223 million in crypto from the Cetus protocol based on Sui.
