New Gold Protocol (NGP): Flash loan + spot price oracle manipulation + broken transfer logic (dead address bypass of buy limits)
New Gold Protocol launched on BSC with no audit and two elementary vulnerabilities — a spot price oracle and broken transfer logic — that let an attacker drain $2M within days of launch while the team went radio silent.
Summary #
New Gold Protocol (NGP) suffered a Token / Stablecoin (unspecified DeFi + RWA narrative) on 2025-09-17, resulting in a loss of approximately $2M.
What happened #
New Gold Protocol launched on BSC with no audit and two elementary vulnerabilities — a spot price oracle and broken transfer logic — that let an attacker drain $2M within days of launch while the team went radio silent.
Linked factors #
- RD-F-004 — causal : Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited — two independent elementary vulnerabilities]
- RD-F-006 — causal : Audit-deploy gap (RD-F-006 time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — all code freshly deployed] || Audit-deploy gap — alternate field name [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — all code freshly deployed]
- RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: None]
- RD-F-099 — illustrative : Oracle price deviation > X% from secondary source — RT signal would have fired [via realtime_signals/Oracle anomaly: Y — PancakeSwap pool reserves manipulated to produce false price]
- RD-F-111 — causal : Team doxx status — pseudonymous-no-track-record class [via dashboard_risk_factors/Team anonymity: Anonymous — radio silent after hack; no verifiable team]
- RD-F-146 — related : New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — all code freshly deployed]