TLDR
- NGP token lost $2M due to a price oracle manipulation attack using flash loans.
- Flash loan attack manipulated the Uniswap V2 pool to exploit NGP token pricing.
- Stolen funds from the NGP exploit moved through Tornado Cash after being drained.
- NGP token’s value dropped 88% following the $2M exploit targeting the liquidity pool.
A significant exploit hit the New Gold Protocol (NGP) on the Binance Smart Chain (BSC). The attack, first detected by Blockaid, drained approximately $2 million from the NGP token liquidity pool. The funds were stolen through a price oracle manipulation attack, which took advantage of vulnerabilities in the smart contract and the token’s price feed.
According to Blockaid, the attack began with the manipulation of the NGP smart contract’s getPrice() function. This function relies on the current reserves of a Uniswap V2 pair to determine the price of the token. However, the attackers exploited this by executing a flash loan, which allowed them to manipulate the reserves within a single transaction. The end result was a massive increase in the USDT reserves, coupled with a significant decrease in the NGP token reserves, causing the price feed to show an artificially low value.
Mechanics Behind the New Gold Protocol (NGP) Attack
The exploit was carried out using a series of precise steps. The attacker began by taking out a large flash loan, which provided a substantial amount of tokens. They then used this loan to manipulate the liquidity pool of NGP on the Uniswap V2 pair. By swapping the tokens, the attacker inflated the USDT reserve and depleted the NGP token reserve.
This manipulation lowered the calculated price of the NGP token, allowing the attacker to bypass the protocol’s transaction limit.
Blockaid explained that the price manipulation created an opportunity to buy large quantities of NGP tokens at an artificially low price. After securing the tokens, the attacker reversed the swap, repaid the flash loan, and kept the difference as profit.
Funds Moved Through Tornado Cash
Following the exploit, the stolen funds were moved through Tornado Cash, a crypto mixer often used to anonymize transactions. PeckShield, another security firm, confirmed that the stolen funds had been deposited into Tornado Cash. This is a common method for laundering illicit funds in the crypto space. The use of Tornado Cash adds a layer of complexity to tracking the stolen funds, making it more challenging for authorities to trace the money.
Following the attack, the price of the NGP token saw a sharp decline. According to PeckShield, the token’s value dropped by 88% as a result of the exploit. This dramatic price drop has significantly impacted the token’s market performance and raised questions about the security measures in place for DeFi protocols on the Binance Smart Chain.
Vulnerability Due to Price Oracle Manipulation
The core vulnerability that led to the NGP token exploit lies in the reliance on a single DEX pool for price calculation. Blockaid emphasized that using a spot price from a single decentralized exchange (DEX) pool can be insecure. Attackers can easily manipulate these pools with flash loans, as seen in this case.
The manipulation of the price oracle was particularly dangerous, as it directly impacted the protocol’s transaction checks, enabling the attacker to bypass the maximum buy limit.
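To make the weakness concrete, the following added example (not code from Blockaid or the NGP contract) models a constant-product pair and compares a spot reading of the reserves with a time-weighted average taken from a Uniswap V2 style cumulative accumulator. The time-weighted average is a mitigation chosen for this illustration and is not named in the article. The reserve sizes, the swap amount, the 30-minute window, the 5% threshold and all function names are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Pair:
    """Constructed constant-product USDT/NGP pair modelled on Uniswap V2."""
    usdt: float
    ngp: float
    last_ts: int = 0
    cumulative: float = 0.0  # running sum of ratio * seconds, like V2's price accumulator

    def reserve_ratio(self) -> float:
        # Spot reading from live reserves; getPrice()'s exact orientation is not on the page.
        return self.usdt / self.ngp

    def swap_usdt_for_ngp(self, usdt_in: float, now: int) -> float:
        # Accrue with the ratio that held BEFORE this trade, as V2 does in _update().
        self.cumulative += self.reserve_ratio() * (now - self.last_ts)
        self.last_ts = now
        effective = usdt_in * 0.997  # 0.3% swap fee
        ngp_out = self.ngp * effective / (self.usdt + effective)
        self.usdt += usdt_in
        self.ngp -= ngp_out
        return ngp_out


def twap(pair: Pair, snap_cum: float, snap_ts: int, now: int) -> float:
    """Average ratio since a stored snapshot (snap_cum, snap_ts)."""
    current = pair.cumulative + pair.reserve_ratio() * (now - pair.last_ts)
    return (current - snap_cum) / (now - snap_ts)


def spot_is_trustworthy(pair, snap_cum, snap_ts, now, max_deviation=0.05) -> bool:
    """Guard: refuse to price off spot when it strays too far from the TWAP."""
    reference = twap(pair, snap_cum, snap_ts, now)
    return abs(pair.reserve_ratio() - reference) / reference <= max_deviation


def simulate(swap_usdt: float = 9_000_000.0):
    pair = Pair(usdt=1_000_000.0, ngp=1_000_000.0)  # constructed reserves
    snap_cum, snap_ts, now = pair.cumulative, 0, 1800  # snapshot taken 30 min earlier
    ok_before = spot_is_trustworthy(pair, snap_cum, snap_ts, now)
    pair.swap_usdt_for_ngp(swap_usdt, now)  # one large same-block swap
    return {
        "ok_before": ok_before,
        "spot_after": pair.reserve_ratio(),
        "twap_after": twap(pair, snap_cum, snap_ts, now),
        "ok_after": spot_is_trustworthy(pair, snap_cum, snap_ts, now),
    }


if __name__ == "__main__":
    print(simulate())
```

In this model the single swap moves the spot ratio by roughly two orders of magnitude while the time-weighted reading stays at 1.0, because the accumulator only advances with elapsed time and the swap occupies none.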
In response to the exploit, the Blockaid team is actively monitoring the situation and has issued warnings to other DeFi protocols about similar vulnerabilities. As decentralized finance protocols continue to grow in popularity, such security risks are becoming increasingly common. This exploit underscores the need for enhanced smart contract audits and more secure price feeds to safeguard against such attacks in the future.