Key Notes The attacker stole ~$2 million worth of ETH from the New Gold Protocol on Sept.18. The exploit involved a flash loan that successfully manipulated the price oracle enabling the attacker to bypass security checks in the smart contract. The NGP token is down 88% as the attacker obfuscates their funds through Tornado Cash. New Gold Protocol, a DeFi staking project, lost around 443.8 Ethereum ETH $4 599 24h volatility: 2.2% Market cap: $555.19 B Vol. 24h: $42.83 B , valued at $2 million, in an exploit on Sept 18. The attack caused the project's native NGP token to crash by 88%, wiping out most of its market value in less than an hour. The incident was flagged by multiple blockchain security firms, including PeckShield and Blockaid. Both firms confirmed the amount stolen and tracked the movement of the funds. Blockaid's analysis identified the specific vulnerability that the attacker used. 🚨 Community Alert: Blockaid's exploit detection system identified multiple malicious transactions targeting the NGP token on BSC. Roughly $2M has been drained. ↓ We're monitoring in real time and will share updates below pic.twitter.com/efxXma0REQ — Blockaid (@blockaid_) September 17, 2025 Flash Loan Attack Manipulated Price Oracle According to the Blockaid report, the hack was a price oracle manipulation attack. The protocol's smart contract had a critical flaw; it determined the NGP token's price by looking at the asset reserves in a single Uniswap liquidity pool. This method is insecure because a single pool's price can be easily manipulated. The attacker used a flash loan to borrow a large amount of assets. A flash loan consists of a series of transactions that borrow and return a loan within the same transaction.