A new DeFi staking protocol, “built with sustainability,” was exploited just a few hours after its launch. The protocol on the BNB chain had two flaws, which the hacker exploited to steal almost $2 million.
The New Gold Protocol (NGP), which was built on Binance Exchange’s blockchain, BNB, came under attack just a few hours after launch. The protocol was built to solve volatility and sudden price swings, as protocols in general “lack standardized mechanisms for behavior pricing, resulting in volatility and disorder,” according to the whitepaper.
The NGP protocol was built to outperform its competitors with inefficient governance models, with the use of AI optimization. “The New Gold Protocol is conceived as a next-generation DeFi 3.0 protocol, designed to build a fair, transparent, and sustainable financial system.”
How the exploit happened
Web3 security firm Blockaid stated that the hacker exploited the price oracle and manipulated the prices. In particular, the attacker focused on targeting the NGP smart contract’s getPrice() function, which calculates the token price by directly referencing the current reserves of the Uniswap V2 pair, as “A spot price from a single DEX pool is insecure because an attacker can easily and dramatically manipulate the pool’s reserves within a single atomic transaction using a flash loan,” Blockaid said.
Before the attack, the hacker bought many tokens through flash loan– a type of DeFi loan where a borrower can get a loan without collateral, using a different account. Once obtained, the cryptocurrencies could be used for arbitrage and trading.
The bad actor started swapping the borrowed BUSD to NGP on PancakePair, which resulted in NGP demand surging and the price of NGP being pumped. Once the NGP token’s value was high, the hacker sold the NGP token, which eventually drained the BUSD in the protocol.
Hacker exploits two flaws
Despite the protocol having a ‘buying limit’ and a ‘cool down limit’, both of which are placed to keep the price volatility to a minimum, the hacker found a way around. Both these limits were bypassed as the hacker used the “dEaD” as the recipient, which is generally used by projects for token burning. With this in the address, the attacker cheated the system into thinking it was a token burn rather than a price manipulation attempt.
