New Gold Protocol: The Flawed Fee Architecture Exploit (September 2025)
On September 17, 2025, NewGold Protocol (NGP), a DeFi project deployed on the BNB Smart Chain, suffered a catastrophic exploit resulting in the loss of approximately $2 million in user funds. The incident occurred shortly after launch, despite the protocol's branding around "DeFi 3.0" sustainability and its assertion that security was "non-negotiable."
Technical Overview
The NewGold Protocol functioned as an automated market maker (AMM) with a proprietary token (NGP) and a novel fee distribution mechanism. The protocol's core vulnerability stemmed from a dual failure: Oracle Manipulation and Defective Fee Accounting Logic.
Exploit Mechanism: The "Dead Wallet" Bypass & Fee Drain
The attacker orchestrated a sophisticated multi-step attack that exploited both administrative controls and internal accounting.
- Funded Preparation: The attacker acquired initial NGP tokens across multiple EOAs (Externally Owned Accounts), sourcing funds through Tornado Cash to obfuscate tracing.
- Collateral Leverage: The attacker took a massive BTCB flash loan via Moolah (a lending market) and used it as collateral to borrow vUSDT on Venus Protocol.
- The "Dead Wallet" Bypass:
  - The protocol implemented a maxBuyAmountUsdt restriction to prevent large purchases that could manipulate price.
  - However, the protocol maintained a whitelist mechanism for specific addresses, including a "dead wallet" (burn address).
  - The attacker executed swaps from BSC-USD to NGP on PancakeSwap but set the recipient address as the dead wallet.
  - Because the dead wallet was whitelisted, the transaction bypassed the maxBuyAmountUsdt restriction entirely.
- The Flawed Fee Logic Drain:
  - When tokens are sold in NGP, a 35% transaction fee is applied.
  - The Vulnerability: Instead of deducting tokens from the seller's balance and transferring the remainder to the protocol, the contract directly reduced tokens from the liquidity pool's reserves after the swap.
  - Critically, the contract called sync() to update pool reserves after the fee deduction.
  - By combining the manipulated price (from the flash loan) with this "fee-on-reserves" logic, the attacker could drain the entire BSC-USD liquidity with a relatively small initial capital outlay.
- Liquidation & Exit: After depleting the pool, the attacker repaid all borrowed assets (flash loans and Venus debt) and exited with approximately $2 million in profit.
Why This Matters (The Fee-on-Reserves Anti-Pattern)
The NewGold hack illustrates a dangerous architectural anti-pattern that was thought to be obsolete:
- Accounting Integrity: The fee mechanism violated the fundamental accounting principle that fees should be paid by the transacting party, not the liquidity providers.
- Oracle Dependency: Relying exclusively on a single PancakeSwap pool for price feeds without any TWAP or external oracle aggregation made the protocol trivially manipulable via flash loans.
Mitigation Strategies
- Fee Accounting Integrity: Always calculate fees against the transfer amount from the user, not the destination balance or pool reserves. Use established patterns like amountOut = amountIn * (1 - fee) before executing the transfer.
- Multi-Source Oracles: Integrate at least two independent price feeds (for example, Chainlink + Pyth) and revert transactions if they deviate significantly from the internal pool price.
- Whitelist Auditing: Any bypass of global constraints (like maxBuyAmountUsdt) must be strictly governed by a timelocked, multi-sig governance mechanism, not hardcoded addresses.
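
An invariant test for the fee-accounting mitigation above, added here as an example (it is not NGP's contract code or the author's). It models a simplified constant-product pool in Python; the names Pool, sell_fee_from_seller, sell_fee_on_reserves and k_violations, the reserve sizes and the absence of an LP swap fee are assumptions, and only the 35% fee comes from the write-up.

```python
from dataclasses import dataclass

FEE_BPS = 3500  # 35% sell fee, the figure given in the write-up


@dataclass
class Pool:
    """Simplified constant-product pair (assumption: no LP swap fee)."""
    token: int  # token reserve
    quote: int  # quote-asset reserve

    @property
    def k(self) -> int:
        return self.token * self.quote

    def swap_token_in(self, amount_in: int) -> int:
        """Sell amount_in tokens; return the quote paid out (rounded down)."""
        out = self.quote * amount_in // (self.token + amount_in)
        self.token += amount_in
        self.quote -= out
        return out


def sell_fee_from_seller(pool: Pool, amount: int) -> int:
    """Sound pattern: the fee is withheld from the seller's transfer amount."""
    fee = amount * FEE_BPS // 10_000
    return pool.swap_token_in(amount - fee)


def sell_fee_on_reserves(pool: Pool, amount: int) -> int:
    """Anti-pattern: the fee is removed from the pool after the swap."""
    out = pool.swap_token_in(amount)
    fee = amount * FEE_BPS // 10_000
    # Fee tokens leave the pair and sync() adopts the reduced balance as the
    # new reserve; modelled here by lowering the reserve directly.
    pool.token -= fee
    return out


def k_violations(sell, amounts=(1_000, 100_000, 900_000)):
    """Invariant test: no sell may leave the pool with a smaller k."""
    bad = []
    for amount in amounts:
        pool = Pool(token=1_000_000, quote=1_000_000)  # constructed reserves
        k_before = pool.k
        sell(pool, amount)
        if pool.k < k_before:
            bad.append((amount, k_before - pool.k))
    return bad
```

Run against both fee paths, the check passes for the fee-from-seller version and flags every sell size for the fee-on-reserves version, which is the signal that liquidity providers rather than the seller are paying the fee.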
Conclusion
The $2M NewGold Protocol exploit is a reminder that novel fee mechanisms require the same rigorous auditing as novel financial products. The combination of a "dead wallet" bypass and a fee-on-reserves architecture created a deterministic drain that required minimal capital to execute. In 2026, protocols must rigorously test their accounting logic against flash loan scenarios before deployment.