Around the Block #3: Analysis of the bZx Attack, DeFi Vulnerabilities, and the State of Crypto Debit Cards

2026-01-08 19:50:42
Blockchain
DAO
DeFi
Stablecoin
In-depth analysis of the bZx flash loan attack and its impact on DeFi. Discover how the exploit unfolded, the security weaknesses in decentralized protocols, and the critical lessons for safeguarding the crypto ecosystem against similar threats.
Analysis of the bZx Attack and DeFi Vulnerabilities

DeFi (Decentralized Finance) is transforming how financial tools are delivered online, making them accessible, programmable, and practical for everyone. Just as the internet enabled anyone to create, share, and program information, DeFi brings that same openness to money and finance.

DeFi products are fundamentally trustless—users don’t need to rely on intermediaries. They are global, transparent (anyone can review the code), and immutable (changes are only possible if programmed). DeFi’s composability means products can be stacked and integrated, similar to how Lego blocks combine to build something greater than the sum of their parts.

Setting the Context

This is a new environment where anyone can program financial applications. The result is a powerful, liquid network of financial tools—a fertile landscape for innovation and utility. DeFi, for example, introduced the Flash Loan—a risk-free, instant loan where anyone can borrow millions of dollars within a single transaction. If the loan isn’t repaid by the end of the transaction, the entire transaction is reverted. No capital is ever at risk, and users can deploy large amounts for any purpose.

What Happened in the bZx Attacks?

bZx (also known as Fulcrum) is a DeFi platform for tokenized lending, borrowing, and margin trading. Anyone can add capital to the bZx pool and borrow against it, or take leveraged long or short positions on other assets. The platform integrates with other DeFi protocols to offer complete services, leveraging DeFi’s composability.

The attack centered on a single, sophisticated transaction that borrowed millions of dollars using a flash loan and routed these funds through several DeFi protocols to manipulate and exploit bZx’s collateral pool. Here’s how it unfolded:

  1. The attacker borrowed $10 million in ETH through a flash loan from a decentralized lending protocol (Component #1), with no collateral posted.

  2. They used $5 million in ETH to open a 5x short position on the ETH-wBTC order book on bZx (Component #2). bZx forwarded the order to a liquidity aggregator (Component #3), which sourced the best rate and completed the trade on a decentralized exchange (Component #4). This caused significant slippage, driving the wBTC price up threefold.

  3. The attacker sent the remaining $5 million in ETH to another lending protocol (Component #5) and borrowed wBTC against the ETH collateral.

  4. They sold the borrowed wBTC at the inflated price on the decentralized exchange.

  5. Using profits from step 4 and proceeds from step 2, the attacker repaid the flash loan in full, successfully completing the transaction.

This strategy generated a direct gain of 71 ETH, plus an active loan on another protocol worth 1,200 ETH, totaling a net profit of 1,271 ETH (valued at $355,000 at the time). The transaction also left bZx with a deeply underwater loan, which accounts for the “loss.”

The attack hinged on the ability to take a large, 5x leveraged short position on a thinly traded order book that was highly susceptible to slippage. bZx was supposed to have safeguards, but the attacker exploited a bug to bypass these checks. This flaw exposed the bZx collateral pool to severe losses, while all other components worked as intended and incurred no losses.

Consequences and the Second Attack

Immediately after the attack, the bZx team used super-admin keys to pause trading and lending, correcting the root bug. As the community debated the exploit and operations resumed, a second attack occurred using a similar technique.

This second attack mirrored the first but didn’t require bypassing slippage rules. Instead, a flash loan was used to inflate the price of Synthetix USD on a decentralized exchange to $2 (from $1). The attacker then deposited sUSD into bZx as collateral at the inflated price, borrowing more ETH than allowed. The attacker fled with the borrowed funds, leaving the bZx loan underwater, and netted 2,378 ETH (after repaying the flash loan), valued at $630,000 at the time.

This was more like an oracle attack, where a trusted value is manipulated. In this case, the flash loan artificially raised the ETH-sUSD spot price on the decentralized exchange (the oracle), which bZx used to assess collateral value for loans.
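Why a thin pool's spot price cannot serve as a collateral oracle, and what the slippage and price-deviation guards mentioned above need to check, as an added example that is not code from the article or from bZx: a toy constant-product pool in Python. The reserves, the time-weighted reference price and the 5% deviation threshold are all assumed sample values.

```python
from dataclasses import dataclass


@dataclass
class Pool:
    """Toy constant-product (x*y=k) pool, constructed for this illustration.
    reserve_a: units of the collateral token (think sUSD); reserve_b: units of ETH."""
    reserve_a: float
    reserve_b: float

    def spot_price(self) -> float:
        """ETH per unit of A, i.e. the value a naive spot-price oracle would report."""
        return self.reserve_b / self.reserve_a

    def swap_b_for_a(self, amount_b: float) -> float:
        """Pay amount_b ETH into the pool and receive A; the price moves with the trade."""
        k = self.reserve_a * self.reserve_b
        new_b = self.reserve_b + amount_b
        new_a = k / new_b
        received = self.reserve_a - new_a
        self.reserve_a, self.reserve_b = new_a, new_b
        return received


def price_impact(pool: Pool, amount_b: float) -> float:
    """Fractional spot-price change a trade of amount_b would cause (pool is not mutated).
    The thinner the pool relative to the trade, the larger this number."""
    trial = Pool(pool.reserve_a, pool.reserve_b)
    before = trial.spot_price()
    trial.swap_b_for_a(amount_b)
    return trial.spot_price() / before - 1.0


def safe_collateral_value(amount: float, spot: float, reference: float,
                          max_deviation: float = 0.05) -> tuple[float, bool]:
    """Value `amount` of collateral in ETH. `reference` is a manipulation-resistant
    price such as a time-weighted average (assumed to be supplied by the caller).
    If spot has drifted more than max_deviation from it, flag the reading and
    fall back to the lower of the two prices instead of trusting the spot quote."""
    drift = abs(spot - reference) / reference
    if drift > max_deviation:
        return amount * min(spot, reference), True
    return amount * spot, False


if __name__ == "__main__":
    pool = Pool(reserve_a=10_000.0, reserve_b=40.0)      # 1 A = 0.004 ETH before the trade
    reference = pool.spot_price()                        # stand-in for a TWAP reading
    print(f"impact of a 20 ETH buy: {price_impact(pool, 20.0):+.0%}")  # +125%
    bought = pool.swap_b_for_a(20.0)                     # ~3333 A acquired for 20 ETH
    naive = bought * pool.spot_price()                   # 30 ETH: more than was paid in
    guarded, flagged = safe_collateral_value(bought, pool.spot_price(), reference)
    print(f"naive valuation {naive:.2f} ETH, guarded {guarded:.2f} ETH, flagged={flagged}")
```

Run as a script: the 20 ETH trade moves the spot price by 125%, the naive valuation credits 30 ETH for collateral that cost 20 ETH, and the guarded valuation falls back to the reference price and credits about 13.3 ETH.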

How Should We Think About Security in DeFi?

DeFi enables powerful new financial products, woven together in complex ways. These attacks serve as a stark reminder: programmable finance can and will have bugs, especially as innovation pushes the limits. Today, flash loans combined with a web of composable DeFi protocols have created a new category of vulnerabilities.

Historically, discovery of a new exploit class triggers a wave of copycat attacks. The entire ecosystem takes note, and countless eyes search for similar flaws. We should expect more oracle-style, flash loan attacks. This is how DeFi grows more resilient over time.

For example, after the DAO hack exposed reentrancy vulnerabilities, the community quickly learned to prevent them. Now, reentrancy attacks are virtually gone. Ultimately, this is evolutionary fitness: vulnerabilities are found, patched, and the space strengthens with each cycle.

DeFi won’t ever be perfectly secure, but we can build a more robust ecosystem through Defense in Depth—multiple layers of redundancy for greater security. Consumer protection and/or insurance must also keep pace. Notably, a DeFi insurance product made its first payout after the bZx attacks—an encouraging milestone.

What About Decentralization in DeFi?

The bZx team used super-admin keys to halt lending and trading, highlighting a single point of control. While this was necessary to stop further draining of the collateral pool, it introduces new risk—what if the keys are misused or compromised? Removing unilateral control is central to crypto's ethos. How should we approach this?

Decentralization exists on a spectrum, and teams should follow a progressive roadmap. For new DeFi services, full decentralization from day one is unrealistic—it creates existential risk if exploits are found and immediate action isn’t possible. Instead, protocols should gradually decentralize, but only after demonstrating a solid security track record.

Key Takeaways

DeFi is pushing boundaries and paving the way for products that define programmable finance. The pace is exciting, but exploits show just how disruptive innovation can be. We must remain holistic—more attacks will happen, but this is part of DeFi’s evolutionary journey. Ultimately, we’re likely to see a stronger ecosystem with robust consumer protections emerge.

The State of Crypto Debit Cards

“Spending” has always been a crucial driver of crypto utility, ever since Satoshi introduced the Bitcoin whitepaper. Crypto investors have long sought ways to spend their assets—even just buying coffee at a local café. Crypto debit cards fill this gap; functionally similar to traditional cards, they draw from a crypto balance instead of a bank account.

History

Debit card offerings began with several attempts, including an initial card on a major platform, launched in an earlier era. This first-of-its-kind card let customers spend Bitcoin anywhere Visa was accepted. The catch: it wasn’t white-label, but issued via a payment processor.

BitPay, Bitwala, Wirex, and Coinsbank entered next. During the height of the ICO boom, companies like TenX, Token Card (now Monolith), and Monaco (now crypto.com) joined the race. TenX raised $80 million in just 7 minutes via ICO; Token Card and Monaco raised $12.7 million and $27 million, respectively, reflecting excitement around crypto debit cards. These companies mainly competed on lower fees, improved UX, and rewards.

The challenge? At the time, few payment processors were willing to issue crypto debit cards: one processor handled a specific card, and another handled most of the rest. Adoption was also a hurdle. One card saw limited traction because users preferred to hold Bitcoin (given its volatility and perceived investment value) rather than spend it. Today, with a more mature ecosystem and the rise of stablecoins, a more holistic debit card solution is poised for broader adoption.

In recent years, one processor pivoted and rebranded and is now working to launch a new UK-focused card. Most of the other cards ended earlier, when Visa dropped their processor for “non-compliance with [their] operating rules,” shutting those cards down.

Looking ahead, crypto debit cards are likely to gain momentum again, especially with yield-bearing stablecoins like USDC on certain platforms. A major platform recently achieved Principal Member status with Visa, a historic step enabling direct EU card issuance without a sponsor bank.

Featured News: Commentary on Notable Developments

Ethereum’s Controversial Upgrade Ignites Community Debate

Ethereum recently faced heated governance debates over a proposed mining update: ProgPow (Progressive Proof of Work). The goal is to enable consumer-grade hardware to mine Ethereum by reducing the advantage of ASIC miners (specialized, high-power devices dominating mining today).

Implementing ProgPow would make mining more accessible, potentially increasing decentralization and returning to Ethereum’s original ASIC-resistant vision.

The controversy? ProgPow would reduce the network’s overall compute power (since GPUs are less powerful than ASICs), making Ethereum more susceptible to 51% attacks. No mining algorithm is fully ASIC-resistant; eventually, specialized ASICs would target ProgPow, too. Many argue ASICs are necessary for securing PoW networks—no ASIC-based chain has suffered a 51% attack.

Any contentious fork must be handled thoughtfully. The stakes are much higher now, especially with DeFi assets like USDC and USDT on Ethereum, which could undermine the network’s ability to execute divisive forks.

Despite its long history, ProgPow was recently accepted and scheduled for inclusion. However, community backlash led to the proposal being shelved again.

Tron Accused of a “Hostile Takeover” of the Steem Blockchain

Steemit—the social news platform similar to Reddit—announced a partnership to migrate its platform to the Tron blockchain. The Steem community grew concerned that the Tron Foundation gained too much governance power and immediately implemented a soft fork disabling Tron’s voting rights.

Tron responded by working with major exchanges, including a leading one, to coordinate a hard fork that restored its governance rights and froze the tokens of Steem community members participating in governance. The Steem community viewed this as a hostile takeover attempt.

Steem is a Delegated Proof of Stake protocol, so major exchange deposits were crucial for Tron to secure the necessary votes. The head of a major exchange admitted to approving Tron’s hard fork but claimed ignorance of the controversy, later reprimanding Tron for bad faith actions.

This highlights the complexity of blockchain governance. In dPOS chains, majority rules—Tron simply played by the system’s rules. But the ultimate value lies with users, who hold the economic power. Steem’s community is fighting back by disabling apps, resigning from the foundation, and supporting favored validators.

The role of exchanges and custodians in blockchain governance is growing. With most assets under their control, they wield significant political power. As the industry matures, expect centralized platforms to roll out governance tools.

Featured News Takeaways

Blockchains are transformative technologies—but at their core, they’re massive computer science experiments involving everyone. No one owns these networks; they’re held by the collective community. These moments are crucial tests for blockchain governance. Both Ethereum and Steem are setting important precedents. Everyone should pay close attention.

FAQ

What is the bZx flash loan attack? How did attackers exploit DeFi vulnerabilities for profit?

The bZx attack leveraged flash loans to manipulate Uniswap prices, enabling leveraged shorts and arbitrage. Attackers netted roughly $360,000 by targeting price oracle vulnerabilities and insufficient protection mechanisms in DeFi protocols.

What are common security vulnerabilities and risks in DeFi protocols, and how can they be prevented?

DeFi protocols face risks like reentrancy attacks and private key leakage. Preventative steps include best practices for smart contracts, automated incident response, and comprehensive audits in mainnet-like environments.

What is a flash loan, and why is it easy to use in attacks?

A flash loan in DeFi is an unsecured loan that must be repaid within the same transaction. It lends itself to attacks because it gives access to large sums with no collateral, enabling attackers to manipulate asset prices and exploit multiple protocols simultaneously.

Who are the main providers and products for crypto debit cards?

Top providers include BitPay and Revolut. Their cards let users pay and withdraw using crypto, providing secure, convenient solutions for digital asset spending.

What are the advantages and risks of crypto debit cards?

Benefits include everyday crypto spending and immediate fund access. Risks involve price volatility, security flaws, and reliance on centralized vendors.

What are the security risks in liquidity mining and lending protocols within DeFi?

Risks include code bugs, flawed rules, and systemic financial threats. Projects should implement thorough audits, strong risk controls, and ongoing monitoring to prevent market manipulation and liquidity crises.

How did DeFi projects strengthen security after the bZx incident?

DeFi protocols added time-locked upgrades, enhanced audit and review processes, and improved governance decentralization to mitigate future risks.

What are the main limitations and fees when using a crypto debit card?

Crypto debit cards typically offer low transaction fees but impose daily spending and withdrawal limits. Fees and restrictions vary by card. Always check supported cryptocurrencies before use.
