On Aug. 27, Asymmetric Research revealed that it had identified a critical bug in Circle’s Noble-CCTP, a component of the USDC Cross-Chain Transfer Protocol, on the Cosmos network.
According to the Web3 security firm, a malicious actor could have potentially sidestepped the cross-chain transfer protocol’s message sender verification process to mint fake USDC tokens on the Noble bridge.
More specifically, the Noble-CCTP “ReceiveMessage” handler was accepting “BurnMessages” from any sender without first checking that the bridging message was sent from a verified “TokenMessenger” address on the original chain. The security firm outlined the vulnerability in greater detail:
"An attacker could have been able to exploit this and trigger malicious USDC mints by sending a fake BurnMessage directly through a CCTP MessageTransmitter contract, using the Noble-CCTP module address and Noble’s chain-ID as the CCTP destination."
Asymmetric Research explained that the problem initially appeared to be an infinite mint glitch, but it could not have been one because Noble enforces a mint limit of approximately 35 million USDC.
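The missing sender check described above, modelled in Go as an added example: this is not Noble-CCTP's or Circle's code, and the type names, field names and addresses are constructed for illustration. It assumes every other check on the incoming message has already passed, so only the TokenMessenger comparison differs between the two handlers.

```go
package main

import (
	"errors"
	"fmt"
)

// Message is a simplified cross-chain message carrying a burn body (illustrative fields).
type Message struct {
	SourceDomain uint32
	Sender       string // who submitted the message on the source chain
	MintTo       string // recipient taken from the burn body
	Amount       uint64 // amount taken from the burn body
}

// Bridge models the destination module: trusted TokenMessenger per source domain, plus balances.
type Bridge struct {
	TokenMessengers map[uint32]string
	Minted          map[string]uint64
}

var ErrUntrustedSender = errors.New("burn message not sent by the registered TokenMessenger")

// NewBridge registers one constructed TokenMessenger address for source domain 0.
func NewBridge() *Bridge {
	return &Bridge{
		TokenMessengers: map[uint32]string{0: "0xTOKEN_MESSENGER_PLACEHOLDER"},
		Minted:          map[string]uint64{},
	}
}

// ReceiveVulnerable mints from the burn body without asking who sent the message.
func (b *Bridge) ReceiveVulnerable(m Message) error {
	b.Minted[m.MintTo] += m.Amount
	return nil
}

// ReceiveHardened mints only when the sender is the TokenMessenger registered for that domain.
func (b *Bridge) ReceiveHardened(m Message) error {
	trusted, ok := b.TokenMessengers[m.SourceDomain]
	if !ok || m.Sender != trusted {
		return ErrUntrustedSender
	}
	b.Minted[m.MintTo] += m.Amount
	return nil
}

func main() {
	forged := Message{SourceDomain: 0, Sender: "0xARBITRARY_CALLER", MintTo: "noble1example", Amount: 1_000_000}
	fmt.Println("vulnerable:", NewBridge().ReceiveVulnerable(forged))
	fmt.Println("hardened:  ", NewBridge().ReceiveHardened(forged))
}
```

The hardened handler also rejects messages from a source domain with no registered TokenMessenger, so an unconfigured domain fails closed.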
A graphic explaining the different components of CCTP. Source: Asymmetric Research
The Web3 security firm concluded by noting that no users lost funds and no malicious actors were able to successfully leverage the vulnerability and launch an attack. At the time of this writing, Circle has remedied the software bug.
Circle’s Noble cross-chain bridge isn’t the only one
In May 2024, a similar vulnerability was identified in the Wormhole bridge on the Aptos network. CertiK—another blockchain security firm—discovered the weakness that would have resulted in a $5 million exploit had the vulnerability not been identified and addressed.
The Wormhole critical vulnerability was caused by a problem with the “publish_event” function, allowing anyone to call the contract and mint fake tokens.
However, Wormhole has not always been so lucky when it comes to proactively addressing vulnerabilities. In 2022, the bridging protocol lost $321 million in a high-profile exploit allowing a user to mint fake tokens.
Nearly 80% of hacked cryptocurrencies don’t recover in price
Asymmetric Research’s discovery of the critical vulnerability bodes well for Circle’s USDC, which might have suffered consequences had a malicious actor taken advantage of the vulnerability.
A recent report from ImmuneFi shared with Cointelegraph revealed that nearly 80% of hacked or exploited cryptocurrencies never recover in terms of price.