According to Cointelegraph, on Aug. 27, Asymmetric Research identified a critical bug in Circle’s Noble-CCTP, a component of the USDC Cross-Chain Transfer Protocol on the Cosmos network.
The Web3 security firm reported that a malicious actor could have bypassed the protocol’s message sender verification process to mint fake USDC tokens on the Noble bridge. Specifically, the Noble-CCTP “ReceiveMessage” handler accepted “BurnMessages” from any sender without verifying that the message was sent from a verified “TokenMessenger” address on the original chain. This could have allowed an attacker to trigger malicious USDC mints by sending a fake BurnMessage directly through a CCTP MessageTransmitter contract, using the Noble-CCTP module address and Noble’s chain-ID as the CCTP destination.
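The missing check described above, shown as an added Go example that is not Noble's or Circle's code: a receive handler that mints for any sender, next to one that first compares the sender with the messenger registered for the source domain. The types, field names, registry layout and sample values are assumptions made up for illustration.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// Message is a simplified burn message (hypothetical layout, not the CCTP wire format).
type Message struct {
	SourceDomain uint32
	Sender       []byte // address that submitted the message on the source chain
	Recipient    string
	Amount       uint64
}

var ErrUntrustedSender = errors.New("sender is not the registered token messenger")

// Bridge keeps one trusted messenger address per source domain (assumed registry).
type Bridge struct {
	TrustedSenders map[uint32][]byte
	Minted         map[string]uint64
}

// ReceiveUnchecked reproduces the flaw: the sender field is never inspected.
func (b *Bridge) ReceiveUnchecked(m Message) error {
	b.Minted[m.Recipient] += m.Amount
	return nil
}

// ReceiveChecked mints only if the sender equals the messenger registered for the domain.
func (b *Bridge) ReceiveChecked(m Message) error {
	want, ok := b.TrustedSenders[m.SourceDomain]
	if !ok || len(want) == 0 || !bytes.Equal(want, m.Sender) {
		return ErrUntrustedSender // unknown domain or unregistered sender: no mint
	}
	b.Minted[m.Recipient] += m.Amount
	return nil
}

func main() {
	// Constructed sample data: one registered messenger, one message from another address.
	b := &Bridge{TrustedSenders: map[uint32][]byte{0: []byte("token-messenger")}, Minted: map[string]uint64{}}
	forged := Message{SourceDomain: 0, Sender: []byte("other-contract"), Recipient: "acct-1", Amount: 1000}
	fmt.Println("unchecked:", b.ReceiveUnchecked(forged), "minted:", b.Minted["acct-1"])
	fmt.Println("checked:", b.ReceiveChecked(forged), "minted:", b.Minted["acct-1"])
}
```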
Asymmetric Research clarified that the issue initially appeared to be an infinite mint glitch but was limited by Noble’s enforcement of a mint limit of approximately 35 million USDC. The firm concluded that no users lost funds and no malicious actors were able to exploit the vulnerability. Circle has since remedied the software bug.
This is not the first instance of such vulnerabilities in cross-chain bridges. In May 2024, a similar issue was found in the Wormhole bridge on the Aptos network by CertiK, another blockchain security firm. The vulnerability could have resulted in a $5 million exploit if not addressed. The Wormhole bridge previously suffered a significant exploit in 2022, losing $321 million due to a similar issue.
Asymmetric Research’s discovery of the critical vulnerability is a positive development for Circle’s USDC, potentially preventing severe consequences from a malicious actor exploiting the bug. A recent report from ImmuneFi revealed that nearly 80% of hacked or exploited cryptocurrencies never recover in terms of price.