According to ChainCatcher, blockchain security company Asymmetric Research disclosed that it had discovered a critical vulnerability in Circle's Noble-CCTP (a component of the USDC cross-chain transfer protocol) on the Cosmos network and had privately notified Circle. The vulnerability has been fixed in a timely manner; no user funds were lost and no malicious attacks occurred.
The security firm found that malicious actors could circumvent the cross-chain transfer protocol's message sender verification process and forge USDC on the Noble bridge. More specifically, the Noble-CCTP "ReceiveMessage" handler accepted "BurnMessages" from any sender without first checking that the bridge message was sent from a verified "TokenMessenger" address on the source chain.
Although the vulnerability initially looked like an infinite minting flaw, the actual impact was limited by Noble’s minting limit of approximately 35 million USDC.
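The sender check described above, together with the minting limit that bounded the impact, can be sketched as follows. This is an added example, not Noble-CCTP's code: the types, field names, error values and sample addresses are hypothetical and constructed for illustration.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// Simplified model for illustration; these types are hypothetical, not Noble-CCTP's.
type Message struct {
	SourceDomain uint32
	Sender       []byte // address that sent the message on the source chain
	BurnAmount   uint64 // amount claimed by the BurnMessage body
}

type Bridge struct {
	TokenMessengers map[uint32][]byte // source domain -> verified TokenMessenger
	MintAllowance   uint64            // remaining minting limit
}

var ErrUnverifiedSender = errors.New("sender is not the verified TokenMessenger")
var ErrOverAllowance = errors.New("burn amount exceeds minting limit")

// ReceiveMessage mints only for BurnMessages sent by the verified TokenMessenger.
func (b *Bridge) ReceiveMessage(m Message) error {
	want, ok := b.TokenMessengers[m.SourceDomain]
	if !ok || !bytes.Equal(want, m.Sender) { // the check the report says was missing
		return ErrUnverifiedSender
	}
	if m.BurnAmount > b.MintAllowance { // second line of defence: the cap
		return ErrOverAllowance
	}
	b.MintAllowance -= m.BurnAmount
	return nil
}

// NewSampleBridge returns constructed sample state (address and cap are made up).
func NewSampleBridge() *Bridge {
	return &Bridge{
		TokenMessengers: map[uint32][]byte{0: []byte("verified-token-messenger")},
		MintAllowance:   35_000_000,
	}
}

func main() {
	b := NewSampleBridge()
	fmt.Println(b.ReceiveMessage(Message{0, []byte("some-other-contract"), 1_000}))
	fmt.Println(b.ReceiveMessage(Message{0, []byte("verified-token-messenger"), 1_000}), b.MintAllowance)
}
```

The explicit `ok` test matters: without it, a message from an unregistered domain carrying an empty sender would compare equal to the missing map entry and pass.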