According to Cointelegraph, on August 27, Asymmetric Research discovered that Circle's USDC cross-chain transfer protocol Noble-CCTP had a serious vulnerability. Malicious actors could bypass the message sender verification process and forge USDC tokens on the Noble bridge.

Specifically, Noble-CCTP's "ReceiveMessage" handler accepts "BurnMessages" from any sender without checking whether the message comes from a verified address on the source chain. An attacker can exploit this vulnerability to send a forged BurnMessage through the CCTP MessageTransmitter contract.

Asymmetric Research explained that although it initially looked like an unlimited minting vulnerability, this was not the case due to Noble’s minting limit of approximately 35 million USDC. Fortunately, no user funds were compromised and Circle has since fixed the vulnerability.
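The missing sender check and the mint limit described above, modeled as an added Go example that is not Noble's or Circle's code. All type, field and function names, addresses and amounts are hypothetical and constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Simplified model; all names are hypothetical, not Noble or Circle code.
type Message struct {
	SourceDomain uint32 // chain the burn claims to come from
	Sender       string // address that submitted it on the source chain
	Recipient    string // mint recipient from the burn message body
	Amount       uint64
}

var ErrUntrustedSender = errors.New("sender is not the registered token messenger")
var ErrMintCap = errors.New("amount exceeds remaining mint allowance")

type Bridge struct {
	TrustedSender map[uint32]string // source domain -> registered remote sender
	MintAllowance uint64            // remaining cap, bounds the damage of any bug
	Minted        map[string]uint64
}

// ReceiveUnchecked models the flaw: a burn message from any sender is minted.
func (b *Bridge) ReceiveUnchecked(m Message) error { return b.mint(m) }

// ReceiveChecked mints only when the sender is the one registered for the domain.
func (b *Bridge) ReceiveChecked(m Message) error {
	want, ok := b.TrustedSender[m.SourceDomain]
	if !ok || want == "" || m.Sender != want {
		return ErrUntrustedSender
	}
	return b.mint(m)
}

func (b *Bridge) mint(m Message) error {
	if m.Amount > b.MintAllowance {
		return ErrMintCap
	}
	b.MintAllowance -= m.Amount
	b.Minted[m.Recipient] += m.Amount
	return nil
}

func main() {
	b := &Bridge{map[uint32]string{0: "0xMessengerA"}, 100, map[string]uint64{}}
	forged := Message{0, "0xOther", "noble1xyz", 60} // constructed sample
	fmt.Println(b.ReceiveUnchecked(forged), b.ReceiveChecked(forged))
}
```

The allowance check sits in `mint`, so it caps both paths; that is why the missing sender check alone did not amount to unlimited minting.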

A similar vulnerability was discovered on the Wormhole bridge of the Aptos network in May 2024, which could have resulted in a loss of $5 million if not fixed in time. In 2022, the Wormhole bridge was exploited due to a vulnerability, resulting in a loss of $321 million.

ImmuneFi’s report shows that nearly 80% of hacked cryptocurrencies have failed to recover in price.