A critical bug has been identified and fixed in Circle’s Noble-CCTP.
On August 27, Asymmetric Research revealed that it had discovered a critical bug in Circle’s Noble-CCTP, a component of the USDC (USDC) cross-chain transfer protocol on the Cosmos network.
According to Web3 Security, a malicious actor could potentially bypass the message sender verification process of the cross-chain transfer protocol to mint fake USDC tokens on Noble Bridge.
More specifically, the Noble-CCTP “ReceiveMessage” handler accepted “BurnMessages” from any sender without first checking that the bridging message was sent from a verified “TokenMessenger” address on the original chain. The security firm detailed the vulnerability further.
“An attacker could exploit this to send a fake BurnMessage directly through the CCTP MessageTransmitter contract, using the Noble-CCTP module address and Noble’s chain ID as the CCTP destination, thereby causing a malicious USDC mint.”
Asymmetric Research explained that the issue initially appeared as an infinite minting error, but this could not be due to Noble implementing a minting limit of around 35 million USDC.
A graphic illustrating the various components of CCTP. Source: Asymmetric research
Web3 Security concluded that no users lost funds and that no malicious actors were able to successfully exploit the vulnerability to launch attacks. As of this writing, Circle has fixed the software bug.
relevant: Circle Proposes New Capital-Risk Framework for Stablecoins
Circle’s Noble cross-chain bridge isn’t the only one.
In May 2024, a similar vulnerability was identified in the Aptos network’s wormhole bridge. Another blockchain security firm, CertiK, found that the vulnerability could have resulted in a $5 million exploit if it had not been identified and fixed.
The critical vulnerability in Wormhole was caused by a problem in the “publish_event” function, which allowed anyone to call the contract and mint fake tokens.
However, Wormhole has not always been so lucky in addressing vulnerabilities in advance. In 2022, a bridging protocol lost $321 million to a famous exploit that allowed users to mint fake tokens.
Nearly 80% of Hacked Cryptocurrencies Never Recover in Price
The discovery of a critical vulnerability by Asymmetric Research bodes well for Circle’s USDC, as malicious actors could potentially exploit this vulnerability and cause damage.
A recent report from ImmuneFi shared with Cointelegraph found that around 80% of cryptocurrencies that are hacked or exploited never recover in price.
magazine: Strange ‘null address’ iVest hack, millions of PCs still vulnerable to ‘synchro’ malware: Crypto-Sec
