A critical bug in Circle’s Noble-CCTP was identified and fixed.
In the year On August 27, Asymmetric Research disclosed a critical bug in Circle's Noble-CCTP, part of the USDC cross-chain transfer protocol on the Cosmos network.
According to the Web3 security firm, a malicious actor can bypass the fake USDC tokens on Noble Bridge through the Chain Transfer Protocol's sender authentication process.
Specifically, the Noble-CCTP “Receiver Message” handler was receiving “BurnMessage” from any sender without verifying that the bridge message was sent from an authenticated “TokenMessenger” address on the main chain. The security firm described the vulnerability in more detail.
“An attacker could exploit this and send malicious USDC minnts in a CCTP message relay contract using the Noble-CCTP module address and Noble-Chain-ID as the CCTP destination.”
Asymmetric Research found that the problem initially appeared to be an infinite mint problem, but it turned out to be due to Noble exceeding the mint limit by nearly US$35 million.
A graphic explaining the different parts of CCTP. Source: Asymmetric Research
The Web3 security firm concluded that no users lost money and no malicious actors were able to successfully exploit the vulnerability to launch an attack. By the time this article was prepared, Circle had fixed a software bug.
Related: Circle Offers New Capital-Risk Framework for Stablecoins
Circle Noble's Chain Bridge isn't the only one.
In May 2024, a similar vulnerability was identified in a wormhole bridge on the Aptos network. CertiK—another blockchain security firm—discovered a vulnerability that could result in a $5 million exploit if the vulnerability wasn't identified and addressed.
The critical vulnerability of the wormhole is caused by a flaw in the “publish_event” function, allowing anyone to call the contract and issue a fake token.
However, wormholes weren't always lucky enough to proactively address vulnerabilities. In the year By 2022, Bridge Protocol lost $321 million in high-profile exploits.
Almost 80% of hacked cryptocurrencies never recover in value.
Asymmetric Research's discovery of a critical vulnerability bodes well for Circle's USDC, which could have consequences if a malicious actor takes advantage of the vulnerability.
A recent report from ImmuneFi shared with Cointelegraph shows that nearly 80% of hacked or exploited cryptocurrencies never recover in value.
Magazine: Strange ‘null address' iVest hack, millions of PCs still vulnerable to ‘Sinkclose' malware: Crypto-Sec
