- Attackers could have minted up to 35 million USDC on the Noble Bridge if Asymmetric Research had not found the flaws.
Asymmetric Research, a blockchain cybersecurity firm, helped Circle identify a bug that could have led to massive losses if not addressed. It existed in Circle’s Cross-Chain Transfer Protocol (CCTP) deployed on the Cosmos network, which allows the firm’s USDC stablecoin to be bridged. Specifically, Asymmetric found the vulnerability in the noble-cctp module of the CCTP.
“We privately disclosed a vulnerability to Circle via their bug bounty program,” the security firm said in its report. “Notably, no malicious exploitation took place, and no user funds were lost. Circle promptly took action, once notified, to fix the bug.”
The bug could have allowed bad actors to mint “infinite” USDC tokens on the Noble Bridge, an app chain allowing cross-chain transfers between Cosmos-associated blockchains. Delving deeper, unauthorized individuals could exploit the bridge’s message sender verification process, which ideally requires the “BurnMessages” function to come from ratified “TokenMessenger” addresses. The verification process was not doing that.
“An attacker could have been able to exploit this and trigger malicious USDC mints by sending a fake BurnMessage directly through a CCTP MessageTransmitter contract, using the noble-cctp module address and noble’s chainid as the CCTP destination. However, we did not identify any evidence of exploitation,” Asymmetric explained through its findings.
Infinite Money Glitch at First Assumption
While initial observations led Asymmetric to believe that attackers could mint as many USDC tokens as they wanted, a closer look found that Noble enforced a mint limit of about 35 million USDC—still concerning. Luckily, nobody with bad intentions found the bug. No tokens got minted out of thin air, and no Noble Bridge users lost their funds. Circle took immediate measures to patch the vulnerability, fixing the verification process to check minting messages come from valid addresses.
The story could have been entirely different had Asymmetric not found the glitch, possibly adding Circle and its users on the Noble Bridge to a worrisome growing list of victims of cyberattacks this year.
