Circle fixes critical Noble-CCTP vulnerability with no loss of user funds
Blockchain security firm Asymmetric Research discovered a critical vulnerability in Circle's Noble-CCTP and privately notified Circle. The vulnerability was promptly fixed; no user funds were lost and no malicious attacks occurred.
The vulnerability was in the Noble-CCTP component of the USDC Cross-Chain Transfer Protocol. The security firm found that malicious actors could potentially counterfeit USDC tokens on the Noble bridge by bypassing the message sender verification process. The flaw allowed any sender to send "BurnMessages" to an unverified address, thereby forging USDC.
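The missing sender check described above, as an added Go illustration (not Circle's or Noble's code; the flattened `BurnMessage` shape, the field names and the `trusted-messenger` value are hypothetical): a handler that never looks at the sender, next to one that compares it with the messenger registered for the source domain.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// BurnMessage is a hypothetical, flattened message shape for illustration only.
type BurnMessage struct {
	SourceDomain  uint32
	Sender        []byte // who emitted the message on the source chain
	MintRecipient string
	Amount        uint64
}

var ErrUnknownSender = errors.New("sender is not the registered messenger for this domain")

type Bridge struct {
	remoteMessengers map[uint32][]byte // source domain -> the only trusted sender
	balances         map[string]uint64
}

func NewBridge() *Bridge {
	return &Bridge{map[uint32][]byte{0: []byte("trusted-messenger")}, map[string]uint64{}}
}

// ReceiveUnchecked mints for any message and never inspects Sender (the flaw class).
func (b *Bridge) ReceiveUnchecked(m BurnMessage) error {
	b.balances[m.MintRecipient] += m.Amount
	return nil
}

// ReceiveChecked mints only when Sender matches the messenger registered for SourceDomain.
func (b *Bridge) ReceiveChecked(m BurnMessage) error {
	want, ok := b.remoteMessengers[m.SourceDomain]
	if !ok || !bytes.Equal(want, m.Sender) {
		return ErrUnknownSender
	}
	b.balances[m.MintRecipient] += m.Amount
	return nil
}

func main() {
	forged := BurnMessage{0, []byte("anyone"), "recipient-a", 1000} // constructed sample
	weak, hardened := NewBridge(), NewBridge()
	fmt.Println(weak.ReceiveUnchecked(forged), weak.balances["recipient-a"])
	fmt.Println(hardened.ReceiveChecked(forged), hardened.balances["recipient-a"])
}
```

A message from an unregistered source domain is rejected by the same check, because no messenger is registered for it.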
Although the vulnerability initially appears to be an infinite mint flaw, the actual impact is limited by Noble's minting limits. Circle has since fixed the issue and secured the system.
Earlier this year, a similar vulnerability was discovered in the Wormhole bridge on the Aptos network, demonstrating the need for higher security standards for cross-chain bridging protocols. The rapid response from Circle and Asymmetric Research shows that guarding against potential vulnerabilities and attacks is critical to protecting user assets.