• Attackers could have minted up to 35 million USDC on the Noble Bridge if Asymmetric Research had not found the flaws.

As a researcher who has spent years diving into the depths of blockchain technology and cybersecurity, I can confidently say that discovering a vulnerability like the one found by Asymmetric Research is both exhilarating and terrifying. On the one hand, it’s thrilling to uncover potential threats and help protect systems from malicious actors. On the other hand, the thought of what could have happened had this bug gone unnoticed is chilling.


Cybersecurity company Asymmetric Research discovered an issue within Circle’s system that could have resulted in significant financial losses if left unchecked. The problem was found in Circle’s Cross-Chain Transfer Protocol (CCTP), which is used on the Cosmos network to bridge the USDC stablecoin. More specifically, Asymmetric pinpointed a vulnerability within the noble-cctp module of the CCTP.

In its findings, the security company revealed that it had confidentially reported the weakness to Circle through the bug bounty program. Importantly, there was no incident of harmful exploitation, and no customer funds were compromised. Once made aware, Circle swiftly fixed the bug.

The vulnerability was in the Noble Bridge, an application for cross-chain transfers between blockchains linked to Cosmos, and might have enabled unscrupulous users to generate an unlimited amount of USDC tokens. On closer examination, it appears that unauthorized parties could manipulate the bridge’s message sender verification, which should accept “BurnMessages” only from approved “TokenMessenger” addresses. That check was found not to be enforced.

“Asymmetric stated in their findings that an attacker might have been capable of manipulating USDC mints maliciously by sending a fabricated BurnMessage directly via a CCTP MessageTransmitter contract, employing the noble-cctp module address and noble’s chainid as the CCTP destination. Yet, we couldn’t find any proof that this vulnerability was actually exploited.”

Infinite Money Glitch at First Assumption

According to Asymmetric’s initial assessment, attackers could have created an unlimited number of USDC tokens. On further examination, however, Noble had set a minting cap of approximately 35 million USDC, an amount that was still concerning. No malicious actors discovered the bug, so no tokens were created without authorization and Noble Bridge users lost no funds. In response, Circle swiftly addressed the vulnerability by reinforcing the verification process so that only legitimate addresses could initiate minting.
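A simplified Go model of the receive-side check described above, added here as an illustration; it is not Circle's or Noble's code, and the type names, field names, sender strings and allowance handling are assumptions. It contrasts a handler that mints for any sender with one that accepts a burn message only from the approved TokenMessenger for the source domain, and shows the mint allowance bounding what either path can create.

```go
package main

import (
	"errors"
	"fmt"
)

// Message is a simplified burn message (constructed model, not the CCTP wire format).
type Message struct {
	SourceDomain uint32
	Sender       string // contract that emitted the message on the source chain
	Recipient    string
	Amount       uint64
}

// Bridge is hypothetical receive-side state: one approved sender per source domain.
type Bridge struct {
	TokenMessengers map[uint32]string
	MintAllowance   uint64 // remaining amount the bridge is allowed to mint
	Balances        map[string]uint64
}

var ErrSender = errors.New("sender is not the approved TokenMessenger")
var ErrAllowance = errors.New("amount exceeds mint allowance")

// ReceiveUnchecked models the flaw: the sender field is never compared to the allow-list.
func (b *Bridge) ReceiveUnchecked(m Message) error { return b.mint(m) }

// ReceiveChecked mints only for the approved sender of the message's source domain.
func (b *Bridge) ReceiveChecked(m Message) error {
	if want, ok := b.TokenMessengers[m.SourceDomain]; !ok || m.Sender != want {
		return ErrSender
	}
	return b.mint(m)
}

func (b *Bridge) mint(m Message) error {
	if m.Amount > b.MintAllowance {
		return ErrAllowance
	}
	b.MintAllowance -= m.Amount
	b.Balances[m.Recipient] += m.Amount
	return nil
}

func main() {
	b := &Bridge{map[uint32]string{0: "token-messenger"}, 35000000, map[string]uint64{}}
	forged := Message{0, "other-contract", "recipient", 1000000} // constructed sample
	fmt.Println(b.ReceiveUnchecked(forged), b.ReceiveChecked(forged), b.Balances)
}
```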

If Asymmetric hadn’t discovered the glitch, it’s likely that Circle and its users would have joined the increasingly concerning list of victims of this year’s cyberattacks, and the story would have taken a dramatically different course.


2024-08-29 15:05