Circle Addresses Bug That Could Have Led to Millions in Losses if Exploited

  • Attackers could have minted up to 35 million USDC on the Noble Bridge if Asymmetric Research had not found the flaws.

Asymmetric Research, a blockchain cybersecurity firm, helped Circle identify a bug that could have led to massive losses if not addressed. It existed in Circle’s Cross-Chain Transfer Protocol (CCTP) deployed on the Cosmos network, which allows the firm’s USDC stablecoin to be bridged. Specifically, Asymmetric found the vulnerability in the noble-cctp module of the CCTP.

“We privately disclosed a vulnerability to Circle via their bug bounty program,” the security firm said in its report. “Notably, no malicious exploitation took place, and no user funds were lost. Circle promptly took action, once notified, to fix the bug.”

The bug could have allowed bad actors to mint “infinite” USDC tokens on the Noble Bridge, an app chain that enables cross-chain transfers between Cosmos-associated blockchains. Specifically, the bridge’s message sender verification should have required incoming “BurnMessages” to originate from approved “TokenMessenger” addresses, but the verification process was not performing that check.

“An attacker could have been able to exploit this and trigger malicious USDC mints by sending a fake BurnMessage directly through a CCTP MessageTransmitter contract, using the noble-cctp module address and noble’s chainid as the CCTP destination. However, we did not identify any evidence of exploitation,” Asymmetric explained in its findings.

Infinite Money Glitch at First Assumption

While initial observations led Asymmetric to believe that attackers could mint as many USDC tokens as they wanted, a closer look found that Noble enforced a mint limit of about 35 million USDC—still a concerning amount. Luckily, nobody with bad intentions found the bug. No tokens were minted out of thin air, and no Noble Bridge users lost their funds. Circle took immediate measures to patch the vulnerability, fixing the verification process so that it checks that minting messages come from valid addresses.
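To make the missing check concrete, here is a simplified model in Go (an added example, not Circle’s or the noble-cctp module’s code): a vulnerable receive path that accepts any BurnMessage addressed to the module, beside a hardened one that also verifies the sender against the TokenMessenger registered for the message’s source domain and enforces a per-message mint cap. The struct fields, domain ids, addresses and cap value are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Message is a simplified stand-in for a CCTP cross-chain message; the field
// names are this example's assumptions, not noble-cctp's actual types.
type Message struct {
	SourceDomain      uint32 // CCTP domain id of the chain the burn happened on
	DestinationDomain uint32 // CCTP domain id of the chain that should mint
	Sender            string // address that emitted the message on the source chain
	Recipient         string // module or contract meant to handle it here
	BurnAmount        uint64 // USDC burned at the source, to be minted here
}

// Bridge holds the destination chain's configuration (constructed values).
type Bridge struct {
	LocalDomain      uint32
	ModuleAddress    string
	RemoteMessengers map[uint32]string // source domain -> authorized TokenMessenger
	MintCap          uint64            // per-message mint limit
}

var ErrUnauthorizedSender = errors.New("sender is not the registered TokenMessenger for its domain")

// VulnerableReceive mirrors the flaw the article describes: it checks that the
// message is addressed to this module but never verifies who sent it.
func (b *Bridge) VulnerableReceive(m Message) (uint64, error) {
	if m.DestinationDomain != b.LocalDomain || m.Recipient != b.ModuleAddress {
		return 0, errors.New("message not addressed to this module")
	}
	if m.BurnAmount > b.MintCap {
		return 0, fmt.Errorf("mint of %d exceeds cap of %d", m.BurnAmount, b.MintCap)
	}
	return m.BurnAmount, nil // mints whatever amount the message body claims
}

// HardenedReceive adds the missing origin check before any minting logic runs:
// the sender must be the TokenMessenger registered for the source domain.
func (b *Bridge) HardenedReceive(m Message) (uint64, error) {
	if expected, ok := b.RemoteMessengers[m.SourceDomain]; !ok || expected != m.Sender {
		return 0, ErrUnauthorizedSender
	}
	return b.VulnerableReceive(m)
}
```

With a bridge whose registered messenger for domain 0 is a known address, the vulnerable path returns the claimed amount for any sender, while the hardened path returns ErrUnauthorizedSender for an unregistered one and still rejects over-cap or mis-addressed messages.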

The story could have been entirely different had Asymmetric not found the glitch, possibly adding Circle and its users on the Noble Bridge to a worrisome growing list of victims of cyberattacks this year.
