Bridged USDC Standard is a specification and process for deploying a bridged form of USDC on EVM blockchains with optionality for Circle to seamlessly upgrade to native issuance in the future.1
The result is a secure and standardized way for any EVM blockchain and rollup team to transfer ownership of a bridged USDC token contract to Circle to facilitate an upgrade to native USDC, if and when both parties deem appropriate.2
This document provides a high-level overview of the process. Note that this also applies to implementations of bridged EURC (Circle’s euro-backed stablecoin), as they follow the same implementation.
- Third-party team follows the standard to deploy their bridge contracts, or retains the ability to upgrade their bridge contracts in the future to incorporate the required functionality. (See Bridge Contracts)
- Third-party team follows the standard to deploy their bridged USDC token contract. (See Token Deployment)
- If and when a joint decision is made by the third-party team and Circle to securely transfer ownership of the bridged USDC token contract to Circle and perform an upgrade to native USDC, the following will take place:
- Third-party team will pause bridging activity and reconcile in-flight bridging activity to harmonize the total supply of native USDC locked on the origin chain with the total supply of bridged USDC on the destination chain.
- Third-party team will securely re-assign the contract roles of the bridged USDC token contract to Circle.
- Circle and the third-party team will jointly coordinate to burn the supply of native USDC locked in the bridge contract on the origin chain and upgrade the bridged USDC token contract on the destination chain to native USDC.
- The native USDC token contract seamlessly retains the existing supply, holders, and app integrations of the original bridged USDC token contract.
The third-party team’s bridge contracts play an integral role in the process, and must be upgradable in order to add the following functionality, which is required to support the upgrade process.
- (Source and destination blockchains) Ability to pause USDC bridging to create a lock on the supply.
- (Source blockchain) Ability to burn locked USDC.
Circle recommends deferring adding this functionality to a later time through a contract upgrade after Circle and the third-party team have jointly agreed to proceed with an upgrade.
The bridges must be able to support a USDC supply lock, whereby the USDC locked on the source blockchain will (at some point soon after) precisely match the circulating bridged USDC supply on the destination blockchain. How this is implemented is up to the third-party team, but this functionality must be present before an upgrade can take place.
A final step during the upgrade is to burn locked USDC in the source blockchain bridge contract. To support this, Circle will temporarily assign the bridge contract holding the USDC balance the role of a zero-allowance USDC minter. This means that the bridge may burn its own held balance but not mint new supply.
To execute the burn, the bridge contract must expose a single function, only callable by a Circle-controlled account. The signature of this function will be:
function burnLockedUSDC() external;
The specific implementation details are left up to the third-party team, but at a minimum, the function must:
- Be only callable by an address that Circle specifies closer to the time of the upgrade.
- Burn the amount of USDC held by the bridge that corresponds precisely to the circulating total supply of bridged USDC established by the supply lock.
The third-party team’s bridged USDC token contract is expected to be identical to native USDC token contracts on other EVM blockchains. USDC uses a proxy pattern, so the standard applies to both the implementation contract code and the token proxy.
Using identical code facilitates trustless contract verification by Circle and supports a seamless integration with existing USDC services. To facilitate this, the third-party team may choose one of the following:
- Copy previously deployed bytecode from a recent, native USDC token contract deployment (both proxy and implementation) on an EVM blockchain, for example Arbitrum, Base, OP Mainnet, or Polygon PoS. Note that you must supply different constructor and initializer parameters where needed.
- For EURC, please reference the bytecode from the Ethereum implementation
- Build the FiatToken contracts from source. In this case, the compiler metadata must be published or made available to support full contract verification. Various suggested compiler settings that Circle uses can be found here, which will allow the third-party team to reach the same bytecode if followed consistently.
Circle has recommended naming guidelines for the Token Name and Token Symbol attributes of a bridged USDC or EURC token contract that third-party teams are encouraged to follow. It is often the case that USDC and EURC are bridged from Ethereum to a new destination blockchain, and as such, the following is commonly used:
USDC
- Token Name: Bridged USDC (Third-Party Team)
- Token Symbol: USDC.e
EURC
- Token Name: Bridged EURC (Third-Party Team)
- Token Symbol: EURC.e
Note that the text shown in parentheses above would be the third-party team’s company name.
- Once deployed, the bridged token contract must not be upgraded to a new or different implementation at any time, outside of subsequent FiatToken versions authored by Circle.
- FiatToken has a number of one-time use initialization functions (listed below) that are not permissioned, and therefore should be called during contract deployment.
- Due to the proxy pattern used by FiatToken, after (or while) specifying the current implementation that the proxy points to, these initialization functions must be called to set the values correctly on the proxy's storage. If not, then any caller could invoke them in the future.
- It is also recommended to call these functions directly on the implementation contract itself, separately from the proxy, to disallow any outside caller invoking them later. At the timing of writing, these initialization functions include:
There are a number of reference deployment scripts in the repository that demonstrate patterns for deploying USDC/EURC and configuring the implementation. For instance, there’s an upgrader pattern, where a smart contract sets the FiatToken implementation contract and calls the initialize functions within a single transaction.
FiatToken uses a minter pattern, where minters can be configured via a master minter role to mint up to an allowed amount. One way to adapt the minter pattern to a bridged USDC or EURC token contract is to configure the destination bridge as a solo minter.
The individual FiatToken roles (Owner, Pauser, Blacklister, MasterMinter) could also be assigned to the bridge, or some other upgradeable contract, as long as there's the ability to add a hook in the future to enable transferring the roles to Circle.
If you would like more flexibility with permissioned minter configurations, you may want to explore the Controller and MinterController
contracts, which come together to form the MasterMinter
pattern.
Transferring the roles to Circle
There are several USDC roles that will be transferred to a Circle-owned address at the time of the upgrade. Specifically these are:
- Implementation Owner: defined in the implementation contract, the Owner can re-assign all other roles (Owner, MasterMinter, Pauser, Rescuer, Blacklister).
- ProxyAdmin: defined in the proxy contract, the ProxyAdmin can re-assign the ProxyAdmin and perform upgrades. By default, the proxy admin is not allowed to call any functions defined by the implementation contract.
It is up to the third-party team as to how they will secure and manage these roles as part of their original bridged USDC deployment and its ongoing use before a potential upgrade. For instance, the roles could be assigned to a secure multi-sig, or assigned to a smart contract (like the bridge), which can simplify the role transfer process.
Some teams have opted to assign the ProxyAdmin role to a secure EOA / multi-sig wallet and assign the USDC roles to the bridge contract itself.
If they are assigned to a smart contract, the contract must expose a function that Circle can call through a smart contract interaction to perform the role transfer at upgrade time. Automating this interaction can reduce manual errors and can enable atomic before and after checks that facilitate a smooth transfer.
This function must have the following signature:
function transferUSDCRoles(address owner) external;
The function implementation details are left up to the partner, but it must: 1) only be callable by a Circle-owned address and 2) transfer the Implementation Owner role and the ProxyAdmin role to the function caller (if both are assigned to the bridge).
Additionally, the partner is expected to remove all configured minters prior to (or concurrently with) transferring the roles to Circle.
Please reach out on our Discord if you have questions that were not addressed in this document. We value feedback and suggestions from the community to improve our documentation.
- Bridged USDC Standard grants Circle the option, but not the obligation, to obtain ownership of the token contract and upgrade to native USDC. Additionally, Bridged USDC Standard must be incorporated prior to deploying a bridged USDC token contract as it cannot be retroactively applied. The requirements provided are for informational purposes only and will apply should Circle choose to upgrade a particular form of bridged USDC to native USDC. These requirements do not constitute an offer to upgrade a particular form of bridged USDC. Circle’s decision to upgrade a particular form of bridged USDC to native USDC may be subject to additional terms and conditions. As noted in Section 8 of the USDC Terms of Use, bridged forms of USDC are subject to certain risks and are not issued by Circle. The same conditions apply to EURC.
- The target blockchain will undergo Circle’s internal Blockchain Due Diligence Process. That process involves reviews for both compliance and risk factors, as well as coverage for legal and technology risks, prior to approval. The diligence focuses on crypto and blockchain nuances, and an assessment of the strategic, financial, operational, technology, legal, and regulatory risks that are present.