Skip to content

ERC1155Supply vulnerability in OpenZeppelin Contracts

Low severity GitHub Reviewed Published Nov 15, 2021 in OpenZeppelin/openzeppelin-contracts • Updated Jan 9, 2023

Package

npm @openzeppelin/contracts (npm)

Affected versions

>= 4.2.0, < 4.3.3

Patched versions

4.3.3
npm @openzeppelin/contracts-upgradeable (npm)
>= 4.2.0, < 4.3.3
4.3.3

Description

When ERC1155 tokens are minted, a callback is invoked on the receiver of those tokens, as required by the spec. When including the ERC1155Supply extension, total supply is not updated until after the callback, thus during the callback the reported total supply is lower than the real number of tokens in circulation.

Impact

If a system relies on accurately reported supply, an attacker may be able to mint tokens and invoke that system after receiving the token balance but before the supply is updated.

Patches

A fix is included in version 4.3.3 of @openzeppelin/contracts and @openzeppelin/contracts-upgradeable.

Workarounds

If accurate supply is relevant, do not mint tokens to untrusted receivers.

Credits

The issue was identified and reported by @ChainSecurityAudits.

For more information

Read TotalSupply Inconsistency in ERC1155 NFT Tokens by @ChainSecurityAudits for a more detailed breakdown.

If you have any questions or comments about this advisory, email us at security@openzeppelin.com.

References

Reviewed Nov 15, 2021
Published to the GitHub Advisory Database Nov 15, 2021
Last updated Jan 9, 2023

Severity

Low

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-wmpv-c2jp-j2xg

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.