GHSA-WMPV-C2JP-J2XG
Vulnerability from github – Published: 2021-11-15 23:28 – Updated: 2021-11-15 22:27When ERC1155 tokens are minted, a callback is invoked on the receiver of those tokens, as required by the spec. When including the ERC1155Supply extension, total supply is not updated until after the callback, thus during the callback the reported total supply is lower than the real number of tokens in circulation.
Impact
If a system relies on accurately reported supply, an attacker may be able to mint tokens and invoke that system after receiving the token balance but before the supply is updated.
Patches
A fix is included in version 4.3.3 of @openzeppelin/contracts and @openzeppelin/contracts-upgradeable.
Workarounds
If accurate supply is relevant, do not mint tokens to untrusted receivers.
Credits
The issue was identified and reported by @ChainSecurityAudits.
For more information
Read TotalSupply Inconsistency in ERC1155 NFT Tokens by @ChainSecurityAudits for a more detailed breakdown.
If you have any questions or comments about this advisory, email us at security@openzeppelin.com.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@openzeppelin/contracts"
},
"ranges": [
{
"events": [
{
"introduced": "4.2.0"
},
{
"fixed": "4.3.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@openzeppelin/contracts-upgradeable"
},
"ranges": [
{
"events": [
{
"introduced": "4.2.0"
},
{
"fixed": "4.3.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [],
"github_reviewed": true,
"github_reviewed_at": "2021-11-15T22:27:38Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "When ERC1155 tokens are minted, a callback is invoked on the receiver of those tokens, as required by the spec. When including the `ERC1155Supply` extension, total supply is not updated until after the callback, thus during the callback the reported total supply is lower than the real number of tokens in circulation.\n\n### Impact\nIf a system relies on accurately reported supply, an attacker may be able to mint tokens and invoke that system after receiving the token balance but before the supply is updated.\n\n### Patches\nA fix is included in version 4.3.3 of `@openzeppelin/contracts` and `@openzeppelin/contracts-upgradeable`.\n\n### Workarounds\nIf accurate supply is relevant, do not mint tokens to untrusted receivers.\n\n### Credits\nThe issue was identified and reported by @ChainSecurityAudits.\n\n### For more information\nRead [TotalSupply Inconsistency in ERC1155 NFT Tokens](https://medium.com/chainsecurity/totalsupply-inconsistency-in-erc1155-nft-tokens-8f8e3b29f5aa) by @ChainSecurityAudits for a more detailed breakdown.\n\nIf you have any questions or comments about this advisory, email us at security@openzeppelin.com.",
"id": "GHSA-wmpv-c2jp-j2xg",
"modified": "2021-11-15T22:27:38Z",
"published": "2021-11-15T23:28:18Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-wmpv-c2jp-j2xg"
},
{
"type": "PACKAGE",
"url": "https://github.com/OpenZeppelin/openzeppelin-contracts"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "ERC1155Supply vulnerability in OpenZeppelin Contracts"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.