Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS13bXB2LWMyanAtajJ4Z80XOg
ERC1155Supply vulnerability in OpenZeppelin Contracts
When ERC1155 tokens are minted, a callback is invoked on the receiver of those tokens, as required by the spec. When including the ERC1155Supply
extension, total supply is not updated until after the callback, thus during the callback the reported total supply is lower than the real number of tokens in circulation.
Impact
If a system relies on accurately reported supply, an attacker may be able to mint tokens and invoke that system after receiving the token balance but before the supply is updated.
Patches
A fix is included in version 4.3.3 of @openzeppelin/contracts
and @openzeppelin/contracts-upgradeable
.
Workarounds
If accurate supply is relevant, do not mint tokens to untrusted receivers.
Credits
The issue was identified and reported by @ChainSecurityAudits.
For more information
Read TotalSupply Inconsistency in ERC1155 NFT Tokens by @ChainSecurityAudits for a more detailed breakdown.
If you have any questions or comments about this advisory, email us at [email protected].
Permalink: https://github.com/advisories/GHSA-wmpv-c2jp-j2xgJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13bXB2LWMyanAtajJ4Z80XOg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: over 2 years ago
Updated: over 1 year ago
Identifiers: GHSA-wmpv-c2jp-j2xg
References:
- https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-wmpv-c2jp-j2xg
- https://github.com/advisories/GHSA-wmpv-c2jp-j2xg
Blast Radius: 0.0
Affected Packages
npm:@openzeppelin/contracts-upgradeable
Dependent packages: 853Dependent repositories: 4,919
Downloads: 553,028 last month
Affected Version Ranges: >= 4.2.0, < 4.3.3
Fixed in: 4.3.3
All affected versions: 4.2.0, 4.3.0, 4.3.1, 4.3.2
All unaffected versions: 3.2.0, 3.3.0, 3.4.0, 3.4.1, 3.4.2, 4.0.0, 4.1.0, 4.3.3, 4.4.0, 4.4.1, 4.4.2, 4.5.0, 4.5.1, 4.5.2, 4.6.0, 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.8.0, 4.8.1, 4.8.2, 4.8.3, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.9.5, 4.9.6, 5.0.0, 5.0.1, 5.0.2
npm:@openzeppelin/contracts
Dependent packages: 3,207Dependent repositories: 34,743
Downloads: 1,490,141 last month
Affected Version Ranges: >= 4.2.0, < 4.3.3
Fixed in: 4.3.3
All affected versions: 4.2.0, 4.3.0, 4.3.1, 4.3.2
All unaffected versions: 2.3.0, 2.4.0, 2.5.0, 2.5.1, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.2.0, 3.3.0, 3.4.0, 3.4.1, 3.4.2, 4.0.0, 4.1.0, 4.3.3, 4.4.0, 4.4.1, 4.4.2, 4.5.0, 4.6.0, 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.8.0, 4.8.1, 4.8.2, 4.8.3, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.9.5, 4.9.6, 5.0.0, 5.0.1, 5.0.2