
GHSA-wmpv-c2jp-j2xg @openzeppelin/contracts-upgradeable

Package

Manager: npm
Name: @openzeppelin/contracts-upgradeable
Vulnerable Version: >=4.2.0 <4.3.3

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

EPSS: N/A (percentile: N/A)

Details

ERC1155Supply vulnerability in OpenZeppelin Contracts

When ERC1155 tokens are minted, a callback is invoked on the receiver of those tokens, as required by the spec. When including the `ERC1155Supply` extension, total supply is not updated until after the callback, thus during the callback the reported total supply is lower than the real number of tokens in circulation.

### Impact

If a system relies on accurately reported supply, an attacker may be able to mint tokens and invoke that system after receiving the token balance but before the supply is updated.

### Patches

A fix is included in version 4.3.3 of `@openzeppelin/contracts` and `@openzeppelin/contracts-upgradeable`.

### Workarounds

If accurate supply is relevant, do not mint tokens to untrusted receivers.

### Credits

The issue was identified and reported by @ChainSecurityAudits.

### For more information

Read [TotalSupply Inconsistency in ERC1155 NFT Tokens](https://medium.com/chainsecurity/totalsupply-inconsistency-in-erc1155-nft-tokens-8f8e3b29f5aa) by @ChainSecurityAudits for a more detailed breakdown.

If you have any questions or comments about this advisory, email us at security@openzeppelin.com.
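The ordering problem described above, as an added illustration that is not OpenZeppelin's code: a stripped-down ERC1155-style mint with a receiver callback, in the affected ordering (supply updated after the callback) beside the corrected ordering (supply updated before it), plus a probe receiver that records the supply it observes mid-callback so a unit test can catch the inconsistency. Contract and function names are invented for this sketch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Receiver hook as defined by the ERC-1155 spec (signature only).
interface IERC1155Receiver {
    function onERC1155Received(address operator, address from, uint256 id,
        uint256 value, bytes calldata data) external returns (bytes4);
}

// Hypothetical minimal token: only the parts needed to show the ordering issue.
contract MinimalSupplyToken {
    mapping(uint256 => mapping(address => uint256)) internal _balances;
    mapping(uint256 => uint256) private _totalSupply;

    function totalSupply(uint256 id) public view returns (uint256) {
        return _totalSupply[id];
    }

    // Affected ordering: the receiver callback runs while totalSupply()
    // still returns the pre-mint value, although the balance is already credited.
    function mintSupplyAfterHook(address to, uint256 id, uint256 amount) external {
        _balances[id][to] += amount;
        _callReceiver(to, id, amount);   // observer sees stale supply here
        _totalSupply[id] += amount;
    }

    // Corrected ordering: supply is updated before any external call,
    // so totalSupply() is consistent with balances throughout the callback.
    function mintSupplyBeforeHook(address to, uint256 id, uint256 amount) external {
        _totalSupply[id] += amount;
        _balances[id][to] += amount;
        _callReceiver(to, id, amount);   // observer sees the real supply
    }

    function _callReceiver(address to, uint256 id, uint256 amount) private {
        if (to.code.length > 0) {        // only contracts receive the hook
            bytes4 r = IERC1155Receiver(to).onERC1155Received(msg.sender, address(0), id, amount, "");
            require(r == IERC1155Receiver.onERC1155Received.selector, "bad receiver");
        }
    }
}

// Test probe: records the supply visible during the callback. A test mints
// `amount` and asserts observedSupply == token.totalSupply(id) afterwards;
// the assertion fails for mintSupplyAfterHook and passes for mintSupplyBeforeHook.
contract SupplyProbe is IERC1155Receiver {
    uint256 public observedSupply;
    function onERC1155Received(address, address, uint256 id, uint256, bytes calldata)
        external override returns (bytes4) {
        observedSupply = MinimalSupplyToken(msg.sender).totalSupply(id);
        return this.onERC1155Received.selector;
    }
}
```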

Metadata

Created: 2021-11-15T23:28:18Z
Modified: 2021-11-15T22:27:38Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-wmpv-c2jp-j2xg/GHSA-wmpv-c2jp-j2xg.json
CWE IDs: []
Alternative ID: N/A
Finding: F067
Auto approve: 1