Vulnerability Database

309,130

Total vulnerabilities in the database

ERC1155Supply vulnerability in OpenZeppelin Contracts

When ERC1155 tokens are minted, a callback is invoked on the receiver of those tokens, as required by the spec. When including the ERC1155Supply extension, total supply is not updated until after the callback, thus during the callback the reported total supply is lower than the real number of tokens in circulation.

Impact

If a system relies on accurately reported supply, an attacker may be able to mint tokens and invoke that system after receiving the token balance but before the supply is updated.

Patches

A fix is included in version 4.3.3 of @openzeppelin/contracts and @openzeppelin/contracts-upgradeable.

Workarounds

If accurate supply is relevant, do not mint tokens to untrusted receivers.

Credits

The issue was identified and reported by @ChainSecurityAudits.

For more information

Read TotalSupply Inconsistency in ERC1155 NFT Tokens by @ChainSecurityAudits for a more detailed breakdown.

If you have any questions or comments about this advisory, email us at security@openzeppelin.com.

Published: Nov 15, 2021
Updated: Apr 14, 2023
GHSA: GHSA-wmpv-c2jp-j2xg
Severity: Low
Exploit:

No technical information available.

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
@openzeppelin / contracts	4.2.0	4.3.3
@openzeppelin / contracts-upgradeable	4.2.0	4.3.3

https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-wmpv-c2jp-j2xg

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo