Incorrect Calculation

CVE-2023-26488

Medium

6.5/10

Summary

OpenZeppelin Contracts is a library for secure smart contract development. The ERC721Consecutive contract designed for minting NFTs in batches does not update balances when a batch has size 1 and consists of a single token. Subsequent transfers from the receiver of that token may overflow the balance as reported by "balanceOf". The issue exclusively presents with batches of size 1. This issue affects @openzeppelin/contracts and @openzeppelin/contracts-upgradeable versions 4.8.0-rc.2 through 4.8.1.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: LOW
Confidentiality Impact: NONE
Availability Impact: NONE

CWE-682 - Incorrect Calculation

The software performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.

References

Advisory
@openzeppelin/contracts
@openzeppelin/contracts-upgradeable

Advisory Timeline

Published Mar 03, 2023

Incorrect Calculation

CVE-2023-26488

Summary

CWE-682 - Incorrect Calculation

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS