OpenZeppelin Contracts contains Incorrect Calculation
Description
OpenZeppelin Contracts is a library for secure smart contract development. The ERC721Consecutive contract designed for minting NFTs in batches does not update balances when a batch has size 1 and consists of a single token. Subsequent transfers from the receiver of that token may overflow the balance as reported by balanceOf. The issue exclusively presents with batches of size 1. The issue has been patched in 4.8.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ERC721Consecutive in OpenZeppelin Contracts fails to update balances for batch size 1, enabling balance overflow on subsequent transfers.
Root Cause
The ERC721Consecutive contract, part of OpenZeppelin Contracts, is designed for gas-efficient batch minting of ERC721 tokens during construction. In versions 4.8.0 and 4.8.1 the balance bookkeeping for batch operations lives in ERC721's batch transfer hook, which only adjusts balances when the batch size is greater than 1, because single-token mints, transfers and burns adjust balances themselves. _mintConsecutive relies on that hook, so a batch of exactly one token takes neither path: ownership of the token is recorded through the consecutive checkpoint, but the recipient's balance is never incremented [1][4].
Exploitation
The issue only manifests when a batch of size 1 is minted, which ERC721Consecutive permits only from the constructor. The recipient of such a mint owns the token (ownerOf is correct) while balanceOf reports 0. When that recipient transfers the token, ERC721's single-token transfer decrements the sender's balance inside an unchecked block, on the assumption that a sender's balance is at least one, so 0 - 1 wraps to 2**256 - 1 instead of reverting, and balanceOf reports that value from then on [1][3]. No special privileges are needed beyond being the recipient of a size-1 batch, and the recipient need not be malicious: an ordinary transfer produces the same state.
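The two steps above as a Foundry test, added here as an illustration; it is not code from the advisory or from OpenZeppelin. It assumes a Foundry project with forge-std and OpenZeppelin Contracts v4.8.1 installed (for example via forge install OpenZeppelin/openzeppelin-contracts@v4.8.1) and the remapping @openzeppelin/contracts/=lib/openzeppelin-contracts/contracts/. The SingleBatchNFT contract, the test names and the alice/bob accounts are hypothetical. The second test shows the contrast the advisory draws: a batch of size 2 is accounted for correctly.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Added reproduction of GHSA-878m-3g6q-594q (not advisory or OpenZeppelin code).
// Assumes OpenZeppelin Contracts v4.8.1 at the @openzeppelin/contracts remapping
// and forge-std; on v4.8.2 or later the first test fails at the "balance is 0" step.
import "forge-std/Test.sol";
import "@openzeppelin/contracts/token/ERC721/extensions/ERC721Consecutive.sol";

// Hypothetical collection that mints its initial supply through the batch path.
// The batch size is a constructor argument so a deployment-time calculation can
// legitimately come out as 1, which is the case the advisory describes.
contract SingleBatchNFT is ERC721Consecutive {
    constructor(address to, uint96 batchSize) ERC721("SingleBatch", "SB") {
        _mintConsecutive(to, batchSize);
    }
}

contract ERC721ConsecutiveBatchOfOneTest is Test {
    address alice = makeAddr("alice");
    address bob = makeAddr("bob");

    function testBatchOfOneLeavesBalanceAtZeroThenWraps() public {
        SingleBatchNFT nft = new SingleBatchNFT(alice, 1);

        // Ownership of token 0 comes from the consecutive checkpoint...
        assertEq(nft.ownerOf(0), alice);
        // ...but the balance counter was never incremented (the bug).
        assertEq(nft.balanceOf(alice), 0);

        // A single-token transfer decrements the sender's balance in an
        // unchecked block, so 0 - 1 wraps instead of reverting.
        vm.prank(alice);
        nft.transferFrom(alice, bob, 0);

        assertEq(nft.ownerOf(0), bob);
        assertEq(nft.balanceOf(bob), 1);
        assertEq(nft.balanceOf(alice), type(uint256).max);
    }

    function testBatchOfTwoIsAccountedCorrectly() public {
        // Batches of size >= 2 go through the batch hook and are not affected.
        SingleBatchNFT nft = new SingleBatchNFT(alice, 2);
        assertEq(nft.balanceOf(alice), 2);

        vm.prank(alice);
        nft.transferFrom(alice, bob, 1);

        assertEq(nft.balanceOf(alice), 1);
        assertEq(nft.balanceOf(bob), 1);
    }
}
```

Run it with forge test. Against 4.8.1 both tests pass, which is the point: the first one pins down the bug. Bumping the dependency to 4.8.2 makes that test fail at the balanceOf(alice) == 0 assertion (it now reports 1, and 0 after the transfer), which is the behaviour a consumer should assert instead once upgraded.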
Impact
The affected account's balanceOf is wildly inflated, which disrupts anything that trusts the balance counter rather than per-token ownership: marketplaces, allowlists and snapshots, or governance that weights votes by NFT holdings. Because every later balance update in these versions is also unchecked arithmetic, the counter stays off by one from the account's true holdings for the life of the contract (modulo 2**256, so it reads either as a huge number or as one less than the real count). The impact is limited to collections that minted a batch of size 1, and token ownership as reported by ownerOf is not affected [4].
Mitigation
The issue is patched in version 4.8.2 of the @openzeppelin/contracts and @openzeppelin/contracts-upgradeable packages; upgrade to 4.8.2 or later. No workarounds are available for affected versions [1][4]. The fix is included in commit 167bf67ed3907f4a674043496019fa346cee7705 [3]. Note that upgrading the dependency only helps contracts that have not yet been deployed: since consecutive minting is restricted to the constructor, a non-upgradeable contract compiled against 4.8.0 or 4.8.1 that minted a size-1 batch carries the wrong balance permanently and can only be fixed by redeploying.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| @openzeppelin/contracts | npm | >= 4.8.0, < 4.8.2 | 4.8.2 |
| @openzeppelin/contracts-upgradeable | npm | >= 4.8.0, < 4.8.2 | 4.8.2 |
Affected products (3)
- ghsa-coords: 2 versions (>= 4.8.0, < 4.8.2 and 1 more)
- (no CPE): range >= 4.8.0, < 4.8.2
- (no CPE): range >= 4.8.0, < 4.8.2
- OpenZeppelin/openzeppelin-contracts (v5): range >= 4.8.0, < 4.8.2
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (5)
- [1] https://github.com/advisories/GHSA-878m-3g6q-594q (ghsa, ADVISORY)
- [2] https://nvd.nist.gov/vuln/detail/CVE-2023-26488 (ghsa, ADVISORY)
- [3] https://github.com/OpenZeppelin/openzeppelin-contracts/commit/167bf67ed3907f4a674043496019fa346cee7705 (ghsa, x_refsource_MISC, WEB)
- [4] https://github.com/OpenZeppelin/openzeppelin-contracts/releases/tag/v4.8.2 (ghsa, x_refsource_MISC, WEB)
- [5] https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-878m-3g6q-594q (ghsa, x_refsource_CONFIRM, WEB)
News mentions (0)
No linked articles in our index yet.