When ERC1155 tokens are minted, a callback is invoked on the receiver of those tokens, as required by the spec. When including the "ERC1155Supply" extension, total supply is not updated until after the callback, thus during the callback the reported total supply is lower than the real number of tokens in circulation. Impact If a system relies on accurately reported supply, an attacker may be able to mint tokens and invoke that system after receiving the token balance but before the supply is updated. Patches A fix is included in version 4.3.3 of "@openzeppelin/contracts" and "@openzeppelin/contracts-upgradeable". Workarounds If accurate supply is relevant, do not mint tokens to untrusted receivers. Credits The issue was identified and reported by @ChainSecurityAudits. For more information Read "TotalSupply Inconsistency in ERC1155 NFT Tokens" (https://medium.com/chainsecurity/totalsupply-inconsistency-in-erc1155-nft-tokens-8f8e3b29f5aa) by @ChainSecurityAudits for a more detailed breakdown. If you have any questions or comments about this advisory, email us at security@openzeppelin.com.