The Hacken 2025 Yearly Security ReportCovers major Web3 breaches, their root causes, prevention insights, and key regulatory trends for 2026.
Learn more

Vault Hill

Audit name:

[SCA] Vault Hill | ERC-1155 | Aug2022

Date:

Sep 19, 2022

Table of Content

Introduction
Audit Summary
Document Information
System Overview
Executive Summary
Risks
Findings
Appendix 1. Severity Definitions
Appendix 2. Scope
Disclaimer

Want a comprehensive audit report like this?

Introduction

We express our gratitude to the Vault Hill team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.

Vault Hill aims to create a metaverse called Vault Hill City (VHC) – a collection of virtual shared spaces, including the sum of all virtual worlds and the Internet.

titlecontent
PlatformEVM
LanguageSolidity
TagsERC-1151
Timeline29/08/2022 - 22/09/2022
Methodologyhttps://hackenio.cc/sc_methodology

    Review Scope

    Repositoryhttps://github.com/Vault-Hill/VHC1155
    Commitcc44701a9179cb9480a18b17aa93d9c4552700c3

    Audit Summary

    Total9.8/10
    Security Score

    10/10

    Test Coverage

    8/10

    Code Quality Score

    10/10

    Documentation Quality Score

    10/10

    5Total Findings
    4Resolved
    0Accepted
    1Mitigated

    The system users should acknowledge all the risks summed up in the risks section of the report

    Document Information

    This report may contain confidential information about IT systems and the intellectual property of the Customer, as well as information about potential vulnerabilities and methods of their exploitation.

    The report can be disclosed publicly after prior consent by another Party. Any subsequent publication of this report shall be without mandatory consent.

    Document

    NameSmart Contract Code Review and Security Analysis Report for Vault Hill
    Audited ByHacken
    Websitehttps://www.vaulthill.io
    Changelog31/08/2022 - Initial Review
    22/09/2022 - Second Review

    • Document

      Name
      Smart Contract Code Review and Security Analysis Report for Vault Hill
      Audited By
      Hacken
      Website
      https://www.vaulthill.io
      Changelog
      31/08/2022 - Initial Review
      22/09/2022 - Second Review

    System Overview

    Vault Hill aims to create a metaverse called Vault Hill City (VHC) – a collection of virtual shared spaces, including the sum of all virtual worlds and the Internet. In VHC, users can interact with computer-generated imagery (CGI) and other users. It consists of the following contracts:

    • VHC1155  — the contract that implements ERC1155 and ERC2981 standards. It allows users to mint tokens without limits.

    • ERC2981Base —  the contract used to add ERC2981 support to ERC-721 and ERC-1155.

    • ExposedVHC1155 - the contract that extends VHC1155 and allows to retrieve token owner by index.

    • ERC2981PerTokenRoyalties - the contract used to add ERC-2981 support to ERC-721 and ERC-1155, allowing for royalties to be set on a per token ID basis.

    Privileged roles

    • The owner of the VHC1155 contract can change token URIs.

    Executive Summary

    Documentation quality

    The total Documentation quality score is 10 out of 10.

    • Functional and technical requirements are provided and cover the scope of the audit.

    Code quality

    The total Code quality score is 10 out of 10.

    • Deployment and user interactions are covered with tests.

    • Test coverage is 96.43%.

    Architecture quality

    The Architecture quality score is 8 out of 10.

    • Code follows the single responsibility principle, well-formatted and organized.

    • It is recommended to use standardized interfaces from OpenZeppelin instead of copy-pasting them into the code.

    Security score

    Upon auditing, the code was found to contain 0 critical, 0 high, 1 medium, and 4 low severity issues. Out of these, 4 issues have been addressed and resolved, leading to a Security score of 10 out of 10.

    All identified issues are detailed in the “Findings” section of this report.

    Summary

    The comprehensive audit of the customer's smart contract yields an overall score of 9.8. This score reflects the combined evaluation of documentation, code quality, architecture quality, and security aspects of the project.

    Scoring Methodologyarrow right

    Risks

    No risks were found.

    Findings

    Code
    Title
    Status
    Severity
    F-2022-1802Invalid calculations
    mitigated

    Medium
    F-2022-1806Missing validation
    fixed

    Low
    F-2022-1805Duplicate code
    fixed

    Low
    F-2022-1804Public functions could be declared external
    fixed

    Low
    F-2022-1803Floating Pragma
    fixed

    Low
    1-5 of 5 findings

    Identify vulnerabilities in your smart contracts.

    Appendix 1. Severity Definitions

    When auditing smart contracts, Hacken is using a risk-based approach that considers Likelihood, Impact, Exploitability and Complexity metrics to evaluate findings and score severities.

    Reference on how risk scoring is done is available through the repository in our Github organization:

    Severity

    Description

    Critical
    		Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation.

    High
    		High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation.

    Medium
    		Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category.

    Low
    		Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution, do not affect security score but can affect code quality score.

    • Severity

      Critical

      Description

      Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation.

      Severity

      High

      Description

      High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation.

      Severity

      Medium

      Description

      Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category.

      Severity

      Low

      Description

      Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution, do not affect security score but can affect code quality score.

    Appendix 2. Scope

    The scope of the project includes the following smart contracts from the provided repository:

    Scope Details

    Repositoryhttps://github.com/Vault-Hill/VHC1155
    Commitcc44701a9179cb9480a18b17aa93d9c4552700c3
    WhitepaperProvided
    RequirementsProvided
    Technical RequirementsProvided

    Contracts in Scope

    interfaces
    IERC2981Royalties.sol - interfaces › IERC2981Royalties.sol
    contracts
    ERC2981Base.sol - contracts › ERC2981Base.sol
    ExposedVHC1155.sol - contracts › ExposedVHC1155.sol
    ERC2981PerTokenRoyalties.sol - contracts › ERC2981PerTokenRoyalties.sol
    VHC1155.sol - contracts › VHC1155.sol

    Disclaimer