Omniscia Brickken Protocol Audit

Brickken Manual Review Findings

BRI-01M: Mismatch of Project Specification

Description:

The project specification states that "It (the token) is mintable and burnable through Governance", yet no such restriction is imposed in the codebase: a flexible RBAC (Role Based Access Control) scheme is utilized instead, with the minter and burner roles initially assigned to the deploying account.

Example:

contracts/brickken/Brickken.sol
constructor() ERC20("Brickken", "BKN") ERC20Permit("Brickken") {
    _setupRole(DEFAULT_ADMIN_ROLE, msg.sender);
    _setupRole(MINTER_ROLE, msg.sender);
    _setupRole(BURNER_ROLE, msg.sender);
}

/**
 * @dev Destroys `amount` tokens from the caller.
 *
 * See {ERC20-_burn}.
 */
function burn(uint256 amount) public onlyRole(BURNER_ROLE) {
    _burn(_msgSender(), amount);
}

Recommendation:

Should the governance implementation not be in place yet, we advise that the project's documentation be updated to reflect this fact. Alternatively, we advise that the role definitions of the system be overhauled: the MINTER_ROLE and BURNER_ROLE definitions should be combined into a single role, and the grantRole function of the system should be overridden so that this role can be assigned only once, thereby decentralizing the project.
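The alternative recommendation above, a single combined role that can be granted exactly once, is sketched below as an added illustration. This is not Brickken's code and not part of the audited codebase; it assumes OpenZeppelin Contracts 4.x (the version whose _setupRole helper the audited constructor uses), the draft-ERC20Permit import path of that version, and a hypothetical role name GOVERNANCE_ROLE chosen for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed dependency: OpenZeppelin Contracts 4.x (draft-ERC20Permit path).
import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import "@openzeppelin/contracts/token/ERC20/extensions/draft-ERC20Permit.sol";
import "@openzeppelin/contracts/access/AccessControl.sol";

// Example only: minting and burning gated by one role that can be granted once.
contract GovernedToken is ERC20, ERC20Permit, AccessControl {
    // Hypothetical combined role replacing separate MINTER_ROLE / BURNER_ROLE.
    bytes32 public constant GOVERNANCE_ROLE = keccak256("GOVERNANCE_ROLE");

    // Sticky flag: once set it is never cleared, so revoking the role later
    // cannot be used to re-grant it to a different account.
    bool public governanceAssigned;

    constructor() ERC20("Brickken", "BKN") ERC20Permit("Brickken") {
        // The deployer is only an interim admin whose sole job is to hand
        // GOVERNANCE_ROLE to the DAO and then renounce DEFAULT_ADMIN_ROLE.
        _setupRole(DEFAULT_ADMIN_ROLE, msg.sender);
    }

    /// @dev GOVERNANCE_ROLE may be granted exactly once; other roles behave as usual.
    function grantRole(bytes32 role, address account) public virtual override {
        if (role == GOVERNANCE_ROLE) {
            require(!governanceAssigned, "GovernedToken: governance already assigned");
            governanceAssigned = true;
        }
        // super.grantRole still enforces onlyRole(getRoleAdmin(role)).
        super.grantRole(role, account);
    }

    /// @dev Mints to `to`; restricted to the governance role.
    function mint(address to, uint256 amount) external onlyRole(GOVERNANCE_ROLE) {
        _mint(to, amount);
    }

    /// @dev Destroys `amount` tokens from the caller; restricted to the governance role.
    function burn(uint256 amount) external onlyRole(GOVERNANCE_ROLE) {
        _burn(_msgSender(), amount);
    }
}
```

Intended deployment sequence: the deployer calls grantRole(GOVERNANCE_ROLE, daoAddress) once, then renounceRole(DEFAULT_ADMIN_ROLE, deployer), leaving no account able to grant or revoke roles outside the DAO. The trade-off of the sticky flag is that if governance ever renounces or loses the role, mint and burn become permanently unreachable, which is the intended "assigned once" property and should be documented.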

Alleviation:

The Brickken team has stated that the idea behind the contract is to utilize the ADMIN_ROLE, BURNER_ROLE, and MINTER_ROLE as roles assigned to a DAO implementation at a later point in the project's lifetime. Additionally, they have stated that they will update their documentation as a future action.