Upgrades

V1 was leaking the TTT FeeSplitter 30% holder share. The proxy had no code path to claim it, so accrued rewards transferred to NFT buyers on every sale. V1.1 captures it. Plus six smaller operational fixes.

Initial design, Option B pivot after re-reading TTT whitepaper §8, inventory audit, post-deploy verification. Final verdict: bytecode matches reviewed source, all V1 state preserved across upgrade, inventory storage coherent, no surprise drains.

what shipped

• claimHolderRewards(): permissionless FeeSplitter claim
  Anyone can call claimHolderRewards(tokenIds). Caller gets min(received × 1%, syncReward) as a bounty; the remainder routes to ethToTwap (the buyback bucket). Fixes V1's active reward leak.
• pendingHolderRewards(): total pending across held NFTs
  Free RPC read. Iterates every TTT NFT the proxy holds and sums FeeSplitter.pending(tokenId). Surfaces the leak that V1 made invisible.
• Held-inventory tracking
  Contract maintains its own held-tokenIds array since TTT collection doesn't implement ERC721Enumerable. New view: heldTokenIds(), heldTokenCount(). Owner-only addHeldInventory() reconciles in case anyone donates an NFT via plain transferFrom (bypasses onERC721Received).
• buyTargetNFT + createSeaportListing restricted
  Both now require owner/manager. Closes the PNKSTR-class griefing vector where a random caller could drain currentFees into a predatorily-priced or compromised marketplace. Optional bounded keeperRefund (≤ 0.0005 ETH per call) self-funds the keeper.
• renounceOwnership disabled
  Overridden to revert. Removes the irreversible-footgun ability to permanently lose owner control. Multisig + freezeUpgrades remains the path to immutability.
• Tighter burn invariants
  setBurnConfig + setBurnReward + buyAndBurn now enforce minBurnThreshold > burnReward AND minBurnThreshold ≤ burnIncrement AND burnAmount > 0. Prevents zero-amount no-op forwards.
• setEnsName(string): proxy ENS reverse-resolution
  Owner-only call to ENS reverse registrar. Lets the proxy reverse-resolve to a human-readable name (e.g. burntoken.eth) on Etherscan and wallet UIs.

Initial launch. Strategy contract burned TTT NFT #9099, became the launcher of $BURN, started receiving 50% of $BURN swap fees as ETH. Buy-and-burn flywheel proven end-to-end same day.

what shipped

• Burn-to-launch
  burnTTTAndLaunch() burned the seed TTT NFT and activated $BURN. The proxy is recorded as the launcher in $BURN's bytecode permanently.
• buyTargetNFT: acquire TTT NFTs from marketplaces
  Was permissionless in V1 (later restricted in V1.1). Buys whitelisted-marketplace TTT NFTs using currentFees ETH, lists them on Seaport at a markup.
• buyAndBurn: TTT-native lock-as-burn (whitepaper §8)
  Permissionless. Forwards ETH to the $BURN contract's buyback reservoir. The TTT-native $BURN.buyback() then handles the V4 swap and locks the purchased $BURN at the $BURN contract address. 'Structurally inert, never distributed, never released' per whitepaper §8.
• syncOrderStatus + createSeaportListing: Seaport plumbing
  Permissionless settlement detection (paid syncReward bounty on success). Auto-list on Seaport when an NFT is acquired.
• Upgrade governance
  UUPS proxy. 90-day upgrade window, owner-only _authorizeUpgrade, freezeUpgrades() one-way switch, extendUpgradeDeadline() bounded extension. Designed so the operator can ship fixes early but the door closes hard.