NEST Token Facts

Integral to the game economy — bounded by a hard supply cap

NEST is not a fixed-supply memecoin. It is the reward and utility token of an active on-chain game. Minting is the mechanism by which the game distributes yield to players and stakers — it is intentional by design.

Currently the MINTER_ROLE is held by two bounded smart contracts: the verified YieldDistributor, which requires a valid off-chain EIP-712 signature before issuing any tokens, and the GameController, which mints only as a direct result of gameplay actions. Neither contract is an upgradeable proxy — their mint logic is fixed in bytecode and cannot be changed.

The admin can rotate which contracts hold MINTER_ROLE. This is necessary to support future protocol upgrades, such as replacing a distributor contract. Any such change is an on-chain transaction, publicly visible on BaseScan before it takes effect.

The hard ceiling is enforced by ERC20Capped in the token contract itself. The 21,000,000 NEST maximum supply cannot be changed by admin action, contract upgrade, or any other mechanism — it is set in the constructor and has no setter. Every mint call, from any address, reverts if it would push total supply past this cap.

Operational custody — transparent and bounded

The DEFAULT_ADMIN_ROLE is held by two protocol wallets. It is worth being specific about what this role can and cannot do.

It cannot: modify any user's token balance, transfer funds from user wallets, bypass or raise the 21M supply cap, or change the bytecode logic of any deployed contract.

It can: grant or revoke operational roles such as MINTER_ROLE (for example, to point to an upgraded distributor contract) or SIGNER_ROLE (for example, to rotate a compromised yield signer). On the GameController, it can update fee amounts, fee receivers, and upgrade success probabilities — all parameters necessary for game balance and protocol maintenance. On the YieldDistributor, it can adjust the burn and LP allocation percentages within a hard-coded maximum of 5% each.

The admin role is intentionally not renounced. Renouncing admin on a live protocol with active fee logic, yield flows, and emergency response requirements would permanently prevent any future fix — including the ability to respond to an exploit. The expected pattern for credibly neutral protocols at this stage is transparent admin with all changes on-chain, not renounced admin with frozen parameters.

Every admin action is an on-chain transaction with a public event log. Nothing can change silently.

Emergency defence — already used against real bot attacks

The NEST token implements ERC20Pausable. This is not a mechanism for rug-pulling or blocking sales — a paused token prevents all transfers, including purchases, meaning it cannot be used selectively against sellers.

The pause capability exists for one reason: coordinated bot attacks on the protocol have already happened. During free-mint events on the NEST NFT collection, the team detected and blocked two separate waves of automated wallet spam targeting the minting contract. The blacklist system in the app and the contract-level pause are the two tools that allowed the team to respond without user losses.

Pause is a last-resort emergency brake, not a routine operation. Its use would be visible immediately on-chain and in the app. The PAUSER_ROLE is held by the same admin wallets listed above — not by any automated system or third party.

For context: ERC20Pausable is a standard OpenZeppelin extension used by USDC, DAI, and most enterprise-grade token contracts precisely because the absence of an emergency stop is itself a security risk in adversarial environments.