Security model (#247)
* Security model

* Update spec.md

* Adds more minter details
gigamesh committed Sep 21, 2022
1 parent 3781904 commit 2bf6e58
Showing 1 changed file with 53 additions and 0 deletions.
53 changes: 53 additions & 0 deletions spec.md
Expand Up @@ -106,3 +106,56 @@ Features:
The minter modules are designed with extensibility in mind in order to allow innovation around token distribution for artists. There are no mandated properties of a custom minter although we recommend all custom minters implement `BaseMinter`. This contains base functionality that allows for Pausability, Affiliate and platform fees, and IERC165 support.

Additionally for NFTs based on the `SoundEditionV1` implementation, the edition owner needs to grant `MINTER_ROLE` permissions to the minter contract.

## Security model

This section describes, from a security perspective, the expected behavior of the system.

### Actors
- **SoundFeeRegistry owner** -
- The owner of the SoundFeeRegistry contract.
- Can update the protocol fee and recipient address.
- **SoundCreatorV1 owner** -
- The owner of the SoundCreatorV1 contract.
- Can change the SoundEdition implementation used by the edition proxies.
- **SoundEditionV1 owner**:
- The owner of the edition contract.
- Can assign role privileges to other accounts (e.g. `ADMIN_ROLE`, `MINTER_ROLE`), mint and airdrop tokens directly from the edition, and set all the settable parameters on the edition and minter contracts.
- **SoundEditionV1 admin**:
- An account that has been granted `ADMIN_ROLE` by the edition owner.
- They can perform all the edition-level actions that the owner can perform such as setting edition & minter contract parameters.
- They cannot assign role privileges or change the owner.
- **SoundEditionV1 funding recipient**:
- An account assigned as `fundingRecipient` on the edition, enabling it to receive withdrawn ETH from the edition.
- Only one account can be assigned as the funding recipient at a time.
- **Minter**:
- An account that has been granted `MINTER_ROLE` by the edition owner.
- Can mint tokens from the edition contract.
- **Affiliate**:
- An account assigned by the edition owner or admin, that receives a portion of the primary sales.
- It is set by passing an affiliate address to a minter contract's `mint` funtion.
- **Buyer**:
- An account that purchases a token from the edition contract.
- The term "Buyer" is irrespective of price, as mint configurations can be set with price of zero.

### Trust model
No contracts in the prevailing Sound Protocol are upgradeable, therefore trust assumptions are minimized. However, given that the protocol is designed to be modular and permissionless, and is intended to give edition owners maximum flexibility, there are some important points to consider:
- The `SoundEditionV1` owner and admins can change edition parameters after an edition has been deployed:
- `fundingRecipient` - Account that receives ETH withdrawn from the edition. The funding recipient can be set to a contract address, the security of which is not guaranteed by the Sound Protocol. However, in this case the trust assumptions are limited to the artist and any other parties with whom they are splitting revenue.
- `baseURI` - Location of the metadata of the edition, which can be changed if the metadata is not in a frozen state.
- `metadataModule` - Module used to override the default edition metadata functionality, which can be changed if the metadata is not in a frozen state.
- `royaltyBPS` - The royalty percentage paid to the funding recipient from secondary sales, used by marketplaces that support EIP-2981 royalties.
- `editionMaxMintableRange` - The values representing the mintable range can only be reduced and never increased.
- `cutoffTime` - This is a time threshold that is used to conditionally determine the maximum mintable quantity, and can be changed only if the minting hasn't concluded.
- `mintRandomness` - A random number generated with each mint & used for game mechanics like the Sound Golden Egg. It can only be enabled or disabled if no tokens have been minted.
- The `SoundCreatorV1` can be set to a different edition implementation at any time, which may have different trust assumptions. Changing the edition implementation does not impact editions which have already been deployed.
- The edition owner or admins can change the following paramters on the minter modules:
- Time values (`startTime`, `cutoffTime`, `endTime`)
- `paused` - Whether a given mint schedule is paused or not.
- `affiliateFeeBPS` - The affiliate fee percentage paid to the affiliate address from primary sales.
- `price` - The price of the token in ETH.
- `maxMintablePerAccount` - The maximum number of tokens that can be minted by a single account.
- The mintable quantity for a given mint schedule.
- `signer` - The signer address used to authorizing minting (only applies to `FixedPriceSignatureMinter`).
- `merkleRootHash` - The root hash of the merkle tree of accounts allowed to mint (only applies to `MerkleDropMinter`).
- Minter or metadata modules deployed in the future may have different trust assumptions than existing minter contracts.
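
Review bot: The **Affiliate** entry under "Actors" gives two different answers to who chooses the affiliate: its first bullet says the account is "assigned by the edition owner or admin", while the second says it is set by passing an affiliate address to a minter contract's `mint` function, which reads as the caller's choice. A security model should state plainly who controls that address, and whether the owner and admins control anything about affiliates beyond `affiliateFeeBPS`. In "Trust model", `fundingRecipient` and `royaltyBPS` are listed with no condition on when they may change, unlike `baseURI`, `editionMaxMintableRange`, `cutoffTime` and `mintRandomness`; if they can be changed at any time, say so explicitly, since both redirect funds. Smaller points: "funtion", "paramters" and "used to authorizing minting" are typos, and the actor headings mix a trailing " -" (first two entries) with ":" (the rest).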
