fix(protocol): add access control to BridgedERC20Base.burn (TKO-08 )

packages/protocol/contracts/tokenvault/BridgedERC20Base.sol

@@ -66,6 +66,7 @@ abstract contract BridgedERC20Base is EssentialContract, IBridgedERC20 {
 
     function burn(address account, uint256 amount) public nonReentrant whenNotPaused {
         if (migratingAddress != address(0) && !migratingInbound) {
+            if (msg.sender != account) revert BB_PERMISSION_DENIED();
             // Outbond migration
             emit MigratedTo(migratingAddress, account, amount);
             // Ask the new bridged token to mint token for the user.

packages/protocol/test/tokenvault/BridgedERC20.t.sol

@@ -88,8 +88,22 @@ contract TestBridgedERC20 is TaikoTest {
         vm.expectRevert();
         oldToken.mint(Bob, 10);
 
-        // 2. burning can be done by anyone
+        // 2. burning can NOT be done by anyone
         vm.prank(randAddress());
+        vm.expectRevert();
+        oldToken.burn(Bob, 10);
+
+        // including the owners
+        vm.prank(oldToken.owner());
+        vm.expectRevert();
+        oldToken.burn(Bob, 10);
+
+        vm.prank(newToken.owner());
+        vm.expectRevert();
+        oldToken.burn(Bob, 10);
+
+        // but can be done by the token owner
+        vm.prank(Bob);
         oldToken.burn(Bob, 10);
         assertEq(oldToken.balanceOf(Bob), 90);
         assertEq(newToken.balanceOf(Bob), 210);