Forced feeCollector update during ownership transfer leads to potential fee misdirection

Both transferOwnership() and rotateToPublicKey() automatically overwrite feeCollector with the new owner address as a side effect of transferring ownership. There is no way to transfer ownership without also redirecting all protocol fees.

Vulnerable Scenario

1. The owner has feeCollector set to a dedicated fee-receiving address (e.g., a multisig or treasury).
2. The owner calls rotateToPublicKey() to rotate to the next key in the pre-rotation chain.
3. feeCollector is silently overwritten to latest.prerotatedKeyHash at line 754, before transferOwnership() overwrites it again at line 203.
4. All protocol fees now flow to the new owner address instead of the dedicated treasury.
5. The new owner must immediately call setFeeCollector() to restore the intended fee destination, creating a race window where fees can be misdirected.

Protocol fees are silently redirected to the new owner address on every ownership transfer or key rotation. If the new owner is not monitoring for this, fees accumulate in an unintended address. During the window between ownership transfer and a corrective setFeeCollector() call, any wrap/unwrap operations will send fees to the wrong destination.

Decouple the feeCollector update from ownership transfer. Remove feeCollector = newOwner from transferOwnership() and feeCollector = latest.prerotatedKeyHash from rotateToPublicKey(). If automatic fee redirection is desired, make it opt-in via a separate parameter or a dedicated function call after the transfer.

YadaCoin, Confirmed. Removed the feeCollector state variable entirely. Fees now flow directly to owner(), eliminating the forced overwrite issue.

Zealynx, Fixed. Confirmed the removal of feeCollector resolves the fee misdirection vector. Fresh deployment strategy addresses any storage layout concerns from the refactor.