feat: imt_mint/imt_burn intents

.github/workflows/ci.yml

@@ -162,7 +162,7 @@ jobs:
         with:
           cache: false
       - name: Install cargo-audit
-        run: cargo install cargo-audit --version "^0.21" --locked
+        run: cargo install cargo-audit --version "^0.22" --locked
       - uses: rustsec/[email protected]
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -188,7 +188,8 @@ jobs:
       - name: Install Cargo Plugins
         run: cargo install cargo-audit --locked
       - name: Run security audit
-        run: cargo audit --deny unsound --deny yanked
+        # TODO: ignoring lru vulnerability in near-sdk, remove when fixed
+        run: cargo audit --deny unsound --deny yanked --ignore RUSTSEC-2026-0002
         # run: cargo audit --deny warnings  # Warnings include: unmaintained, unsound and yanked
 
   contract_analysis:

Makefile.toml

@@ -40,7 +40,7 @@ args = [
     "--manifest-path",
     "./defuse/Cargo.toml",
     "--features",
-    "abi,contract",
+    "abi,contract,imt",
     "--out-dir",
     "${TARGET_DIR}",
     "--no-embed-abi",

core/Cargo.toml

@@ -55,6 +55,7 @@ arbitrary = [
     "defuse-token-id/arbitrary",
     "defuse-ton-connect/arbitrary",
 ]
+imt = ["defuse-token-id/imt"]
 
 [target.'cfg(not(target_arch = "wasm32"))'.dependencies]
 chrono = { workspace = true, features = ["now"] }

core/src/engine/state/cached.rs

@@ -374,6 +374,26 @@ where
 
         Ok(())
     }
+
+    #[inline]
+    fn mt_mint(
+        &mut self,
+        owner_id: AccountId,
+        tokens: Amounts,
+        _memo: Option<String>,
+    ) -> Result<()> {
+        self.internal_add_balance(owner_id, tokens)
+    }
+
+    #[inline]
+    fn mt_burn(
+        &mut self,
+        signer_id: &AccountIdRef,
+        tokens: Amounts,
+        _memo: Option<String>,
+    ) -> Result<()> {
+        self.internal_sub_balance(signer_id, tokens)
+    }
 }
 
 #[derive(Debug, Default)]

core/src/engine/state/deltas.rs

@@ -213,6 +213,26 @@ where
     fn auth_call(&mut self, signer_id: &AccountIdRef, auth_call: AuthCall) -> Result<()> {
         self.state.auth_call(signer_id, auth_call)
     }
+
+    #[inline]
+    fn mt_mint(
+        &mut self,
+        owner_id: AccountId,
+        tokens: Amounts,
+        memo: Option<String>,
+    ) -> Result<()> {
+        self.state.mt_mint(owner_id, tokens, memo)
+    }
+
+    #[inline]
+    fn mt_burn(
+        &mut self,
+        signer_id: &AccountIdRef,
+        tokens: Amounts,
+        memo: Option<String>,
+    ) -> Result<()> {
+        self.state.mt_burn(signer_id, tokens, memo)
+    }
 }
 
 /// Accumulates internal deposits and withdrawals on different tokens

core/src/engine/state/mod.rs

@@ -127,4 +127,14 @@ pub trait State: StateView {
     fn set_auth_by_predecessor_id(&mut self, account_id: AccountId, enable: bool) -> Result<bool>;
 
     fn auth_call(&mut self, signer_id: &AccountIdRef, auth_call: AuthCall) -> Result<()>;
+
+    fn mt_mint(&mut self, owner_id: AccountId, tokens: Amounts, memo: Option<String>)
+    -> Result<()>;
+
+    fn mt_burn(
+        &mut self,
+        signer_id: &AccountIdRef,
+        tokens: Amounts,
+        memo: Option<String>,
+    ) -> Result<()>;
 }

core/src/error.rs

@@ -75,4 +75,7 @@ pub enum DefuseError {
 
     #[error("maximum attempts to generate a new salt reached")]
     SaltGenerationFailed,
+
+    #[error("only IMT tokens can be burned")]
+    OnlyImtTokensCanBeBurned,
 }

core/src/events.rs

@@ -54,6 +54,13 @@ pub enum DefuseEvent<'a> {
     #[event_version("0.3.0")]
     StorageDeposit(Cow<'a, [IntentEvent<AccountEvent<'a, Cow<'a, StorageDeposit>>>]>),
 
+    #[event_version("0.3.0")]
+    #[cfg(feature = "imt")]
+    ImtMint(Cow<'a, [IntentEvent<AccountEvent<'a, Cow<'a, crate::intents::imt::ImtMint>>>]>),
+
+    #[event_version("0.3.0")]
+    #[cfg(feature = "imt")]
+    ImtBurn(Cow<'a, [IntentEvent<AccountEvent<'a, Cow<'a, crate::intents::imt::ImtBurn>>>]>),
     #[event_version("0.3.0")]
     #[from(skip)]
     AccountLocked(AccountEvent<'a, ()>),

core/src/intents/imt.rs

@@ -0,0 +1,142 @@
+use std::{borrow::Cow, collections::BTreeMap};
+
+use defuse_token_id::TokenId;
+use near_sdk::{AccountId, AccountIdRef, CryptoHash, near};
+use serde_with::{DisplayFromStr, serde_as};
+
+use crate::{
+    DefuseError, Result,
+    accounts::AccountEvent,
+    amounts::Amounts,
+    engine::{Engine, Inspector, State},
+    events::DefuseEvent,
+    intents::tokens::NotifyOnTransfer,
+};
+
+use super::{ExecutableIntent, IntentEvent};
+
+#[near(serializers = [borsh, json])]
+#[derive(Debug, Clone)]
+/// Mint a set of tokens from the signer to a specified account id, within the intents contract.
+pub struct ImtMint {
+    pub receiver_id: AccountId,
+
+    // The tokens transferred in this call will be wrapped
+    // in such a way as to bind the token ID to the minter authority.
+    // The final string representation of the token
+    // will be as follows: `imt:<minter_id>:<token_id>`
+    #[serde_as(as = "Amounts<BTreeMap<_, DisplayFromStr>>")]
+    pub tokens: ImtTokens,
+
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub memo: Option<String>,
+
+    /// Optionally notify receiver_id via `mt_on_transfer()`
+    ///
+    /// NOTE: `min_gas` is adjusted with following values:
+    /// * default: 30TGas
+    /// * minimum: 5TGas
+    #[serde(flatten, default, skip_serializing_if = "Option::is_none")]
+    pub notification: Option<NotifyOnTransfer>,
+}
+
+impl ExecutableIntent for ImtMint {
+    #[inline]
+    fn execute_intent<S, I>(
+        self,
+        signer_id: &AccountIdRef,
+        engine: &mut Engine<S, I>,
+        intent_hash: CryptoHash,
+    ) -> Result<()>
+    where
+        S: State,
+        I: Inspector,
+    {
+        engine
+            .inspector
+            .on_event(DefuseEvent::ImtMint(Cow::Borrowed(
+                [IntentEvent::new(
+                    AccountEvent::new(signer_id, Cow::Borrowed(&self)),
+                    intent_hash,
+                )]
+                .as_slice(),
+            )));
+
+        let tokens = self.tokens.into_generic_tokens(signer_id);
+
+        engine
+            .state
+            .mt_mint(self.receiver_id.clone(), tokens.clone(), self.memo)?;
+
+        if let Some(notification) = self.notification {
+            engine
+                .state
+                .notify_on_transfer(signer_id, self.receiver_id, tokens, notification);
+        }
+
+        Ok(())
+    }
+}
+
+#[near(serializers = [borsh, json])]
+#[derive(Debug, Clone)]
+/// Burn a set of tokens minted by signer, within the intents contract.
+pub struct ImtBurn {
+    // The tokens burned in this call should be wrapped
+    // as Imt tokens bounded to the minter authority
+    // as follows: `imt:<minter_id>:<token_id>`
+    #[serde_as(as = "Amounts<BTreeMap<_, DisplayFromStr>>")]
+    pub tokens: Amounts,
+
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub memo: Option<String>,
+}
+
+impl ExecutableIntent for ImtBurn {
+    #[inline]
+    fn execute_intent<S, I>(
+        self,
+        signer_id: &AccountIdRef,
+        engine: &mut Engine<S, I>,
+        intent_hash: CryptoHash,
+    ) -> Result<()>
+    where
+        S: State,
+        I: Inspector,
+    {
+        engine
+            .inspector
+            .on_event(DefuseEvent::ImtBurn(Cow::Borrowed(
+                [IntentEvent::new(
+                    AccountEvent::new(signer_id, Cow::Borrowed(&self)),
+                    intent_hash,
+                )]
+                .as_slice(),
+            )));
+
+        self.tokens
+            .iter()
+            .all(|(token, _)| matches!(token, TokenId::Imt(_)))
+            .then_some(())
+            .ok_or(DefuseError::OnlyImtTokensCanBeBurned)?;
+
+        engine.state.mt_burn(signer_id, self.tokens, self.memo)
+    }
+}
+
+pub type ImtTokens = Amounts<BTreeMap<defuse_nep245::TokenId, u128>>;
+
+impl ImtTokens {
+    fn into_generic_tokens(self, minter_id: &AccountIdRef) -> Amounts<BTreeMap<TokenId, u128>> {
+        Amounts::new(
+            self.iter()
+                .map(|(token_id, amount)| {
+                    let token =
+                        defuse_token_id::imt::ImtTokenId::new(minter_id, token_id.to_string())
+                            .into();
+                    (token, *amount)
+                })
+                .collect(),
+        )
+    }
+}

core/src/intents/mod.rs

@@ -1,5 +1,7 @@
 pub mod account;
 pub mod auth;
+#[cfg(feature = "imt")]
+pub mod imt;
 pub mod token_diff;
 pub mod tokens;
 
@@ -68,6 +70,14 @@ pub enum Intent {
 
     /// See [`AuthCall`]
     AuthCall(AuthCall),
+
+    // See [`ImtMint`]
+    #[cfg(feature = "imt")]
+    ImtMint(crate::intents::imt::ImtMint),
+
+    // See [`ImtBurn`]
+    #[cfg(feature = "imt")]
+    ImtBurn(crate::intents::imt::ImtBurn),
 }
 
 pub trait ExecutableIntent {
@@ -125,6 +135,10 @@ impl ExecutableIntent for Intent {
                 intent.execute_intent(signer_id, engine, intent_hash)
             }
             Self::AuthCall(intent) => intent.execute_intent(signer_id, engine, intent_hash),
+            #[cfg(feature = "imt")]
+            Self::ImtMint(intent) => intent.execute_intent(signer_id, engine, intent_hash),
+            #[cfg(feature = "imt")]
+            Self::ImtBurn(intent) => intent.execute_intent(signer_id, engine, intent_hash),
         }
     }
 }

core/src/intents/token_diff.rs

@@ -206,9 +206,12 @@ impl TokenDiff {
         match token_id {
             TokenIdType::Nep141 => {}
             TokenIdType::Nep245 if amount > 1 => {}
-
             // do not take fees on NFTs and MTs with |delta| <= 1
             TokenIdType::Nep171 | TokenIdType::Nep245 => return Pips::ZERO,
+            #[cfg(feature = "imt")]
+            TokenIdType::Imt if amount > 1 => {}
+            #[cfg(feature = "imt")]
+            TokenIdType::Imt => return Pips::ZERO,
         }
         fee
     }

core/src/intents/tokens.rs

@@ -39,6 +39,8 @@ pub struct NotifyOnTransfer {
 }
 
 impl NotifyOnTransfer {
+    pub const MT_ON_TRANSFER_GAS_MIN: Gas = Gas::from_tgas(5);
+
     pub const fn new(msg: String) -> Self {
         Self {
             state_init: None,
@@ -79,11 +81,6 @@ pub struct Transfer {
     pub notification: Option<NotifyOnTransfer>,
 }
 
-impl Transfer {
-    pub const MT_ON_TRANSFER_GAS_MIN: Gas = Gas::from_tgas(5);
-    pub const MT_ON_TRANSFER_GAS_DEFAULT: Gas = Gas::from_tgas(30);
-}
-
 impl ExecutableIntent for Transfer {
     fn execute_intent<S, I>(
         self,
@@ -123,13 +120,7 @@ impl ExecutableIntent for Transfer {
             .state
             .internal_add_balance(self.receiver_id.clone(), self.tokens.clone())?;
 
-        if let Some(mut notification) = self.notification {
-            notification.min_gas = Some(
-                notification
-                    .min_gas
-                    .unwrap_or(Self::MT_ON_TRANSFER_GAS_DEFAULT)
-                    .max(Self::MT_ON_TRANSFER_GAS_MIN),
-            );
+        if let Some(notification) = self.notification {
             engine
                 .state
                 .notify_on_transfer(sender_id, self.receiver_id, self.tokens, notification);

defuse/Cargo.toml

@@ -51,7 +51,7 @@ container_build_command = [
     "build",
     "non-reproducible-wasm",
     "--locked",
-    "--features=abi,contract",
+    "--features=abi,contract,imt",
     "--no-embed-abi",
 ]
 
@@ -72,6 +72,7 @@ sandbox = [
     "dep:defuse-sandbox",
     "dep:defuse-test-utils",
 ]
+imt = ["defuse-core/imt"]
 
 [dev-dependencies]
 defuse-core = { workspace = true, features = ["arbitrary"] }

defuse/src/accounts.rs

@@ -1,4 +1,4 @@
-use std::collections::HashSet;
+use std::collections::{HashMap, HashSet};
 
 use defuse_core::{Nonce, crypto::PublicKey};
 use defuse_serde_utils::base64::AsBase64;
@@ -82,4 +82,15 @@ pub trait ForceAccountManager: AccessControllable {
     ///
     /// NOTE: MUST attach 1 yⓃ for security purposes.
     fn force_enable_auth_by_predecessor_ids(&mut self, account_ids: Vec<AccountId>);
+
+    /// Registers or re-activates `public_key` under the user account_id.
+    ///
+    /// NOTE: MUST attach 1 yⓃ for security purposes.
+    fn force_add_public_keys(&mut self, public_keys: HashMap<AccountId, HashSet<PublicKey>>);
+
+    /// Deactivate `public_key` from the user account_id,
+    /// i.e. this key can't be used to make any actions unless it's re-created.
+    ///
+    /// NOTE: MUST attach 1 yⓃ for security purposes.
+    fn force_remove_public_keys(&mut self, public_keys: HashMap<AccountId, HashSet<PublicKey>>);
 }