near · mitinarseny · Jan 27, 2026 · Jan 7, 2026 · Jan 8, 2026 · Jan 8, 2026
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -71,7 +71,7 @@ jobs:
           save-if: ${{ github.ref == 'refs/heads/main' }}
           cache-all-crates: "true" # Yes, it's a string
       - name: Install Cargo Plugins
-        run: cargo install cargo-make cargo-near --locked
+        run: cargo install cargo-make cargo-near@0.17.0 --locked
       - name: Build
         run: cargo make build
       - name: Upload Artifacts
@@ -104,7 +104,7 @@ jobs:
           save-if: ${{ github.ref == 'refs/heads/main' }}
           cache-all-crates: "true" # Yes, it's a string
       - name: Install Cargo Plugins
-        run: cargo install cargo-make cargo-near --locked
+        run: cargo install cargo-make cargo-near@0.17.0 --locked
       - name: Build Reproducible WASM and calculate checksum
         run: cargo make build-reproducible
       - name: Upload Reproducible Artifacts
@@ -162,7 +162,7 @@ jobs:
         with:
           cache: false
       - name: Install cargo-audit
-        run: cargo install cargo-audit --version "^0.21" --locked
+        run: cargo install cargo-audit --version "^0.22" --locked
       - uses: rustsec/audit-check@v2.0.0
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -188,7 +188,8 @@ jobs:
       - name: Install Cargo Plugins
         run: cargo install cargo-audit --locked
       - name: Run security audit
-        run: cargo audit --deny unsound --deny yanked
+        # TODO: ignoring lru vulnerability in near-sdk, remove when fixed
+        run: cargo audit --deny unsound --deny yanked --ignore RUSTSEC-2026-0002
         # run: cargo audit --deny warnings  # Warnings include: unmaintained, unsound and yanked
 
   contract_analysis:

diff --git a/core/Cargo.toml b/core/Cargo.toml
@@ -24,6 +24,7 @@ defuse-token-id = { workspace = true, features = [
     "nep141",
     "nep171",
     "nep245",
+    "dip5"
 ] }
 defuse-ton-connect.workspace = true
 defuse-webauthn.workspace = true

diff --git a/core/src/engine/state/cached.rs b/core/src/engine/state/cached.rs
@@ -374,6 +374,16 @@ where
 
         Ok(())
     }
+
+    #[inline]
+    fn mt_mint(
+        &mut self,
+        owner_id: AccountId,
+        tokens: Amounts,
+        _memo: Option<String>,
+    ) -> Result<()> {
+        self.internal_add_balance(owner_id, tokens)
+    }
 }
 
 #[derive(Debug, Default)]

diff --git a/core/src/engine/state/deltas.rs b/core/src/engine/state/deltas.rs
@@ -213,6 +213,16 @@ where
     fn auth_call(&mut self, signer_id: &AccountIdRef, auth_call: AuthCall) -> Result<()> {
         self.state.auth_call(signer_id, auth_call)
     }
+
+    #[inline]
+    fn mt_mint(
+        &mut self,
+        owner_id: AccountId,
+        tokens: Amounts,
+        memo: Option<String>,
+    ) -> Result<()> {
+        self.state.mt_mint(owner_id, tokens, memo)
+    }
 }
 
 /// Accumulates internal deposits and withdrawals on different tokens

diff --git a/core/src/engine/state/mod.rs b/core/src/engine/state/mod.rs
@@ -127,4 +127,7 @@ pub trait State: StateView {
     fn set_auth_by_predecessor_id(&mut self, account_id: AccountId, enable: bool) -> Result<bool>;
 
     fn auth_call(&mut self, signer_id: &AccountIdRef, auth_call: AuthCall) -> Result<()>;
+
+    fn mt_mint(&mut self, owner_id: AccountId, tokens: Amounts, memo: Option<String>)
+    -> Result<()>;
 }
diff --git a/core/src/events.rs b/core/src/events.rs
@@ -10,7 +10,7 @@ use crate::{
         IntentEvent,
         account::SetAuthByPredecessorId,
         token_diff::TokenDiffEvent,
-        tokens::{FtWithdraw, MtWithdraw, NativeWithdraw, NftWithdraw, StorageDeposit},
+        tokens::{FtWithdraw, MtMint, MtWithdraw, NativeWithdraw, NftWithdraw, StorageDeposit},
     },
 };
 
@@ -54,6 +54,9 @@ pub enum DefuseEvent<'a> {
     #[event_version("0.3.0")]
     StorageDeposit(Cow<'a, [IntentEvent<AccountEvent<'a, Cow<'a, StorageDeposit>>>]>),
 
+    #[event_version("0.3.0")]
+    MtMint(Cow<'a, [IntentEvent<AccountEvent<'a, Cow<'a, MtMint>>>]>),
+
     #[event_version("0.3.0")]
     #[from(skip)]
     AccountLocked(AccountEvent<'a, ()>),

diff --git a/core/src/intents/mod.rs b/core/src/intents/mod.rs
@@ -12,7 +12,7 @@ use tokens::{NativeWithdraw, StorageDeposit};
 use crate::{
     Result,
     engine::{Engine, Inspector, State},
-    intents::{account::SetAuthByPredecessorId, auth::AuthCall},
+    intents::{account::SetAuthByPredecessorId, auth::AuthCall, tokens::MtMint},
 };
 
 use self::{
@@ -68,6 +68,9 @@ pub enum Intent {
 
     /// See [`AuthCall`]
     AuthCall(AuthCall),
+
+    // See [`MtMint`]
+    MtMint(MtMint),
 }
 
 pub trait ExecutableIntent {
@@ -125,6 +128,7 @@ impl ExecutableIntent for Intent {
                 intent.execute_intent(signer_id, engine, intent_hash)
             }
             Self::AuthCall(intent) => intent.execute_intent(signer_id, engine, intent_hash),
+            Self::MtMint(intent) => intent.execute_intent(signer_id, engine, intent_hash),
         }
     }
 }

diff --git a/core/src/intents/token_diff.rs b/core/src/intents/token_diff.rs
@@ -207,8 +207,8 @@ impl TokenDiff {
             TokenIdType::Nep141 => {}
             TokenIdType::Nep245 if amount > 1 => {}
 
-            // do not take fees on NFTs and MTs with |delta| <= 1
-            TokenIdType::Nep171 | TokenIdType::Nep245 => return Pips::ZERO,
+            // do not take fees on NFTs, Dip5 tokens and MTs with |delta| <= 1
+            TokenIdType::Nep171 | TokenIdType::Nep245 | TokenIdType::Dip5 => return Pips::ZERO,
         }
         fee
     }

diff --git a/core/src/intents/tokens.rs b/core/src/intents/tokens.rs
@@ -1,5 +1,6 @@
 use std::{borrow::Cow, collections::BTreeMap};
 
+use defuse_token_id::nep245::Nep245TokenId;
 use near_contract_standards::non_fungible_token;
 use near_sdk::{
     AccountId, AccountIdRef, CryptoHash, Gas, NearToken, json_types::U128, near,
@@ -39,6 +40,9 @@ pub struct NotifyOnTransfer {
 }
 
 impl NotifyOnTransfer {
+    pub const MT_ON_TRANSFER_GAS_MIN: Gas = Gas::from_tgas(5);
+    pub const MT_ON_TRANSFER_GAS_DEFAULT: Gas = Gas::from_tgas(30);
+
     pub const fn new(msg: String) -> Self {
         Self {
             state_init: None,
@@ -79,11 +83,6 @@ pub struct Transfer {
     pub notification: Option<NotifyOnTransfer>,
 }
 
-impl Transfer {
-    pub const MT_ON_TRANSFER_GAS_MIN: Gas = Gas::from_tgas(5);
-    pub const MT_ON_TRANSFER_GAS_DEFAULT: Gas = Gas::from_tgas(30);
-}
-
 impl ExecutableIntent for Transfer {
     fn execute_intent<S, I>(
         self,
@@ -123,13 +122,7 @@ impl ExecutableIntent for Transfer {
             .state
             .internal_add_balance(self.receiver_id.clone(), self.tokens.clone())?;
 
-        if let Some(mut notification) = self.notification {
-            notification.min_gas = Some(
-                notification
-                    .min_gas
-                    .unwrap_or(Self::MT_ON_TRANSFER_GAS_DEFAULT)
-                    .max(Self::MT_ON_TRANSFER_GAS_MIN),
-            );
+        if let Some(notification) = self.notification {
             engine
                 .state
                 .notify_on_transfer(sender_id, self.receiver_id, self.tokens, notification);
@@ -516,3 +509,71 @@ impl ExecutableIntent for StorageDeposit {
         engine.state.storage_deposit(owner_id, self)
     }
 }
+
+#[near(serializers = [borsh, json])]
+#[derive(Debug, Clone)]
+/// Mint a set of tokens from the signer to a specified account id, within the intents contract.
+pub struct MtMint {
+    pub receiver_id: AccountId,
+
+    #[serde_as(as = "Amounts<BTreeMap<_, DisplayFromStr>>")]
+    pub tokens: Amounts,
+
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub memo: Option<String>,
+
+    /// Optionally notify receiver_id via `mt_on_transfer()`
+    ///
+    /// NOTE: `min_gas` is adjusted with following values:
+    /// * default: 30TGas
+    /// * minimum: 5TGas
+    #[serde(flatten, default, skip_serializing_if = "Option::is_none")]
+    pub notification: Option<NotifyOnTransfer>,
+}
+
+impl ExecutableIntent for MtMint {
+    #[inline]
+    fn execute_intent<S, I>(
+        mut self,
+        owner_id: &AccountIdRef,
+        engine: &mut Engine<S, I>,
+        intent_hash: CryptoHash,
+    ) -> Result<()>
+    where
+        S: State,
+        I: Inspector,
+    {
+        self.tokens = Amounts::new(
+            self.tokens
+                .iter()
+                .map(|(token_id, amount)| {
+                    let token = Nep245TokenId::new(owner_id, token_id.to_string());
+                    (token.into(), *amount)
+                })
+                .collect::<BTreeMap<_, _>>(),
+        );
+
+        engine.inspector.on_event(DefuseEvent::MtMint(Cow::Borrowed(
+            [IntentEvent::new(
+                AccountEvent::new(owner_id, Cow::Borrowed(&self)),
+                intent_hash,
+            )]
+            .as_slice(),
+        )));
+
+        engine
+            .state
+            .mt_mint(self.receiver_id.clone(), self.tokens.clone(), self.memo)?;
+
+        if let Some(notification) = self.notification {
+            engine.state.notify_on_transfer(
+                owner_id,
+                self.receiver_id,
+                self.tokens.clone(),
+                notification,
+            );
+        }
+
+        Ok(())
+    }
+}
diff --git a/defuse/src/accounts.rs b/defuse/src/accounts.rs
@@ -1,4 +1,4 @@
-use std::collections::HashSet;
+use std::collections::{HashMap, HashSet};
 
 use defuse_core::{Nonce, crypto::PublicKey};
 use defuse_serde_utils::base64::AsBase64;
@@ -82,4 +82,15 @@ pub trait ForceAccountManager: AccessControllable {
     ///
     /// NOTE: MUST attach 1 yⓃ for security purposes.
     fn force_enable_auth_by_predecessor_ids(&mut self, account_ids: Vec<AccountId>);
+
+    /// Registers or re-activates `public_key` under the user account_id.
+    ///
+    /// NOTE: MUST attach 1 yⓃ for security purposes.
+    fn force_add_public_keys(&mut self, public_keys: HashMap<AccountId, HashSet<PublicKey>>);
+
+    /// Deactivate `public_key` from the user account_id,
+    /// i.e. this key can't be used to make any actions unless it's re-created.
+    ///
+    /// NOTE: MUST attach 1 yⓃ for security purposes.
+    fn force_remove_public_keys(&mut self, public_keys: HashMap<AccountId, HashSet<PublicKey>>);
 }
diff --git a/defuse/src/contract/accounts/force.rs b/defuse/src/contract/accounts/force.rs
@@ -1,5 +1,8 @@
+use std::collections::{HashMap, HashSet};
+
 use defuse_core::{
-    DefuseError, Result, accounts::AccountEvent, engine::StateView, events::DefuseEvent,
+    DefuseError, Result, accounts::AccountEvent, crypto::PublicKey, engine::StateView,
+    events::DefuseEvent,
 };
 use defuse_near_utils::Lock;
 use near_plugins::{AccessControllable, access_control_any};
@@ -16,7 +19,11 @@ impl ForceAccountManager for Contract {
         StateView::is_account_locked(self, account_id)
     }
 
-    #[access_control_any(roles(Role::DAO, Role::UnrestrictedAccountLocker))]
+    #[access_control_any(roles(
+        Role::DAO,
+        Role::UnrestrictedAccountLocker,
+        Role::UnrestrictedAccountManager
+    ))]
     #[payable]
     fn force_lock_account(&mut self, account_id: AccountId) -> bool {
         assert_one_yocto();
@@ -31,7 +38,11 @@ impl ForceAccountManager for Contract {
         locked
     }
 
-    #[access_control_any(roles(Role::DAO, Role::UnrestrictedAccountUnlocker))]
+    #[access_control_any(roles(
+        Role::DAO,
+        Role::UnrestrictedAccountUnlocker,
+        Role::UnrestrictedAccountManager
+    ))]
     #[payable]
     fn force_unlock_account(&mut self, account_id: &AccountId) -> bool {
         assert_one_yocto();
@@ -46,7 +57,11 @@ impl ForceAccountManager for Contract {
         unlocked
     }
 
-    #[access_control_any(roles(Role::DAO, Role::UnrestrictedAccountLocker))]
+    #[access_control_any(roles(
+        Role::DAO,
+        Role::UnrestrictedAccountLocker,
+        Role::UnrestrictedAccountManager
+    ))]
     #[payable]
     fn force_disable_auth_by_predecessor_ids(&mut self, account_ids: Vec<AccountId>) {
         assert_one_yocto();
@@ -57,7 +72,11 @@ impl ForceAccountManager for Contract {
         }
     }
 
-    #[access_control_any(roles(Role::DAO, Role::UnrestrictedAccountUnlocker))]
+    #[access_control_any(roles(
+        Role::DAO,
+        Role::UnrestrictedAccountUnlocker,
+        Role::UnrestrictedAccountManager
+    ))]
     #[payable]
     fn force_enable_auth_by_predecessor_ids(&mut self, account_ids: Vec<AccountId>) {
         assert_one_yocto();
@@ -67,6 +86,30 @@ impl ForceAccountManager for Contract {
             let _ = self.internal_set_auth_by_predecessor_id(&account_id, true, true);
         }
     }
+
+    #[access_control_any(roles(Role::DAO, Role::UnrestrictedAccountManager))]
+    #[payable]
+    fn force_add_public_keys(&mut self, entries: HashMap<AccountId, HashSet<PublicKey>>) {
+        assert_one_yocto();
+
+        for (account_id, keys) in entries {
+            for public_key in keys {
+                self.add_public_key(account_id.as_ref(), public_key);
+            }
+        }
+    }
+
+    #[access_control_any(roles(Role::DAO, Role::UnrestrictedAccountManager))]
+    #[payable]
+    fn force_remove_public_keys(&mut self, entries: HashMap<AccountId, HashSet<PublicKey>>) {
+        assert_one_yocto();
+
+        for (account_id, keys) in entries {
+            for public_key in keys {
+                self.remove_public_key(account_id.as_ref(), public_key);
+            }
+        }
+    }
 }
 
 impl Contract {