near · pityjllk · Jan 23, 2026 · Jan 23, 2026 · coderabbitai · Jan 23, 2026
diff --git a/.cargo/audit.toml b/.cargo/audit.toml
@@ -0,0 +1,10 @@
+# cargo-audit configuration
+# https://docs.rs/cargo-audit/latest/cargo_audit/config/
+
+[advisories]
+# Ignore the lru unsound advisory - it comes from near-vm-runner which is
+# locked to lru ^0.12.3 and cannot be updated to the fixed 0.16.3 version.
+# The advisory relates to IterMut's Stacked Borrows violation, which does
+# not affect our usage as we don't use IterMut directly.
+# Tracked: https://github.com/near/nearcore/issues/XXXXX (upstream)
+ignore = ["RUSTSEC-2026-0002"]
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -147,7 +147,7 @@ jobs:
       - name: Run Tests
         env:
           DEFUSE_MIGRATE_FROM_LEGACY: "true"
-        run: cargo make run-tests -- --show-output
+        run: cargo make run-tests-long -- --show-output
 
   security_audit_report:
     name: Security Audit - report
@@ -162,7 +162,8 @@ jobs:
         with:
           cache: false
       - name: Install cargo-audit
-        run: cargo install cargo-audit --version "^0.21" --locked
+        # Require 0.22+ for CVSS 4.0 support (advisory-db now contains CVSS 4.0 entries)
+        run: cargo install cargo-audit --version "^0.22" --locked
       - uses: rustsec/audit-check@v2.0.0
         with:
           token: ${{ secrets.GITHUB_TOKEN }}

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Makefile.toml b/Makefile.toml
@@ -208,6 +208,10 @@ run_task = "run-tests"
 command = "cargo"
 args = ["test", "--workspace", "--all-targets", "${@}"]
 
+[tasks.run-tests-long]
+command = "cargo"
+args = ["test", "--workspace", "--all-targets", "--features=long", "${@}"]
+
 # ============================================================================
 # Cleanup tasks
 # ============================================================================

diff --git a/defuse/src/contract/tokens/mod.rs b/defuse/src/contract/tokens/mod.rs
@@ -4,7 +4,7 @@ mod nep245;
 
 use super::Contract;
 use defuse_core::{DefuseError, Result, token_id::TokenId};
-use defuse_near_utils::{Lock, UnwrapOrPanic};
+use defuse_near_utils::{Lock, REFUND_MEMO, UnwrapOrPanic};
 use defuse_nep245::{MtBurnEvent, MtEvent, MtMintEvent};
 use itertools::{Either, Itertools};
 use near_sdk::{AccountId, AccountIdRef, Gas, env, json_types::U128, serde_json};
@@ -162,7 +162,7 @@ impl Contract {
             authorized_id: None,
             token_ids: Vec::with_capacity(tokens_count).into(),
             amounts: Vec::with_capacity(tokens_count).into(),
-            memo: Some("refund".into()),
+            memo: Some(REFUND_MEMO.into()),
         };
 
         let Some(receiver) = self

diff --git a/defuse/src/contract/tokens/nep141/withdraw.rs b/defuse/src/contract/tokens/nep141/withdraw.rs
@@ -9,7 +9,7 @@ use defuse_core::{
     DefuseError, Result, engine::StateView, intents::tokens::FtWithdraw,
     token_id::nep141::Nep141TokenId,
 };
-use defuse_near_utils::UnwrapOrPanic;
+use defuse_near_utils::{REFUND_MEMO, UnwrapOrPanic};
 use defuse_wnear::{NEAR_WITHDRAW_GAS, ext_wnear};
 use near_contract_standards::{
     fungible_token::core::ext_ft_core, storage_management::ext_storage_management,
@@ -188,7 +188,7 @@ impl FungibleTokenWithdrawResolver for Contract {
             self.deposit(
                 sender_id,
                 [(Nep141TokenId::new(token).into(), refund)],
-                Some("refund"),
+                Some(REFUND_MEMO),
             )
             .unwrap_or_panic();
         }

diff --git a/defuse/src/contract/tokens/nep171/withdraw.rs b/defuse/src/contract/tokens/nep171/withdraw.rs
@@ -11,7 +11,7 @@ use defuse_core::{
     intents::tokens::NftWithdraw,
     token_id::{nep141::Nep141TokenId, nep171::Nep171TokenId},
 };
-use defuse_near_utils::UnwrapOrPanic;
+use defuse_near_utils::{REFUND_MEMO, UnwrapOrPanic};
 use defuse_wnear::{NEAR_WITHDRAW_GAS, ext_wnear};
 use near_contract_standards::{
     non_fungible_token::{self, core::ext_nft_core},
@@ -187,7 +187,7 @@ impl NonFungibleTokenWithdrawResolver for Contract {
             self.deposit(
                 sender_id,
                 [(Nep171TokenId::new(token, token_id).into(), 1)],
-                Some("refund"),
+                Some(REFUND_MEMO),
             )
             .unwrap_or_panic();
         }

diff --git a/defuse/src/contract/tokens/nep245/core.rs b/defuse/src/contract/tokens/nep245/core.rs
@@ -3,7 +3,9 @@ use defuse_core::{
     DefuseError, Result, engine::StateView, intents::tokens::NotifyOnTransfer, token_id::TokenId,
 };
 use defuse_near_utils::{UnwrapOrPanic, UnwrapOrPanicError};
-use defuse_nep245::{MtEvent, MtTransferEvent, MultiTokenCore, receiver::ext_mt_receiver};
+use defuse_nep245::{
+    EmitChecked, MtEvent, MtTransferEvent, MultiTokenCore, receiver::ext_mt_receiver,
+};
 use near_plugins::{Pausable, pause};
 use near_sdk::{
     AccountId, AccountIdRef, Gas, NearToken, Promise, PromiseOrValue, assert_one_yocto, env,
@@ -209,7 +211,8 @@ impl Contract {
             .as_slice()
             .into(),
         )
-        .emit();
+        .emit_with_refund_log_checked()
+        .unwrap_or_panic();
 
         Ok(())
     }

diff --git a/defuse/src/contract/tokens/nep245/resolver.rs b/defuse/src/contract/tokens/nep245/resolver.rs
@@ -1,6 +1,6 @@
 use std::borrow::Cow;
 
-use defuse_near_utils::{Lock, UnwrapOrPanic, UnwrapOrPanicError};
+use defuse_near_utils::{Lock, REFUND_MEMO, UnwrapOrPanic, UnwrapOrPanicError};
 use defuse_nep245::{
     ClearedApproval, MtEventEmit, MtTransferEvent, TokenId, resolver::MultiTokenResolver,
 };
@@ -109,7 +109,7 @@ impl MultiTokenResolver for Contract {
                     new_owner_id: Cow::Borrowed(&sender_id),
                     token_ids: refunded_token_ids.into(),
                     amounts: refunded_amounts.into(),
-                    memo: Some("refund".into()),
+                    memo: Some(REFUND_MEMO.into()),
                 }]
                 .as_slice(),
             )

diff --git a/defuse/src/contract/tokens/nep245/withdraw.rs b/defuse/src/contract/tokens/nep245/withdraw.rs
@@ -12,7 +12,7 @@ use defuse_core::{
     intents::tokens::MtWithdraw,
     token_id::{nep141::Nep141TokenId, nep245::Nep245TokenId},
 };
-use defuse_near_utils::{UnwrapOrPanic, UnwrapOrPanicError};
+use defuse_near_utils::{REFUND_MEMO, UnwrapOrPanic, UnwrapOrPanicError};
 use defuse_nep245::ext_mt_core;
 use defuse_wnear::{NEAR_WITHDRAW_GAS, ext_wnear};
 use near_contract_standards::storage_management::ext_storage_management;
@@ -253,7 +253,7 @@ impl MultiTokenWithdrawResolver for Contract {
                         None
                     }
                 }),
-            Some("refund"),
+            Some(REFUND_MEMO),
         )
         .unwrap_or_panic();
 

diff --git a/near-utils/src/event.rs b/near-utils/src/event.rs
@@ -1,3 +1,10 @@
+/// Maximum length of a single log entry in NEAR runtime.
+/// See: <https://github.com/near/nearcore/blob/v2.5.0/runtime/near-vm-runner/src/logic/logic.rs#L42>
+pub const TOTAL_LOG_LENGTH_LIMIT: usize = 16384;
+
+/// Memo used for refund events.
+pub const REFUND_MEMO: &str = "refund";
+
 pub trait NearSdkLog {
     fn to_near_sdk_log(&self) -> String;
 }
diff --git a/near-utils/src/lib.rs b/near-utils/src/lib.rs
@@ -1,7 +1,7 @@
 #[cfg(feature = "digest")]
 pub mod digest;
 mod event;
-pub use event::NearSdkLog;
+pub use event::{NearSdkLog, REFUND_MEMO, TOTAL_LOG_LENGTH_LIMIT};
 mod gas;
 mod lock;
 mod panic;

diff --git a/nep245/Cargo.toml b/nep245/Cargo.toml
@@ -9,6 +9,10 @@ repository.workspace = true
 derive_more = { workspace = true, features = ["from"] }
 near-sdk.workspace = true
 defuse-near-utils.workspace = true
+thiserror.workspace = true
+
+[dev-dependencies]
+near-sdk = { workspace = true, features = ["unit-testing"] }
 
 [lints]
 workspace = true