# Vulnerability Report
## Background
Our project allows users to mint their NEAR accounts as NFTs. Before minting an account, we require it to satisfy two rules:
1. The account must have our control contract deployed.
2. The account must have deleted all of its full access keys.
Only then do we mint the account as an NFT.

## How the attack happens
1. The attacker deploys an attack contract on attack.near.
2. The attacker creates a long chain of cross-contract calls from attack.near, whose last action adds a full access key to attack.near.
3. The attacker asks to mint attack.near as an NFT.
4. Namesky deletes all of attack.near's full access keys and deploys the control contract.
5. Namesky mints attack.near as an NFT.
6. The pending cross-contract calls finish and add a full access key to attack.near that is controlled by the attacker.

Check this receipt; it is an attack transaction we made ourselves:
https://explorer.testnet.near.org/transactions/5uvibmE9iXJAW916127EoAfD3A55tycTaVWKj3FUzapy
## How we defend
We add another check that queries the latest block from the indexer and checks whether any receipt in it belongs to the account, so that a mint is not completed while actions targeting the account are still pending.
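To make the race concrete, here is an added toy model in Python (not Namesky's code; the account ids, key strings and the `pending` receipt queue, which stands in for the indexer's view of unexecuted receipts, are all constructed). The naive mint looks only at current state, while the hardened mint also refuses when a pending receipt targets the account, which is the check described above.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple
@dataclass
class Account:
    account_id: str
    full_access_keys: Set[str] = field(default_factory=set)
    contract: Optional[str] = None

@dataclass
class Receipt:  # a not-yet-executed action, e.g. the tail of a cross-contract call chain
    receiver_id: str
    action: str          # only "add_full_access_key" is modelled here
    public_key: str = ""

class Chain:
    """Toy ledger: current account state plus receipts still waiting to run."""
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.pending: List[Receipt] = []   # stand-in for the indexer's receipt view
    def execute_pending(self) -> None:
        """A later block: pending receipts execute and mutate account state."""
        for r in self.pending:
            if r.action == "add_full_access_key":
                self.accounts[r.receiver_id].full_access_keys.add(r.public_key)
        self.pending.clear()

def mint_naive(chain: Chain, account_id: str, control_contract: str) -> bool:
    """Original flow: only inspects state as it is right now."""
    acct = chain.accounts[account_id]
    acct.full_access_keys.clear()      # rule 2: delete all full access keys
    acct.contract = control_contract   # rule 1: deploy the control contract
    return True

def mint_hardened(chain: Chain, account_id: str, control_contract: str) -> bool:
    """Added check: refuse while any pending receipt targets this account."""
    if any(r.receiver_id == account_id for r in chain.pending):
        return False
    return mint_naive(chain, account_id, control_contract)

def run_scenario(hardened: bool) -> Tuple[bool, Set[str]]:
    """Replays the report's sequence; returns (minted?, final full access keys)."""
    chain = Chain()
    chain.accounts["attack.near"] = Account("attack.near", {"ed25519:ORIG"})
    # Constructed: the attacker's call chain ends by re-adding a key they control.
    chain.pending.append(Receipt("attack.near", "add_full_access_key", "ed25519:ATTACKER"))
    mint = mint_hardened if hardened else mint_naive
    minted = mint(chain, "attack.near", "namesky-control.near")
    chain.execute_pending()            # the delayed receipt lands after the mint
    return minted, chain.accounts["attack.near"].full_access_keys
```

With the naive flow the NFT is minted and the account ends up with only the attacker's key; with the hardened flow the mint is refused while the receipt is still pending.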
