Near protocol cross contract call permission

Question

Few naive questions here,

About the FunctionCall key, how does cross-contract permission works ?

context: Let's say I allow a FunctionCall key to some rogue contract, we set params allowance, receiver_id (contract id) and method_names (optional according to the docs so I guess if not specified it allows all contract methods).

So ok with this key the contract can't move my Near token on my behalf.

But can it moves some valuable FT on my behalf calling ft_transfer_call ? => according to the doc the standard/spec this function is declared as #payable and we need to attach one yoctoNEAR => So answer I guess is no, it can't move the FT on my behalf;; could anyone confirm this ? (but I guess I already have my answer on this, just confirming )

Assuming I answered right the question above, the real question is maybe:

How do I know the nep141 standard has been correctly implemented for a given FT ? Is there a way to automatically detect it ? Or do you have to try ft_transfer_call with no payment just to be sure ?

thanks in advance for your enlightment and for reading all this ^^

Answer 1

I'll convert my comment to an answer, but I'm not 100% sure about it. More accurate answers are more than welcome.

I think you can get a contract to transfer FT on your behalf (see docs). Attaching 1 yoctoNear is for security, it's not the amount sent (as you already know).

I don't think you can verify if a contract has been correctly implemented according to the standard, but I'm not sure. One way is to look at the source code, and also do tests to see if the contract adheres to the expected behavior. An FT contract should also not have any access keys on its account. The latter can be confirmed by checking if the contract is locked (e.g. from the near explorer.)