security: add prominent danger warning for eth_sign requests

src/background/index.js

@@ -441,6 +441,13 @@ async function handleRpc(method, params, origin) {
                 ? { method, message: params[0], from: params[1] }
                 : { method, message: params[1], from: params[0] };
 
+        if (method === "eth_sign") {
+            signParams.dangerWarning =
+                "\u26a0\ufe0f DANGER: This site is requesting to sign a raw hash. " +
+                "This can be used to sign transactions that drain your funds. " +
+                "Only proceed if you fully understand what you are signing.";
+        }
+
         const decision = await requestSignApproval(
             origin,
             hostname,

src/popup/index.html

@@ -1015,6 +1015,12 @@
                     wants you to sign a message.
                 </p>
 
+                <div
+                    id="approve-sign-danger-warning"
+                    class="hidden mb-3 p-2 text-xs font-bold"
+                    style="background: #fee2e2; color: #991b1b; border: 2px solid #dc2626; border-radius: 6px"
+                ></div>
+
                 <div class="mb-3">
                     <div class="text-xs text-muted mb-1">Type</div>
                     <div id="approve-sign-type" class="text-xs font-bold"></div>

src/popup/views/approval.js

@@ -294,6 +294,18 @@ function showSignApproval(details) {
         }
     }
 
+    // Display danger warning for eth_sign (raw hash signing)
+    const warningEl = $("approve-sign-danger-warning");
+    if (warningEl) {
+        if (sp.dangerWarning) {
+            warningEl.textContent = sp.dangerWarning;
+            warningEl.classList.remove("hidden");
+        } else {
+            warningEl.textContent = "";
+            warningEl.classList.add("hidden");
+        }
+    }
+
     $("approve-sign-password").value = "";
     $("approve-sign-error").classList.add("hidden");
     $("btn-approve-sign").disabled = false;