Merge branch 'main' into fix/low-severity-security

2026-02-27 23:08:40 +01:00
parent 27f16191b4 8226495994
commit 85427e1fd4
11 changed files with 401 additions and 13 deletions
--- a/src/popup/index.html
+++ b/src/popup/index.html
@@ -374,6 +374,12 @@
                    </button>
                </div>

+                <!-- token contract details (ERC-20 only) -->
+                <div
+                    id="address-token-contract-info"
+                    class="bg-hover rounded-md mx-1 p-3 mb-3 text-xs hidden"
+                ></div>
+
                <!-- token-filtered transactions -->
                <div class="mt-3">
                    <div class="border-b border-border pb-1 mb-1">
@@ -702,9 +708,7 @@

                <div class="bg-well p-3 mx-1 mb-3">
                    <h3 class="font-bold mb-1">Wallets</h3>
-                    <p class="text-xs text-muted mb-2">
-                        Add a new wallet from a recovery phrase or private key.
-                    </p>
+                    <div id="settings-wallet-list" class="mb-2"></div>
                    <button
                        id="btn-main-add-wallet"
                        class="border border-border px-2 py-1 hover:bg-fg hover:text-bg cursor-pointer"
@@ -839,6 +843,41 @@
                </div>
            </div>

+            <!-- ============ DELETE WALLET CONFIRM ============ -->
+            <div id="view-delete-wallet-confirm" class="view hidden">
+                <button
+                    id="btn-delete-wallet-back"
+                    class="border border-border px-2 py-1 hover:bg-fg hover:text-bg cursor-pointer mb-2"
+                >
+                    &lt; Back
+                </button>
+                <h2 class="font-bold mb-3">Delete Wallet</h2>
+                <p class="text-xs mb-3">
+                    Deleting
+                    <strong id="delete-wallet-name"></strong> is permanent. Any
+                    funds will be unrecoverable without your recovery phrase.
+                </p>
+                <div
+                    id="delete-wallet-flash"
+                    class="text-xs text-red-500 mb-2 hidden"
+                ></div>
+                <div class="mb-2">
+                    <label class="block mb-1">Password</label>
+                    <input
+                        type="password"
+                        id="delete-wallet-password"
+                        class="border border-border p-1 w-full font-mono text-sm bg-bg text-fg"
+                        placeholder="Enter your password to confirm"
+                    />
+                </div>
+                <button
+                    id="btn-delete-wallet-confirm"
+                    class="border border-border text-red-500 px-2 py-1 hover:bg-fg hover:text-bg cursor-pointer"
+                >
+                    Confirm Delete
+                </button>
+            </div>
+
            <!-- ============ SETTINGS: ADD TOKEN ============ -->
            <div id="view-settings-addtoken" class="view hidden">
                <button
@@ -914,7 +953,13 @@
                >
                    &lt; Back
                </button>
-                <h2 class="font-bold mb-2">Transaction</h2>
+                <h2 id="tx-detail-heading" class="font-bold mb-2">
+                    Transaction
+                </h2>
+                <div id="tx-detail-type-section" class="mb-4 hidden">
+                    <div class="text-xs text-muted mb-1">Type</div>
+                    <div id="tx-detail-type" class="text-xs font-bold"></div>
+                </div>
                <div class="mb-4">
                    <div class="text-xs text-muted mb-1">Status</div>
                    <div id="tx-detail-status" class="text-xs"></div>
@@ -939,6 +984,29 @@
                    <div class="text-xs text-muted mb-1">To</div>
                    <div id="tx-detail-to" class="text-xs break-all"></div>
                </div>
+                <div id="tx-detail-calldata-section" class="mb-4 hidden">
+                    <div
+                        id="tx-detail-calldata-well"
+                        class="mb-3 border border-border border-dashed p-2"
+                    >
+                        <div class="text-xs text-muted mb-1">Action</div>
+                        <div
+                            id="tx-detail-calldata-action"
+                            class="text-xs font-bold mb-2"
+                        ></div>
+                        <div
+                            id="tx-detail-calldata-details"
+                            class="text-xs"
+                        ></div>
+                    </div>
+                    <div id="tx-detail-rawdata-section" class="hidden">
+                        <div class="text-xs text-muted mb-1">Raw data</div>
+                        <div
+                            id="tx-detail-rawdata"
+                            class="text-xs break-all font-mono border border-border border-dashed p-2"
+                        ></div>
+                    </div>
+                </div>
                <div class="mb-4">
                    <div class="text-xs text-muted mb-1">Transaction hash</div>
                    <div id="tx-detail-hash" class="text-xs break-all"></div>
--- a/src/popup/index.js
+++ b/src/popup/index.js
@@ -189,7 +189,7 @@ async function init() {
    const params = new URLSearchParams(window.location.search);
    const approvalId = params.get("approval");
    if (approvalId) {
-        approval.show(parseInt(approvalId, 10));
+        approval.show(approvalId);
        showView("approve-site");
        return;
    }
--- a/src/popup/views/addressDetail.js
+++ b/src/popup/views/addressDetail.js
@@ -185,7 +185,10 @@ function renderTransactions(txs) {
    let html = "";
    let i = 0;
    for (const tx of txs) {
-        const counterparty = tx.direction === "sent" ? tx.to : tx.from;
+        const counterparty =
+            tx.direction === "sent" || tx.direction === "contract"
+                ? tx.to
+                : tx.from;
        const ensName = ensNameMap.get(counterparty) || null;
        const dirLabel = tx.directionLabel;
        const amountStr = tx.value
--- a/src/popup/views/addressToken.js
+++ b/src/popup/views/addressToken.js
@@ -11,6 +11,7 @@ const {
    balanceLine,
 } = require("./helpers");
 const { state, currentAddress, saveState } = require("../../shared/state");
+const { TOKEN_BY_ADDRESS } = require("../../shared/tokenList");
 const {
    formatUsd,
    getPrice,
@@ -130,6 +131,43 @@ function show() {
    // Single token balance line (no tokenId — not clickable here)
    $("address-token-balance").innerHTML = balanceLine(symbol, amount, price);

+    // Token contract details (ERC-20 only)
+    const contractInfo = $("address-token-contract-info");
+    if (tokenId !== "ETH") {
+        const tb = (addr.tokenBalances || []).find(
+            (t) => t.address.toLowerCase() === tokenId.toLowerCase(),
+        );
+        const tokenName = tb && tb.name ? escapeHtml(tb.name) : null;
+        const tokenSymbol = tb && tb.symbol ? escapeHtml(tb.symbol) : null;
+        const tokenDecimals = tb && tb.decimals != null ? tb.decimals : null;
+        const tokenHolders = tb && tb.holders != null ? tb.holders : null;
+        const dot = addressDotHtml(tokenId);
+        const tokenLink = `https://etherscan.io/token/${escapeHtml(tokenId)}`;
+        const knownToken = TOKEN_BY_ADDRESS.get(tokenId.toLowerCase());
+        const projectUrl = knownToken && knownToken.url ? knownToken.url : null;
+        let infoHtml = `<div class="font-bold mb-2">Contract Address</div>`;
+        infoHtml +=
+            `<div class="flex items-center mb-2">${dot}` +
+            `<span class="break-all underline decoration-dashed cursor-pointer" id="address-token-contract-copy" data-copy="${escapeHtml(tokenId)}">${escapeHtml(tokenId)}</span>` +
+            `<a href="${tokenLink}" target="_blank" rel="noopener" class="inline-flex items-center">${EXT_ICON}</a>` +
+            `</div>`;
+        if (tokenName)
+            infoHtml += `<div class="mb-1"><span class="text-muted">Name:</span> ${tokenName}</div>`;
+        if (tokenSymbol)
+            infoHtml += `<div class="mb-1"><span class="text-muted">Symbol:</span> ${tokenSymbol}</div>`;
+        if (tokenDecimals != null)
+            infoHtml += `<div class="mb-1"><span class="text-muted">Decimals:</span> ${tokenDecimals}</div>`;
+        if (tokenHolders != null)
+            infoHtml += `<div class="mb-1"><span class="text-muted">Holders:</span> ${Number(tokenHolders).toLocaleString()}</div>`;
+        if (projectUrl)
+            infoHtml += `<div class="mb-1"><span class="text-muted">Website:</span> <a href="${escapeHtml(projectUrl)}" target="_blank" rel="noopener" class="underline decoration-dashed">${escapeHtml(projectUrl)}</a></div>`;
+        contractInfo.innerHTML = infoHtml;
+        contractInfo.classList.remove("hidden");
+    } else {
+        contractInfo.innerHTML = "";
+        contractInfo.classList.add("hidden");
+    }
+
    // Transactions
    $("address-token-tx-list").innerHTML =
        '<div class="text-muted text-xs py-1">Loading...</div>';
@@ -252,6 +290,14 @@ function init(_ctx) {
        }
    });

+    $("address-token-contract-info").addEventListener("click", (e) => {
+        const copyEl = e.target.closest("[data-copy]");
+        if (copyEl) {
+            navigator.clipboard.writeText(copyEl.dataset.copy);
+            showFlash("Copied!");
+        }
+    });
+
    $("btn-address-token-back").addEventListener("click", () => {
        ctx.showAddressDetail();
    });
--- a/src/popup/views/approval.js
+++ b/src/popup/views/approval.js
@@ -453,4 +453,4 @@ function init(ctx) {
    });
 }

-module.exports = { init, show };
+module.exports = { init, show, decodeCalldata };
--- a/src/popup/views/deleteWallet.js
+++ b/src/popup/views/deleteWallet.js
@@ -0,0 +1,90 @@
+const { $, showView, showFlash } = require("./helpers");
+const { state, saveState } = require("../../shared/state");
+const { decryptWithPassword } = require("../../shared/vault");
+
+let deleteWalletIndex = null;
+let ctx = null;
+
+function show(walletIdx) {
+    deleteWalletIndex = walletIdx;
+    const wallet = state.wallets[walletIdx];
+    $("delete-wallet-name").textContent =
+        wallet.name || "Wallet " + (walletIdx + 1);
+    $("delete-wallet-password").value = "";
+    $("delete-wallet-flash").textContent = "";
+    $("delete-wallet-flash").classList.add("hidden");
+    showView("delete-wallet-confirm");
+}
+
+function init(_ctx) {
+    ctx = _ctx;
+
+    $("btn-delete-wallet-back").addEventListener("click", () => {
+        deleteWalletIndex = null;
+        ctx.showSettingsView();
+    });
+
+    $("btn-delete-wallet-confirm").addEventListener("click", async () => {
+        const pw = $("delete-wallet-password").value;
+        if (!pw) {
+            $("delete-wallet-flash").textContent =
+                "Please enter your password.";
+            $("delete-wallet-flash").classList.remove("hidden");
+            return;
+        }
+
+        if (deleteWalletIndex === null) {
+            $("delete-wallet-flash").textContent =
+                "No wallet selected for deletion.";
+            $("delete-wallet-flash").classList.remove("hidden");
+            return;
+        }
+
+        const walletIdx = deleteWalletIndex;
+        const wallet = state.wallets[walletIdx];
+
+        // Verify password against the wallet's encrypted data
+        try {
+            await decryptWithPassword(wallet.encryptedSecret, pw);
+        } catch (_e) {
+            $("delete-wallet-flash").textContent = "Wrong password.";
+            $("delete-wallet-flash").classList.remove("hidden");
+            return;
+        }
+
+        // Collect addresses to clean up from allowedSites/deniedSites
+        const addresses = (wallet.addresses || []).map((a) => a.address);
+
+        // Remove wallet
+        state.wallets.splice(walletIdx, 1);
+
+        // Clean up site permissions for deleted addresses
+        for (const addr of addresses) {
+            delete state.allowedSites[addr];
+            delete state.deniedSites[addr];
+        }
+
+        deleteWalletIndex = null;
+
+        if (state.wallets.length === 0) {
+            // No wallets left — reset selection and show welcome
+            state.selectedWallet = null;
+            state.selectedAddress = null;
+            state.activeAddress = null;
+            await saveState();
+            showView("welcome");
+        } else {
+            // Switch to first wallet if deleted wallet was active
+            state.selectedWallet = 0;
+            state.selectedAddress = 0;
+            state.activeAddress =
+                state.wallets[0].addresses[0]?.address || null;
+            await saveState();
+            ctx.renderWalletList();
+            ctx.showSettingsView();
+            showFlash("Wallet deleted.");
+        }
+    });
+}
+
+module.exports = { init, show };
--- a/src/popup/views/helpers.js
+++ b/src/popup/views/helpers.js
@@ -25,6 +25,7 @@ const VIEWS = [
    "receive",
    "add-token",
    "settings",
+    "delete-wallet-confirm",
    "settings-addtoken",
    "transaction",
    "approve-site",
--- a/src/popup/views/home.js
+++ b/src/popup/views/home.js
@@ -102,7 +102,10 @@ function renderHomeTxList(ctx) {
    let html = "";
    let i = 0;
    for (const tx of homeTxs) {
-        const counterparty = tx.direction === "sent" ? tx.to : tx.from;
+        const counterparty =
+            tx.direction === "sent" || tx.direction === "contract"
+                ? tx.to
+                : tx.from;
        const dirLabel = tx.directionLabel;
        const amountStr = tx.value
            ? escapeHtml(tx.value + " " + tx.symbol)
--- a/src/popup/views/settings.js
+++ b/src/popup/views/settings.js
@@ -2,6 +2,7 @@ const { $, showView, showFlash, escapeHtml } = require("./helpers");
 const { state, saveState } = require("../../shared/state");
 const { ETHEREUM_MAINNET_CHAIN_ID } = require("../../shared/constants");
 const { log, debugFetch } = require("../../shared/log");
+const deleteWallet = require("./deleteWallet");

 const runtime =
    typeof browser !== "undefined" ? browser.runtime : chrome.runtime;
@@ -65,11 +66,68 @@ function renderTrackedTokens() {
    });
 }

+function renderWalletListSettings() {
+    const container = $("settings-wallet-list");
+    if (state.wallets.length === 0) {
+        container.innerHTML = '<p class="text-xs text-muted">No wallets.</p>';
+        return;
+    }
+    let html = "";
+    state.wallets.forEach((wallet, idx) => {
+        const name = escapeHtml(wallet.name || "Wallet " + (idx + 1));
+        html += `<div class="flex justify-between items-center text-xs py-1 border-b border-border-light">`;
+        html += `<span class="settings-wallet-name cursor-pointer underline decoration-dashed" data-idx="${idx}">${name}</span>`;
+        html += `<button class="btn-delete-wallet border border-border px-1 hover:bg-fg hover:text-bg cursor-pointer" data-idx="${idx}">[x]</button>`;
+        html += `</div>`;
+    });
+    container.innerHTML = html;
+    container.querySelectorAll(".btn-delete-wallet").forEach((btn) => {
+        btn.addEventListener("click", () => {
+            const idx = parseInt(btn.dataset.idx, 10);
+            deleteWallet.show(idx);
+        });
+    });
+
+    // Inline rename on click
+    container.querySelectorAll(".settings-wallet-name").forEach((span) => {
+        span.addEventListener("click", () => {
+            const idx = parseInt(span.dataset.idx, 10);
+            const wallet = state.wallets[idx];
+            const input = document.createElement("input");
+            input.type = "text";
+            input.className =
+                "border border-border p-0 text-xs bg-bg text-fg w-full";
+            input.value = wallet.name || "Wallet " + (idx + 1);
+            span.replaceWith(input);
+            input.focus();
+            input.select();
+            const finish = async () => {
+                const val = input.value.trim();
+                if (val && val !== wallet.name) {
+                    wallet.name = val;
+                    await saveState();
+                }
+                renderWalletListSettings();
+            };
+            input.addEventListener("blur", finish);
+            input.addEventListener("keydown", (e) => {
+                if (e.key === "Enter") input.blur();
+                if (e.key === "Escape") {
+                    input.value = wallet.name || "Wallet " + (idx + 1);
+                    input.blur();
+                }
+            });
+        });
+    });
+}
+
 function show() {
    $("settings-rpc").value = state.rpcUrl;
    $("settings-blockscout").value = state.blockscoutUrl;
    renderTrackedTokens();
    renderSiteLists();
+    renderWalletListSettings();
+
    showView("settings");
 }

@@ -83,6 +141,8 @@ function renderSiteLists() {
 }

 function init(ctx) {
+    deleteWallet.init(ctx);
+
    $("btn-save-rpc").addEventListener("click", async () => {
        const url = $("settings-rpc").value.trim();
        if (!url) {
--- a/src/popup/views/transactionDetail.js
+++ b/src/popup/views/transactionDetail.js
@@ -13,6 +13,8 @@ const {
 } = require("./helpers");
 const { state } = require("../../shared/state");
 const makeBlockie = require("ethereum-blockies-base64");
+const { log, debugFetch } = require("../../shared/log");
+const { decodeCalldata } = require("./approval");

 const EXT_ICON =
    `<span style="display:inline-block;width:10px;height:10px;margin-left:4px;vertical-align:middle">` +
@@ -42,11 +44,11 @@ function txAddressHtml(address, ensName, title) {
    const extLink = `<a href="${link}" target="_blank" rel="noopener" class="inline-flex items-center">${EXT_ICON}</a>`;
    let html = `<div class="mb-1">${blockie}</div>`;
    if (title) {
-        html += `<div class="flex items-center font-bold">${dot}${escapeHtml(title)}</div>`;
+        html += `<div class="font-bold">${escapeHtml(title)}</div>`;
    }
    if (ensName) {
        html +=
-            `<div class="flex items-center">${title ? "" : dot}` +
+            `<div class="flex items-center">${dot}` +
            copyableHtml(ensName, "") +
            extLink +
            `</div>` +
@@ -55,7 +57,7 @@ function txAddressHtml(address, ensName, title) {
            `</div>`;
    } else {
        html +=
-            `<div class="flex items-center">${title ? "" : dot}` +
+            `<div class="flex items-center">${dot}` +
            copyableHtml(address, "break-all") +
            extLink +
            `</div>`;
@@ -85,9 +87,15 @@ function show(tx) {
            fromEns: tx.fromEns || null,
            toEns: tx.toEns || null,
            directionLabel: tx.directionLabel || null,
+            direction: tx.direction || null,
+            isContractCall: tx.isContractCall || false,
+            method: tx.method || null,
        },
    };
    render();
+    if (tx.isContractCall || tx.direction === "contract") {
+        loadCalldata(tx.hash, tx.to);
+    }
 }

 function render() {
@@ -121,6 +129,25 @@ function render() {
        nativeEl.parentElement.classList.add("hidden");
    }

+    // Show type label for contract interactions (Swap, Execute, etc.)
+    const typeSection = $("tx-detail-type-section");
+    const typeEl = $("tx-detail-type");
+    const headingEl = $("tx-detail-heading");
+    if (tx.direction === "contract" && tx.directionLabel) {
+        if (typeSection) {
+            typeEl.textContent = tx.directionLabel;
+            typeSection.classList.remove("hidden");
+        }
+        if (headingEl) headingEl.textContent = tx.directionLabel;
+    } else {
+        if (typeSection) typeSection.classList.add("hidden");
+        if (headingEl) headingEl.textContent = "Transaction";
+    }
+
+    // Hide calldata section by default; loadCalldata will show it if needed
+    const calldataSection = $("tx-detail-calldata-section");
+    if (calldataSection) calldataSection.classList.add("hidden");
+
    $("tx-detail-time").textContent =
        isoDate(tx.timestamp) + " (" + timeAgo(tx.timestamp) + ")";
    $("tx-detail-status").textContent = tx.isError ? "Failed" : "Success";
@@ -137,6 +164,73 @@ function render() {
        });
 }

+async function loadCalldata(txHash, toAddress) {
+    const section = $("tx-detail-calldata-section");
+    const actionEl = $("tx-detail-calldata-action");
+    const detailsEl = $("tx-detail-calldata-details");
+    const wellEl = $("tx-detail-calldata-well");
+    const rawSection = $("tx-detail-rawdata-section");
+    const rawEl = $("tx-detail-rawdata");
+    if (!section || !actionEl || !detailsEl) return;
+
+    try {
+        const resp = await debugFetch(
+            state.blockscoutUrl + "/transactions/" + txHash,
+        );
+        if (!resp.ok) return;
+        const txData = await resp.json();
+        const inputData = txData.raw_input || txData.input || null;
+        if (!inputData || inputData === "0x") return;
+
+        const decoded = decodeCalldata(inputData, toAddress || "");
+        if (decoded) {
+            // Render decoded calldata matching approval view style
+            actionEl.textContent = decoded.name;
+            let detailsHtml = "";
+            if (decoded.description) {
+                detailsHtml += `<div class="mb-2">${escapeHtml(decoded.description)}</div>`;
+            }
+            for (const d of decoded.details || []) {
+                detailsHtml += `<div class="mb-2">`;
+                detailsHtml += `<div class="text-muted">${escapeHtml(d.label)}</div>`;
+                if (d.address) {
+                    const dot = addressDotHtml(d.address);
+                    detailsHtml += `<div>${dot}${copyableHtml(d.value, "break-all")}</div>`;
+                } else {
+                    detailsHtml += `<div class="font-bold">${escapeHtml(d.value)}</div>`;
+                }
+                detailsHtml += `</div>`;
+            }
+            detailsEl.innerHTML = detailsHtml;
+            if (wellEl) wellEl.classList.remove("hidden");
+        } else {
+            // Unknown contract call — show method name in well
+            const method = txData.method || "Unknown contract call";
+            actionEl.textContent = method;
+            detailsEl.innerHTML = "";
+            if (wellEl) wellEl.classList.remove("hidden");
+        }
+
+        // Always show raw data
+        if (rawSection && rawEl) {
+            rawEl.innerHTML = copyableHtml(inputData, "break-all");
+            rawSection.classList.remove("hidden");
+        }
+
+        section.classList.remove("hidden");
+
+        // Bind copy handlers for new elements
+        section.querySelectorAll("[data-copy]").forEach((el) => {
+            el.onclick = () => {
+                navigator.clipboard.writeText(el.dataset.copy);
+                showFlash("Copied!");
+            };
+        });
+    } catch (e) {
+        log.errorf("loadCalldata failed:", e.message);
+    }
+}
+
 function init(_ctx) {
    ctx = _ctx;
    $("btn-tx-back").addEventListener("click", () => {
--- a/src/shared/transactions.js
+++ b/src/shared/transactions.js
@@ -37,7 +37,21 @@ function parseTx(tx, addrLower) {
        if (token) {
            symbol = token.symbol;
        }
-        const label = method.charAt(0).toUpperCase() + method.slice(1);
+        // Map known DEX methods to "Swap" for cleaner display
+        const SWAP_METHODS = new Set([
+            "execute",
+            "swap",
+            "swapExactTokensForTokens",
+            "swapTokensForExactTokens",
+            "swapExactETHForTokens",
+            "swapTokensForExactETH",
+            "swapExactTokensForETH",
+            "swapETHForExactTokens",
+            "multicall",
+        ]);
+        const label = SWAP_METHODS.has(method)
+            ? "Swap"
+            : method.charAt(0).toUpperCase() + method.slice(1);
        direction = "contract";
        directionLabel = label;
        value = "";
@@ -139,9 +153,18 @@ async function fetchRecentTransactions(address, blockscoutUrl, count = 25) {

    // When a token transfer shares a hash with a normal tx, the normal tx
    // is the contract call (0 ETH) and the token transfer has the real
-    // amount and symbol. Replace the normal tx with the token transfer.
+    // amount and symbol. Replace the normal tx with the token transfer,
+    // but preserve contract call metadata (direction, label, method) so
+    // swaps and other contract interactions display correctly.
    for (const tt of ttJson.items || []) {
        const parsed = parseTokenTransfer(tt, addrLower);
+        const existing = txsByHash.get(parsed.hash);
+        if (existing && existing.direction === "contract") {
+            parsed.direction = "contract";
+            parsed.directionLabel = existing.directionLabel;
+            parsed.isContractCall = true;
+            parsed.method = existing.method;
+        }
        txsByHash.set(parsed.hash, parsed);
    }