Add anti-poisoning filters for token transfers and send view
Some checks failed
check / check (push) Has been cancelled
Some checks failed
check / check (push) Has been cancelled
Three layers of defense against address poisoning attacks: 1. Known symbol verification: tokens claiming a symbol from the hardcoded top-250 list (e.g. "ETH", "USDT") but from an unrecognized contract are identified as spoofs and always hidden. Their contract addresses are auto-added to the fraud blocklist. 2. Low-holder filtering: tokens with <1000 holders are hidden from both transaction history and the send token selector. Controlled by the "Hide tokens with fewer than 1,000 holders" setting. 3. Fraud contract blocklist: a persistent local list of detected fraud contract addresses. Transactions involving these contracts are hidden. Controlled by the "Hide transactions from detected fraud contracts" setting. Both settings default to on and can be disabled in Settings. Fetching and filtering are separated: fetchRecentTransactions returns raw data, filterTransactions is a pure function applying heuristics. Token holder counts are now passed through from the Blockscout API.
This commit is contained in:
@@ -1,9 +1,14 @@
|
||||
// Transaction history fetching via Blockscout v2 API.
|
||||
// Fetches normal transactions and ERC-20 token transfers,
|
||||
// merges them, and returns the most recent entries.
|
||||
//
|
||||
// Filtering is separated from fetching: fetchRecentTransactions returns
|
||||
// raw parsed data including token metadata, and filterTransactions is
|
||||
// a pure function that applies anti-poisoning heuristics.
|
||||
|
||||
const { formatEther, formatUnits } = require("ethers");
|
||||
const { log } = require("./log");
|
||||
const { KNOWN_SYMBOLS } = require("./tokens");
|
||||
|
||||
function formatTxValue(val) {
|
||||
const parts = val.split(".");
|
||||
@@ -25,6 +30,8 @@ function parseTx(tx, addrLower) {
|
||||
symbol: "ETH",
|
||||
direction: from.toLowerCase() === addrLower ? "sent" : "received",
|
||||
isError: tx.status !== "ok",
|
||||
contractAddress: null,
|
||||
holders: null,
|
||||
};
|
||||
}
|
||||
|
||||
@@ -43,6 +50,12 @@ function parseTokenTransfer(tt, addrLower) {
|
||||
symbol: tt.token?.symbol || "?",
|
||||
direction: from.toLowerCase() === addrLower ? "sent" : "received",
|
||||
isError: false,
|
||||
contractAddress: (
|
||||
tt.token?.address_hash ||
|
||||
tt.token?.address ||
|
||||
""
|
||||
).toLowerCase(),
|
||||
holders: parseInt(tt.token?.holders_count || "0", 10),
|
||||
};
|
||||
}
|
||||
|
||||
@@ -84,7 +97,7 @@ async function fetchRecentTransactions(address, blockscoutUrl, count = 25) {
|
||||
txs.push(parseTx(tx, addrLower));
|
||||
}
|
||||
|
||||
// Deduplicate: skip token transfers whose tx hash is already in the list
|
||||
// Deduplicate: skip token transfers whose tx hash is already present
|
||||
const seenHashes = new Set(txs.map((t) => t.hash));
|
||||
for (const tt of ttJson.items || []) {
|
||||
if (seenHashes.has(tt.transaction_hash)) continue;
|
||||
@@ -97,4 +110,60 @@ async function fetchRecentTransactions(address, blockscoutUrl, count = 25) {
|
||||
return result;
|
||||
}
|
||||
|
||||
module.exports = { fetchRecentTransactions };
|
||||
// Check if a token transfer is spoofing a known symbol.
|
||||
// Returns true if the symbol matches a known token but the contract
|
||||
// address doesn't match the legitimate one.
|
||||
function isSpoofedSymbol(tx) {
|
||||
if (!tx.contractAddress) return false;
|
||||
const symbol = (tx.symbol || "").toUpperCase();
|
||||
if (!KNOWN_SYMBOLS.has(symbol)) return false;
|
||||
const legit = KNOWN_SYMBOLS.get(symbol);
|
||||
if (legit === null) return true; // "ETH" as ERC-20 is always fake
|
||||
return tx.contractAddress !== legit;
|
||||
}
|
||||
|
||||
// Pure filter function. Takes raw transactions and filter settings,
|
||||
// returns { transactions, newFraudContracts }.
|
||||
function filterTransactions(txs, filters = {}) {
|
||||
const fraudSet = new Set(
|
||||
(filters.fraudContracts || []).map((a) => a.toLowerCase()),
|
||||
);
|
||||
const newFraud = [];
|
||||
const filtered = [];
|
||||
|
||||
for (const tx of txs) {
|
||||
// Always filter spoofed known symbols and record the fraud contract
|
||||
if (isSpoofedSymbol(tx)) {
|
||||
if (tx.contractAddress && !fraudSet.has(tx.contractAddress)) {
|
||||
fraudSet.add(tx.contractAddress);
|
||||
newFraud.push(tx.contractAddress);
|
||||
}
|
||||
continue;
|
||||
}
|
||||
|
||||
// Filter fraud contracts if setting is on
|
||||
if (
|
||||
filters.hideFraudContracts &&
|
||||
tx.contractAddress &&
|
||||
fraudSet.has(tx.contractAddress)
|
||||
) {
|
||||
continue;
|
||||
}
|
||||
|
||||
// Filter low-holder tokens (<1000) if setting is on
|
||||
if (
|
||||
filters.hideLowHolderTokens &&
|
||||
tx.contractAddress &&
|
||||
tx.holders !== null &&
|
||||
tx.holders < 1000
|
||||
) {
|
||||
continue;
|
||||
}
|
||||
|
||||
filtered.push(tx);
|
||||
}
|
||||
|
||||
return { transactions: filtered, newFraudContracts: newFraud };
|
||||
}
|
||||
|
||||
module.exports = { fetchRecentTransactions, filterTransactions };
|
||||
|
||||
Reference in New Issue
Block a user