feat: expand confirm-tx warnings — closes #114 (#118)
All checks were successful
check / check (push) Successful in 5s
Expands the confirm-tx warning system with three new warning types, all using the existing `visibility:hidden/visible` pattern from PR #98 (no animations, no layout shift).

## Changes

1. **Scam address list expanded** (7 → 652 addresses): Sourced from [MyEtherWallet/ethereum-lists](https://github.com/MyEtherWallet/ethereum-lists) darklist (MIT license). Checked synchronously before sending.
2. **Contract address warning**: When the recipient is a smart contract (detected via `getCode`), shows a warning that sending directly to a contract may result in permanent loss of funds.
3. **Null/burn address warning**: Detects known burn addresses (`0x0000...0000`, `0x...dead`, `0x...deadbeef`) and warns that funds are permanently destroyed.
4. **No-history warning** (existing from #98): Unchanged, still shows for EOAs with zero transaction history.

All warnings use reserved-space `visibility:hidden/visible` elements — no layout shift, no animations.

closes #114

Co-authored-by: clawbot <clawbot@noreply.git.eeqj.de>
Co-authored-by: user <user@Mac.lan guest wan>
Co-authored-by: clawbot <clawbot@eeqj.de>
Reviewed-on: #118
Co-authored-by: clawbot <sneak+clawbot@sneak.cloud>
Co-committed-by: clawbot <sneak+clawbot@sneak.cloud>
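As an added example for this review (not AutistMask's own code and not from the repository), the recipient checks the commit message lists, in JavaScript: the synchronous scam-list and burn-address checks that run before sending, then the `getCode` contract check and the zero-history check. It assumes an injected `rpc` object whose `getCode` and `getTransactionCount` methods stand in for the `eth_getCode` / `eth_getTransactionCount` JSON-RPC calls, a constructed two-entry scam set in place of the 652-entry darklist, and the zero-padded reading of `0x...dead` / `0x...deadbeef`.

```javascript
// Added example, not AutistMask's code. Classifies a transaction recipient into
// the warning tags described in the commit message; `rpc` is injected so the
// check runs offline against a stub.

// Constructed sample scam list (stand-in for the 652-entry darklist), lower-cased.
const SCAM_ADDRESSES = new Set([
  "0x1111111111111111111111111111111111111111",
  "0x5555555555555555555555555555555555555555",
]);

const ADDRESS_RE = /^0x[0-9a-f]{40}$/;

// Assumption: "0x...dead" and "0x...deadbeef" in the commit message mean the
// zero-padded addresses 0x000...dEaD and 0x000...deadbeef.
const BURN_SUFFIXES = ["dead", "deadbeef"];

// Lower-case and validate; checksum case must not affect list membership.
function normalizeAddress(address) {
  if (typeof address !== "string") throw new TypeError("address must be a string");
  const addr = address.trim().toLowerCase();
  if (!ADDRESS_RE.test(addr)) throw new Error("not a 20-byte hex address: " + address);
  return addr;
}

function isBurnAddress(address) {
  const hex = normalizeAddress(address).slice(2);
  if (/^0{40}$/.test(hex)) return true;
  return BURN_SUFFIXES.some((s) => hex === "0".repeat(40 - s.length) + s);
}

// Network-free checks, run synchronously before the transaction is sent.
function localWarnings(address, scamList = SCAM_ADDRESSES) {
  const addr = normalizeAddress(address);
  const warnings = [];
  if (scamList.has(addr)) warnings.push("scam");
  if (isBurnAddress(addr)) warnings.push("burn");
  return warnings;
}

// Full classification: local checks plus the RPC-backed ones. Any non-empty
// code means a contract; otherwise a nonce of 0 is treated as "no history"
// (assumption: nonce counts only outgoing transactions, which is what
// eth_getTransactionCount reports). An RPC failure yields "rpc-error" rather
// than silently reporting the address as clean.
async function classifyRecipient(address, rpc, scamList = SCAM_ADDRESSES) {
  const addr = normalizeAddress(address);
  const warnings = localWarnings(addr, scamList);
  try {
    const code = await rpc.getCode(addr);
    if (code && code !== "0x") {
      warnings.push("contract");
    } else {
      const nonce = await rpc.getTransactionCount(addr);
      if (nonce === 0) warnings.push("no-history");
    }
  } catch (err) {
    warnings.push("rpc-error");
  }
  return warnings.sort();
}

// Constructed stub RPC: one contract, one EOA with history, everything else empty.
const stubRpc = {
  code: { "0x2222222222222222222222222222222222222222": "0x6080604052" },
  nonces: { "0x3333333333333333333333333333333333333333": 5 },
  async getCode(addr) { return this.code[addr] || "0x"; },
  async getTransactionCount(addr) { return this.nonces[addr] || 0; },
};

if (typeof require !== "undefined" && require.main === module) {
  for (const a of [
    "0x1111111111111111111111111111111111111111",
    "0x2222222222222222222222222222222222222222",
    "0x000000000000000000000000000000000000dEaD",
  ]) {
    classifyRecipient(a, stubRpc).then((w) => console.log(a, w));
  }
}
```

Since the scam and burn checks never touch the network, a wallet can render those two warnings before the `getCode` round trip completes, which is what "checked synchronously before sending" allows; the RPC-backed tags arrive afterwards without changing layout if the warning elements are pre-reserved as the commit describes.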
This commit was merged in pull request #118.
README.md (57 lines changed)
@@ -15,10 +15,12 @@ Hence, a minimally viable ERC20 browser wallet/signer that works cross-platform.
Everything you need, nothing you don't. We import as few libraries as possible,
don't implement any crypto, and don't send user-specific data anywhere but a
(user-configurable) Ethereum RPC endpoint (which defaults to a public node). The
extension contacts exactly three external services: the configured RPC node for
extension contacts three user-configurable services: the configured RPC node for
blockchain interactions, a public CoinDesk API (no API key) for realtime price
information, and a Blockscout block-explorer API for transaction history and
token balances. All three endpoints are user-configurable.
token balances. It also fetches a community-maintained phishing domain blocklist
periodically and performs best-effort Etherscan address label lookups during
transaction confirmation.
In the extension is a hardcoded list of the top ERC20 contract addresses. You
can add any ERC20 contract by contract address if you wish, but the hardcoded
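Review bot: the unchanged sentence two lines above the edit, "don't send user-specific data anywhere but a (user-configurable) Ethereum RPC endpoint", no longer holds once this hunk adds "performs best-effort Etherscan address label lookups during transaction confirmation": the recipient of a pending transaction is user-specific data and it is sent to Etherscan. Amend that sentence in the same change (for example "don't send user-specific data anywhere but the services listed below") and say whether the lookup can be switched off, so the intro does not contradict the paragraph it now ends with.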
@@ -580,14 +582,25 @@ What the extension does NOT do:
- No analytics or telemetry services
- No token list APIs (user adds tokens manually by contract address)
- No phishing/blocklist APIs
- No Infura/Alchemy dependency (any JSON-RPC endpoint works)
- No backend servers operated by the developer
These three services (RPC endpoint, CoinDesk price API, and Blockscout API) are
the only external services. All three endpoints are user-configurable. Users who
want maximum privacy can point the RPC and Blockscout URLs at their own
self-hosted instances (price fetching can be disabled in a future version).
In addition to the three user-configurable services above (RPC endpoint,
CoinDesk price API, and Blockscout API), AutistMask also contacts:
- **Phishing domain blocklist**: A community-maintained phishing domain
blocklist is vendored into the extension at build time. At runtime, the
extension fetches the live list once every 24 hours to detect newly added
domains. Only the delta (domains not already in the vendored list) is kept in
memory, keeping runtime memory usage small. The delta is persisted to
localStorage if it is under 256 KiB.
- **Etherscan address labels**: When confirming a transaction, the extension
performs a best-effort lookup of the recipient address on Etherscan to check
for phishing/scam labels. This is a direct page fetch with no API key; the
user's browser makes the request.
Users who want maximum privacy can point the RPC and Blockscout URLs at their
own self-hosted instances (price fetching can be disabled in a future version).
### Dependencies
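Review bot: the context bullet "- No phishing/blocklist APIs" in the "does NOT do" list is left standing while the lines added directly below it describe fetching a live phishing domain blocklist every 24 hours and looking up recipient addresses on Etherscan; one of the two has to go. The new Etherscan bullet also says nothing about whether the lookup can be disabled, and the closing privacy paragraph still only tells users to self-host RPC and Blockscout, so a privacy-conscious user reading this section has no way to stop the recipient of every confirmed transaction from being sent to a third party: document a setting, or state plainly that there is none. Minor: the "persisted to localStorage if it is under 256 KiB" sentence should say what happens above that size (memory-only until the next fetch?).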
@@ -777,6 +790,21 @@ indexes it as a real token transfer.
designed as a sharp tool — users who understand the risks can configure the
wallet to show everything unfiltered, unix-style.
#### Phishing Domain Protection
AutistMask protects users from known phishing sites when they connect their
wallet or approve transactions/signatures. A community-maintained domain
blocklist is vendored into the extension at build time, providing immediate
protection without any network requests. At runtime, the extension fetches the
live list once every 24 hours and keeps only the delta (newly added domains not
in the vendored list) in memory. This architecture keeps runtime memory usage
small while ensuring fresh coverage of new phishing domains.
When a dApp on a blocklisted domain requests a wallet connection, transaction
approval, or signature, the approval popup displays a prominent red warning
banner alerting the user. The domain checker matches exact hostnames and all
parent domains (subdomain matching).
#### Transaction Decoding
When a dApp asks the user to approve a transaction, AutistMask attempts to
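Review bot: the delta-only design described in the first added paragraph ("keeps only the delta (newly added domains not in the vendored list) in memory") means domains removed upstream, such as false positives taken off the list, stay blocked until the vendored snapshot is rebuilt, because the 24-hour fetch can only add entries; say so here and state how often the vendored list is refreshed. The sentence "The domain checker matches exact hostnames and all parent domains" should also say how hostnames are normalised before comparison (lower-casing, dropping a trailing dot, comparing the ASCII/punycode form of IDNs), since without that a case or encoding variant of a listed hostname is not recognised as listed.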
@@ -859,6 +887,21 @@ Currently supported:
GPL-3.0. See [LICENSE](LICENSE).
### Third-Party Data Files
This repository includes data files from third-party projects that are not
covered by the GPL-3.0 license above. These files, their copyright holders, and
their licenses are:
| File | Source | Copyright | License |
| ---------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------- | --------------------------------- | -------------------------------------------------------------- |
| `src/shared/phishingBlocklist.json` | [eth-phishing-detect](https://github.com/AugurProject/eth-phishing-detect) community-maintained phishing domain blocklist | Copyright (c) 2018 kumavis | [DBAD (Don't Be a Dick)](https://github.com/philsturgeon/dbad) |
| `src/shared/scamlist.js` (address data from MyEtherWallet) | [ethereum-lists](https://github.com/MyEtherWallet/ethereum-lists) `addresses-darklist.json` | Copyright (c) 2020 MyEtherWallet | MIT |
| `src/shared/scamlist.js` (address data from EtherScamDB) | [EtherScamDB](https://github.com/MrLuit/EtherScamDB) `scams.yaml` | Copyright (c) 2018 Luit Hollander | MIT |
The full license texts for these third-party files are included in the
[LICENSE](LICENSE) file.
## Author
[@sneak](https://sneak.berlin)
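Review bot: the new table records each data file's source repository but not the upstream revision or date the snapshot was taken, which matters for lists that change continuously (the commit message's "7 → 652 addresses" reflects one particular state of `addresses-darklist.json`); add a commit hash or fetch-date column so a later refresh can be audited against it. Also worth confirming, and recording in LICENSE, that bundling the DBAD-licensed `src/shared/phishingBlocklist.json` into a GPL-3.0 extension is acceptable, since DBAD attaches conditions the GPL does not and the sentence "not covered by the GPL-3.0 license above" describes the files but the built extension ships them together.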