feat: add Etherscan label scraping and MetaMask phishing domain blocklist

- Add etherscanLabels module: scrapes Etherscan address pages for phishing/scam labels (Fake_Phishing*, Exploiter, scam warnings). Integrated as best-effort async check in addressWarnings. - Add phishingDomains module: fetches MetaMask's eth-phishing-detect blocklist (~231K domains) at runtime, caches in memory, refreshes every 24h. Checks hostnames with subdomain matching and whitelist overrides. - Integrate domain phishing checks into all approval flows: connection requests, transaction approvals, and signature requests show a prominent red warning banner when the requesting site is on the MetaMask blocklist. - Add unit tests for both modules (12 tests for etherscanLabels parsing, 15 tests for phishingDomains matching). Closes #114
2026-03-01 05:03:39 -08:00
parent bf01ae6f4d
commit e08b409043
8 changed files with 594 additions and 0 deletions
--- a/src/popup/index.html
+++ b/src/popup/index.html
@@ -1176,6 +1176,20 @@
            <!-- ============ TRANSACTION APPROVAL ============ -->
            <div id="view-approve-tx" class="view hidden">
                <h2 class="font-bold mb-2">Transaction Request</h2>
+                <div
+                    id="approve-tx-phishing-warning"
+                    class="mb-3 p-2 text-xs font-bold hidden"
+                    style="
+                        background: #fee2e2;
+                        color: #991b1b;
+                        border: 2px solid #dc2626;
+                        border-radius: 6px;
+                    "
+                >
+                    ⚠️ PHISHING WARNING: This site is on MetaMask's phishing
+                    blocklist. This transaction may steal your funds. Proceed
+                    with extreme caution.
+                </div>
                <p class="mb-2">
                    <span id="approve-tx-hostname" class="font-bold"></span>
                    wants to send a transaction.
@@ -1242,6 +1256,20 @@
            <!-- ============ SIGNATURE APPROVAL ============ -->
            <div id="view-approve-sign" class="view hidden">
                <h2 class="font-bold mb-2">Signature Request</h2>
+                <div
+                    id="approve-sign-phishing-warning"
+                    class="mb-3 p-2 text-xs font-bold hidden"
+                    style="
+                        background: #fee2e2;
+                        color: #991b1b;
+                        border: 2px solid #dc2626;
+                        border-radius: 6px;
+                    "
+                >
+                    ⚠️ PHISHING WARNING: This site is on MetaMask's phishing
+                    blocklist. Signing this message may authorize theft of your
+                    funds. Proceed with extreme caution.
+                </div>
                <p class="mb-2">
                    <span id="approve-sign-hostname" class="font-bold"></span>
                    wants you to sign a message.
@@ -1311,6 +1339,20 @@
            <!-- ============ SITE APPROVAL ============ -->
            <div id="view-approve-site" class="view hidden">
                <h2 class="font-bold mb-2">Connection Request</h2>
+                <div
+                    id="approve-site-phishing-warning"
+                    class="mb-3 p-2 text-xs font-bold hidden"
+                    style="
+                        background: #fee2e2;
+                        color: #991b1b;
+                        border: 2px solid #dc2626;
+                        border-radius: 6px;
+                    "
+                >
+                    ⚠️ PHISHING WARNING: This site is on MetaMask's phishing
+                    blocklist. Connecting your wallet may result in loss of
+                    funds. Proceed with extreme caution.
+                </div>
                <div class="mb-3">
                    <p class="mb-2">
                        <span id="approve-hostname" class="font-bold"></span>
--- a/src/popup/views/approval.js
+++ b/src/popup/views/approval.js
@@ -13,6 +13,7 @@ const { ERC20_ABI } = require("../../shared/constants");
 const { TOKEN_BY_ADDRESS } = require("../../shared/tokenList");
 const txStatus = require("./txStatus");
 const uniswap = require("../../shared/uniswap");
+const { isPhishingDomain } = require("../../shared/phishingDomains");

 const runtime =
    typeof browser !== "undefined" ? browser.runtime : chrome.runtime;
@@ -155,7 +156,24 @@ function decodeCalldata(data, toAddress) {
    return null;
 }

+function showPhishingWarning(elementId, hostname, isPhishing) {
+    const el = $(elementId);
+    if (!el) return;
+    // Check both the flag from background and a local re-check
+    if (isPhishing || isPhishingDomain(hostname)) {
+        el.classList.remove("hidden");
+    } else {
+        el.classList.add("hidden");
+    }
+}
+
 function showTxApproval(details) {
+    showPhishingWarning(
+        "approve-tx-phishing-warning",
+        details.hostname,
+        details.isPhishingDomain,
+    );
+
    const toAddr = details.txParams.to;
    const token = toAddr ? TOKEN_BY_ADDRESS.get(toAddr.toLowerCase()) : null;
    const ethValue = formatEther(details.txParams.value || "0");
@@ -323,6 +341,12 @@ function formatTypedDataHtml(jsonStr) {
 }

 function showSignApproval(details) {
+    showPhishingWarning(
+        "approve-sign-phishing-warning",
+        details.hostname,
+        details.isPhishingDomain,
+    );
+
    const sp = details.signParams;

    $("approve-sign-hostname").textContent = details.hostname;
@@ -382,6 +406,12 @@ function show(id) {
            showSignApproval(details);
            return;
        }
+        // Site connection approval
+        showPhishingWarning(
+            "approve-site-phishing-warning",
+            details.hostname,
+            details.isPhishingDomain,
+        );
        $("approve-hostname").textContent = details.hostname;
        $("approve-address").innerHTML = approvalAddressHtml(
            state.activeAddress,