remove phishing domain whitelist support

Remove all whitelist functionality from the phishing domain system.
The blocklist now only checks the blacklist — no whitelist overrides.

- Remove vendoredWhitelist and deltaWhitelist Sets
- Remove whitelist checks in isPhishingDomain()
- Remove whitelist from delta storage persistence
- Remove whitelist from loadConfig() delta computation
- Remove whitelist-specific test cases
- Update README to remove whitelist mention

Closes #114

LICENSE

@@ -672,3 +672,110 @@ may consider it more useful to permit linking proprietary applications with
 the library.  If this is what you want to do, use the GNU Lesser General
 Public License instead of this License.  But first, please read
 <https://www.gnu.org/licenses/why-not-lgpl.html>.
+
+===========================================================================
+THIRD-PARTY FILES
+===========================================================================
+
+The following files are not original to this project and are distributed
+under their own licenses. They are NOT covered by the GPL-3.0 license above.
+
+---------------------------------------------------------------------------
+File: src/shared/phishingBlocklist.json
+Source: https://github.com/AugurProject/eth-phishing-detect (config.json)
+Copyright: Copyright (c) 2018 kumavis
+License: Don't Be a Dick Public License (DBAD), Version 1.2
+---------------------------------------------------------------------------
+
+DON'T BE A DICK PUBLIC LICENSE
+
+Version 1.2, February 2021
+
+Copyright (C) 2018 kumavis
+
+Everyone is permitted to copy and distribute verbatim or modified
+copies of this license document.
+
+DON'T BE A DICK PUBLIC LICENSE
+TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+ 1. Do whatever you like with the original work, just don't be a dick.
+
+     Being a dick includes - but is not limited to - the following instances:
+
+     1a. Outright copyright infringement - Don't just copy the original
+         work/works and change the name.
+     1b. Selling the unmodified original with no work done what-so-ever,
+         that's REALLY being a dick.
+     1c. Modifying the original work to contain hidden harmful content.
+         That would make you a PROPER dick.
+
+ 2. If you become rich through modifications, related works/services, or
+    supporting the original work, share the love. Only a dick would make
+    loads off this work and not buy the original work's creator(s) a pint.
+
+ 3. Code is provided with no warranty. Using somebody else's code and
+    bitching when it goes wrong makes you a DONKEY dick. Fix the problem
+    yourself. A non-dick would submit the fix back or submit a bug report.
+
+ 4. If you use code, calling it your own would make you a ROYAL dick.
+    Alternatively, even just a comment giving attribution to where you found
+    the code would be OK.
+
+---------------------------------------------------------------------------
+File: src/shared/scamlist.js (address data from MyEtherWallet ethereum-lists)
+Source: https://github.com/MyEtherWallet/ethereum-lists (addresses-darklist.json)
+Copyright: Copyright (c) 2020 MyEtherWallet
+License: MIT License
+---------------------------------------------------------------------------
+
+MIT License
+
+Copyright (c) 2020 MyEtherWallet
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
+---------------------------------------------------------------------------
+File: src/shared/scamlist.js (address data from EtherScamDB)
+Source: https://github.com/MrLuit/EtherScamDB (scams.yaml)
+Copyright: Copyright (c) 2018 Luit Hollander
+License: MIT License
+---------------------------------------------------------------------------
+
+MIT License
+
+Copyright (c) 2018 Luit Hollander
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -15,10 +15,12 @@ Hence, a minimally viable ERC20 browser wallet/signer that works cross-platform.
 Everything you need, nothing you don't. We import as few libraries as possible,
 don't implement any crypto, and don't send user-specific data anywhere but a
 (user-configurable) Ethereum RPC endpoint (which defaults to a public node). The
-extension contacts exactly three external services: the configured RPC node for
+extension contacts three user-configurable services: the configured RPC node for
 blockchain interactions, a public CoinDesk API (no API key) for realtime price
 information, and a Blockscout block-explorer API for transaction history and
-token balances. All three endpoints are user-configurable.
+token balances. It also fetches a community-maintained phishing domain blocklist
+periodically and performs best-effort Etherscan address label lookups during
+transaction confirmation.
 
 In the extension is a hardcoded list of the top ERC20 contract addresses. You
 can add any ERC20 contract by contract address if you wish, but the hardcoded
@@ -435,25 +437,29 @@ transitions.
 #### TransactionDetail
 
 - **When**: User tapped a transaction row from AddressDetail or AddressToken.
-- **Elements**:
+- **Elements** (grouped into logical blocks using light well containers; field
+  labels are self-explanatory so groups have no headings):
     - "Transaction" heading, "Back" button
+    - Transaction hash: full hash (tap to copy) + etherscan link
     - Type: transaction classification — one of: Native ETH Transfer, ERC-20
       Token Transfer, Swap, Token Approval, Contract Call, Contract Creation
+    - Status: "Success" or "Failed"
+    - From: blockie + color dot + full address (tap to copy) + etherscan link;
+      ENS name if available
+    - To: blockie + color dot + full address (tap to copy) + etherscan link; ENS
+      name if available
+    - Time: ISO datetime + relative age in parentheses
+    - Block: block number (tap to copy) + etherscan block link
+    - Amount: value + symbol (bold)
+    - Native quantity: raw integer + unit (shown when available)
     - Token contract: shown for ERC-20 transfers — color dot + full contract
       address (tap to copy) + etherscan token link
-    - Status: "Success" or "Failed"
+    - Decoded details (shown for contract calls): action name, decoded
-    - Time: ISO datetime + relative age in parentheses
+      parameters, token details, swap steps
-    - Amount: value + symbol (bold)
+    - Network details (shown when on-chain data is available): nonce, gas price,
-    - From: blockie + color dot + full address (tap to copy) + etherscan link
+      gas used, transaction fee (all tap to copy)
-        - ENS name if available
+    - Raw data (shown when calldata is present): full calldata in monospace
-    - To: blockie + color dot + full address (tap to copy) + etherscan link
+      dashed border
-        - ENS name if available
-    - Transaction hash: full hash (tap to copy) + etherscan link
-    - Block: block number (tap to copy) + etherscan block link
-    - Nonce: transaction nonce (tap to copy)
-    - Transaction fee: ETH amount (tap to copy)
-    - Gas price: value in Gwei (tap to copy)
-    - Gas used: integer (tap to copy)
 - **Transitions**:
     - "Back" → **AddressToken** (if `selectedToken` set) or **AddressDetail**
 
@@ -576,14 +582,25 @@ What the extension does NOT do:
 
 - No analytics or telemetry services
 - No token list APIs (user adds tokens manually by contract address)
-- No phishing/blocklist APIs
 - No Infura/Alchemy dependency (any JSON-RPC endpoint works)
 - No backend servers operated by the developer
 
-These three services (RPC endpoint, CoinDesk price API, and Blockscout API) are
+In addition to the three user-configurable services above (RPC endpoint,
-the only external services. All three endpoints are user-configurable. Users who
+CoinDesk price API, and Blockscout API), AutistMask also contacts:
-want maximum privacy can point the RPC and Blockscout URLs at their own
+
-self-hosted instances (price fetching can be disabled in a future version).
+- **Phishing domain blocklist**: A community-maintained phishing domain
+  blocklist is vendored into the extension at build time. At runtime, the
+  extension fetches the live list once every 24 hours to detect newly added
+  domains. Only the delta (domains not already in the vendored list) is kept in
+  memory, keeping runtime memory usage small. The delta is persisted to
+  localStorage if it is under 256 KiB.
+- **Etherscan address labels**: When confirming a transaction, the extension
+  performs a best-effort lookup of the recipient address on Etherscan to check
+  for phishing/scam labels. This is a direct page fetch with no API key; the
+  user's browser makes the request.
+
+Users who want maximum privacy can point the RPC and Blockscout URLs at their
+own self-hosted instances (price fetching can be disabled in a future version).
 
 ### Dependencies
 
@@ -773,6 +790,21 @@ indexes it as a real token transfer.
   designed as a sharp tool — users who understand the risks can configure the
   wallet to show everything unfiltered, unix-style.
 
+#### Phishing Domain Protection
+
+AutistMask protects users from known phishing sites when they connect their
+wallet or approve transactions/signatures. A community-maintained domain
+blocklist is vendored into the extension at build time, providing immediate
+protection without any network requests. At runtime, the extension fetches the
+live list once every 24 hours and keeps only the delta (newly added domains not
+in the vendored list) in memory. This architecture keeps runtime memory usage
+small while ensuring fresh coverage of new phishing domains.
+
+When a dApp on a blocklisted domain requests a wallet connection, transaction
+approval, or signature, the approval popup displays a prominent red warning
+banner alerting the user. The domain checker matches exact hostnames and all
+parent domains (subdomain matching).
+
 #### Transaction Decoding
 
 When a dApp asks the user to approve a transaction, AutistMask attempts to
@@ -855,6 +887,21 @@ Currently supported:
 
 GPL-3.0. See [LICENSE](LICENSE).
 
+### Third-Party Data Files
+
+This repository includes data files from third-party projects that are not
+covered by the GPL-3.0 license above. These files, their copyright holders, and
+their licenses are:
+
+| File                                                       | Source                                                                                                                    | Copyright                         | License                                                        |
+| ---------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------- | --------------------------------- | -------------------------------------------------------------- |
+| `src/shared/phishingBlocklist.json`                        | [eth-phishing-detect](https://github.com/AugurProject/eth-phishing-detect) community-maintained phishing domain blocklist | Copyright (c) 2018 kumavis        | [DBAD (Don't Be a Dick)](https://github.com/philsturgeon/dbad) |
+| `src/shared/scamlist.js` (address data from MyEtherWallet) | [ethereum-lists](https://github.com/MyEtherWallet/ethereum-lists) `addresses-darklist.json`                               | Copyright (c) 2020 MyEtherWallet  | MIT                                                            |
+| `src/shared/scamlist.js` (address data from EtherScamDB)   | [EtherScamDB](https://github.com/MrLuit/EtherScamDB) `scams.yaml`                                                         | Copyright (c) 2018 Luit Hollander | MIT                                                            |
+
+The full license texts for these third-party files are included in the
+[LICENSE](LICENSE) file.
+
 ## Author
 
 [@sneak](https://sneak.berlin)

src/background/index.js

@@ -12,6 +12,11 @@ const { refreshBalances, getProvider } = require("../shared/balances");
 const { debugFetch } = require("../shared/log");
 const { decryptWithPassword } = require("../shared/vault");
 const { getSignerForAddress } = require("../shared/wallet");
+const {
+    isPhishingDomain,
+    updatePhishingList,
+    startPeriodicRefresh,
+} = require("../shared/phishingDomains");
 
 const storageApi =
     typeof browser !== "undefined"
@@ -571,6 +576,11 @@ async function backgroundRefresh() {
 
 setInterval(backgroundRefresh, BACKGROUND_REFRESH_INTERVAL);
 
+// Fetch the phishing domain blocklist delta on startup and refresh every 24h.
+// The vendored blocklist is bundled at build time; this fetches only new entries.
+updatePhishingList();
+startPeriodicRefresh();
+
 // When approval window is closed without a response, treat as rejection
 if (windowsApi && windowsApi.onRemoved) {
     windowsApi.onRemoved.addListener((windowId) => {
@@ -643,6 +653,8 @@ runtime.onMessage.addListener((msg, sender, sendResponse) => {
                 resp.type = "sign";
                 resp.signParams = approval.signParams;
             }
+            // Flag if the requesting domain is on the phishing blocklist.
+            resp.isPhishingDomain = isPhishingDomain(approval.hostname);
             sendResponse(resp);
         } else {
             sendResponse(null);

src/popup/index.html

@@ -605,6 +605,43 @@
                         Double-check the address before sending.
                     </div>
                 </div>
+                <div
+                    id="confirm-contract-warning"
+                    class="mb-2"
+                    style="visibility: hidden"
+                >
+                    <div
+                        class="border border-red-500 border-dashed p-2 text-xs font-bold text-red-500"
+                    >
+                        WARNING: The recipient is a smart contract. Sending ETH
+                        or tokens directly to a contract may result in permanent
+                        loss of funds.
+                    </div>
+                </div>
+                <div
+                    id="confirm-burn-warning"
+                    class="mb-2"
+                    style="visibility: hidden"
+                >
+                    <div
+                        class="border border-red-500 border-dashed p-2 text-xs font-bold text-red-500"
+                    >
+                        WARNING: This is a known null/burn address. Funds sent
+                        here are permanently destroyed and cannot be recovered.
+                    </div>
+                </div>
+                <div
+                    id="confirm-etherscan-warning"
+                    class="mb-2"
+                    style="visibility: hidden"
+                >
+                    <div
+                        class="border border-red-500 border-dashed p-2 text-xs font-bold text-red-500"
+                    >
+                        WARNING: Etherscan has flagged this address as
+                        phishing/scam. Do not send funds to this address.
+                    </div>
+                </div>
                 <div
                     id="confirm-errors"
                     class="mb-2 border border-border border-dashed p-2"
@@ -1064,93 +1101,149 @@
                 <h2 id="tx-detail-heading" class="font-bold mb-2">
                     Transaction
                 </h2>
-                <div id="tx-detail-type-section" class="mb-4 hidden">
+
-                    <div class="text-xs text-muted mb-1">Type</div>
+                <!-- ── Identity ── -->
-                    <div id="tx-detail-type" class="text-xs font-bold"></div>
+                <div class="bg-well p-3 mx-1 mb-3">
-                </div>
+                    <div class="mb-2">
-                <div class="mb-4">
+                        <div class="text-xs text-muted mb-1">
-                    <div class="text-xs text-muted mb-1">Status</div>
+                            Transaction hash
-                    <div id="tx-detail-status" class="text-xs"></div>
+                        </div>
-                </div>
-                <div class="mb-4">
-                    <div class="text-xs text-muted mb-1">Time</div>
-                    <div id="tx-detail-time" class="text-xs"></div>
-                </div>
-                <div class="mb-4">
-                    <div class="text-xs text-muted mb-1">Amount</div>
-                    <div id="tx-detail-value" class="text-xs"></div>
-                </div>
-                <div class="mb-4 hidden">
-                    <div class="text-xs text-muted mb-1">Native quantity</div>
-                    <div id="tx-detail-native" class="text-xs"></div>
-                </div>
-                <div class="mb-4">
-                    <div class="text-xs text-muted mb-1">From</div>
-                    <div id="tx-detail-from" class="text-xs break-all"></div>
-                </div>
-                <div class="mb-4">
-                    <div class="text-xs text-muted mb-1">To</div>
-                    <div id="tx-detail-to" class="text-xs break-all"></div>
-                </div>
-                <div id="tx-detail-token-contract-section" class="mb-4 hidden">
-                    <div class="text-xs text-muted mb-1">Token contract</div>
-                    <div
-                        id="tx-detail-token-contract"
-                        class="text-xs break-all"
-                    ></div>
-                </div>
-                <div id="tx-detail-calldata-section" class="mb-4 hidden">
-                    <div
-                        id="tx-detail-calldata-well"
-                        class="mb-3 border border-border border-dashed p-2"
-                    >
-                        <div class="text-xs text-muted mb-1">Action</div>
                         <div
-                            id="tx-detail-calldata-action"
+                            id="tx-detail-hash"
-                            class="text-xs font-bold mb-2"
+                            class="text-xs break-all"
                         ></div>
+                    </div>
+                    <div id="tx-detail-type-section" class="mb-2 hidden">
+                        <div class="text-xs text-muted mb-1">Type</div>
                         <div
-                            id="tx-detail-calldata-details"
+                            id="tx-detail-type"
-                            class="text-xs"
+                            class="text-xs font-bold"
+                        ></div>
+                    </div>
+                    <div class="mb-2">
+                        <div class="text-xs text-muted mb-1">Status</div>
+                        <div id="tx-detail-status" class="text-xs"></div>
+                    </div>
+                    <div class="mb-2">
+                        <div class="text-xs text-muted mb-1">From</div>
+                        <div
+                            id="tx-detail-from"
+                            class="text-xs break-all"
+                        ></div>
+                    </div>
+                    <div class="mb-2">
+                        <div class="text-xs text-muted mb-1">To</div>
+                        <div id="tx-detail-to" class="text-xs break-all"></div>
+                    </div>
+                </div>
+
+                <!-- ── Timing ── -->
+                <div class="bg-well p-3 mx-1 mb-3">
+                    <div class="mb-2">
+                        <div class="text-xs text-muted mb-1">Time</div>
+                        <div id="tx-detail-time" class="text-xs"></div>
+                    </div>
+                    <div id="tx-detail-block-section" class="mb-2 hidden">
+                        <div class="text-xs text-muted mb-1">Block</div>
+                        <div id="tx-detail-block" class="text-xs"></div>
+                    </div>
+                </div>
+
+                <!-- ── Value ── -->
+                <div class="bg-well p-3 mx-1 mb-3">
+                    <div class="mb-2">
+                        <div class="text-xs text-muted mb-1">Amount</div>
+                        <div id="tx-detail-value" class="text-xs"></div>
+                    </div>
+                    <div class="mb-2 hidden">
+                        <div class="text-xs text-muted mb-1">
+                            Native quantity
+                        </div>
+                        <div id="tx-detail-native" class="text-xs"></div>
+                    </div>
+                    <div
+                        id="tx-detail-token-contract-section"
+                        class="mb-2 hidden"
+                    >
+                        <div class="text-xs text-muted mb-1">
+                            Token contract
+                        </div>
+                        <div
+                            id="tx-detail-token-contract"
+                            class="text-xs break-all"
                         ></div>
                     </div>
                 </div>
-                <div class="mb-4">
+
-                    <div class="text-xs text-muted mb-1">Transaction hash</div>
+                <!-- ── Decoded details ── -->
-                    <div id="tx-detail-hash" class="text-xs break-all"></div>
+                <div id="tx-detail-calldata-section" class="hidden">
+                    <div class="bg-well p-3 mx-1 mb-3">
+                        <div id="tx-detail-calldata-well" class="mb-2">
+                            <div class="text-xs text-muted mb-1">Action</div>
+                            <div
+                                id="tx-detail-calldata-action"
+                                class="text-xs font-bold mb-2"
+                            ></div>
+                            <div
+                                id="tx-detail-calldata-details"
+                                class="text-xs"
+                            ></div>
+                        </div>
+                    </div>
                 </div>
-                <div id="tx-detail-block-section" class="mb-4 hidden">
+
-                    <div class="text-xs text-muted mb-1">Block</div>
+                <!-- ── Network details ── -->
-                    <div id="tx-detail-block" class="text-xs"></div>
+                <div id="tx-detail-network-section" class="hidden">
+                    <div class="bg-well p-3 mx-1 mb-3">
+                        <div id="tx-detail-nonce-section" class="mb-2 hidden">
+                            <div class="text-xs text-muted mb-1">Nonce</div>
+                            <div id="tx-detail-nonce" class="text-xs"></div>
+                        </div>
+                        <div
+                            id="tx-detail-gasprice-section"
+                            class="mb-2 hidden"
+                        >
+                            <div class="text-xs text-muted mb-1">Gas price</div>
+                            <div id="tx-detail-gasprice" class="text-xs"></div>
+                        </div>
+                        <div id="tx-detail-gasused-section" class="mb-2 hidden">
+                            <div class="text-xs text-muted mb-1">Gas used</div>
+                            <div id="tx-detail-gasused" class="text-xs"></div>
+                        </div>
+                        <div id="tx-detail-fee-section" class="mb-2 hidden">
+                            <div class="text-xs text-muted mb-1">
+                                Transaction fee
+                            </div>
+                            <div id="tx-detail-fee" class="text-xs"></div>
+                        </div>
+                    </div>
                 </div>
-                <div id="tx-detail-nonce-section" class="mb-4 hidden">
+
-                    <div class="text-xs text-muted mb-1">Nonce</div>
+                <!-- ── Raw data ── -->
-                    <div id="tx-detail-nonce" class="text-xs"></div>
+                <div id="tx-detail-rawdata-section" class="hidden">
-                </div>
+                    <div class="bg-well p-3 mx-1 mb-3">
-                <div id="tx-detail-fee-section" class="mb-4 hidden">
+                        <div class="mb-2">
-                    <div class="text-xs text-muted mb-1">Transaction fee</div>
+                            <div class="text-xs text-muted mb-1">Raw data</div>
-                    <div id="tx-detail-fee" class="text-xs"></div>
+                            <div
-                </div>
+                                id="tx-detail-rawdata"
-                <div id="tx-detail-gasprice-section" class="mb-4 hidden">
+                                class="text-xs break-all font-mono border border-border border-dashed p-2"
-                    <div class="text-xs text-muted mb-1">Gas price</div>
+                            ></div>
-                    <div id="tx-detail-gasprice" class="text-xs"></div>
+                        </div>
-                </div>
+                    </div>
-                <div id="tx-detail-gasused-section" class="mb-4 hidden">
-                    <div class="text-xs text-muted mb-1">Gas used</div>
-                    <div id="tx-detail-gasused" class="text-xs"></div>
-                </div>
-                <div id="tx-detail-rawdata-section" class="mb-4 hidden">
-                    <div class="text-xs text-muted mb-1">Raw data</div>
-                    <div
-                        id="tx-detail-rawdata"
-                        class="text-xs break-all font-mono border border-border border-dashed p-2"
-                    ></div>
                 </div>
             </div>
 
             <!-- ============ TRANSACTION APPROVAL ============ -->
             <div id="view-approve-tx" class="view hidden">
                 <h2 class="font-bold mb-2">Transaction Request</h2>
+                <div
+                    id="approve-tx-phishing-warning"
+                    class="mb-3 p-2 text-xs font-bold hidden bg-red-100 text-red-800 border-2 border-red-600 rounded-md"
+                >
+                    ⚠️ PHISHING WARNING: This site is on a known phishing
+                    blocklist. This transaction may steal your funds. Proceed
+                    with extreme caution.
+                </div>
                 <p class="mb-2">
                     <span id="approve-tx-hostname" class="font-bold"></span>
                     wants to send a transaction.
@@ -1217,6 +1310,14 @@
             <!-- ============ SIGNATURE APPROVAL ============ -->
             <div id="view-approve-sign" class="view hidden">
                 <h2 class="font-bold mb-2">Signature Request</h2>
+                <div
+                    id="approve-sign-phishing-warning"
+                    class="mb-3 p-2 text-xs font-bold hidden bg-red-100 text-red-800 border-2 border-red-600 rounded-md"
+                >
+                    ⚠️ PHISHING WARNING: This site is on a known phishing
+                    blocklist. Signing this message may authorize theft of your
+                    funds. Proceed with extreme caution.
+                </div>
                 <p class="mb-2">
                     <span id="approve-sign-hostname" class="font-bold"></span>
                     wants you to sign a message.
@@ -1286,6 +1387,14 @@
             <!-- ============ SITE APPROVAL ============ -->
             <div id="view-approve-site" class="view hidden">
                 <h2 class="font-bold mb-2">Connection Request</h2>
+                <div
+                    id="approve-site-phishing-warning"
+                    class="mb-3 p-2 text-xs font-bold hidden bg-red-100 text-red-800 border-2 border-red-600 rounded-md"
+                >
+                    ⚠️ PHISHING WARNING: This site is on a known phishing
+                    blocklist. Connecting your wallet may result in loss of
+                    funds. Proceed with extreme caution.
+                </div>
                 <div class="mb-3">
                     <p class="mb-2">
                         <span id="approve-hostname" class="font-bold"></span>

src/popup/views/approval.js

@@ -13,7 +13,6 @@ const { ERC20_ABI } = require("../../shared/constants");
 const { TOKEN_BY_ADDRESS } = require("../../shared/tokenList");
 const txStatus = require("./txStatus");
 const uniswap = require("../../shared/uniswap");
-
 const runtime =
     typeof browser !== "undefined" ? browser.runtime : chrome.runtime;
 
@@ -155,7 +154,24 @@ function decodeCalldata(data, toAddress) {
     return null;
 }
 
+function showPhishingWarning(elementId, isPhishing) {
+    const el = $(elementId);
+    if (!el) return;
+    // The background script performs the authoritative phishing domain check
+    // and passes the result via the isPhishingDomain flag.
+    if (isPhishing) {
+        el.classList.remove("hidden");
+    } else {
+        el.classList.add("hidden");
+    }
+}
+
 function showTxApproval(details) {
+    showPhishingWarning(
+        "approve-tx-phishing-warning",
+        details.isPhishingDomain,
+    );
+
     const toAddr = details.txParams.to;
     const token = toAddr ? TOKEN_BY_ADDRESS.get(toAddr.toLowerCase()) : null;
     const ethValue = formatEther(details.txParams.value || "0");
@@ -323,6 +339,11 @@ function formatTypedDataHtml(jsonStr) {
 }
 
 function showSignApproval(details) {
+    showPhishingWarning(
+        "approve-sign-phishing-warning",
+        details.isPhishingDomain,
+    );
+
     const sp = details.signParams;
 
     $("approve-sign-hostname").textContent = details.hostname;
@@ -382,6 +403,11 @@ function show(id) {
             showSignApproval(details);
             return;
         }
+        // Site connection approval
+        showPhishingWarning(
+            "approve-site-phishing-warning",
+            details.isPhishingDomain,
+        );
         $("approve-hostname").textContent = details.hostname;
         $("approve-address").innerHTML = approvalAddressHtml(
             state.activeAddress,

src/popup/views/confirmTx.js

@@ -25,8 +25,11 @@ const { getSignerForAddress } = require("../../shared/wallet");
 const { decryptWithPassword } = require("../../shared/vault");
 const { formatUsd, getPrice } = require("../../shared/prices");
 const { getProvider } = require("../../shared/balances");
-const { isScamAddress } = require("../../shared/scamlist");
+const {
-const { ERC20_ABI } = require("../../shared/constants");
+    getLocalWarnings,
+    getFullWarnings,
+} = require("../../shared/addressWarnings");
+const { ERC20_ABI, isBurnAddress } = require("../../shared/constants");
 const { log } = require("../../shared/log");
 const makeBlockie = require("ethereum-blockies-base64");
 const txStatus = require("./txStatus");
@@ -167,23 +170,17 @@ function show(txInfo) {
         $("confirm-balance").textContent = valueWithUsd(bal + " ETH", balUsd);
     }
 
-    // Check for warnings
+    // Check for warnings (synchronous local checks)
-    const warnings = [];
+    const localWarnings = getLocalWarnings(txInfo.to, {
-    if (isScamAddress(txInfo.to)) {
+        fromAddress: txInfo.from,
-        warnings.push(
+    });
-            "This address is on a known scam/fraud list. Do not send funds to this address.",
-        );
-    }
-    if (txInfo.to.toLowerCase() === txInfo.from.toLowerCase()) {
-        warnings.push("You are sending to your own address.");
-    }
 
     const warningsEl = $("confirm-warnings");
-    if (warnings.length > 0) {
+    if (localWarnings.length > 0) {
-        warningsEl.innerHTML = warnings
+        warningsEl.innerHTML = localWarnings
             .map(
                 (w) =>
-                    `<div class="border border-border border-dashed p-2 mb-1 text-xs font-bold">WARNING: ${w}</div>`,
+                    `<div class="border border-border border-dashed p-2 mb-1 text-xs font-bold">WARNING: ${w.message}</div>`,
             )
             .join("");
         warningsEl.style.visibility = "visible";
@@ -247,8 +244,16 @@ function show(txInfo) {
     state.viewData = { pendingTx: txInfo };
     showView("confirm-tx");
 
-    // Reset recipient warning to hidden (space always reserved, no layout shift)
+    // Reset async warnings to hidden (space always reserved, no layout shift)
     $("confirm-recipient-warning").style.visibility = "hidden";
+    $("confirm-contract-warning").style.visibility = "hidden";
+    $("confirm-burn-warning").style.visibility = "hidden";
+    $("confirm-etherscan-warning").style.visibility = "hidden";
+
+    // Show burn warning via reserved element (in addition to inline warning)
+    if (isBurnAddress(txInfo.to)) {
+        $("confirm-burn-warning").style.visibility = "visible";
+    }
 
     estimateGas(txInfo);
     checkRecipientHistory(txInfo);
@@ -295,19 +300,21 @@ async function estimateGas(txInfo) {
 }
 
 async function checkRecipientHistory(txInfo) {
-    const el = $("confirm-recipient-warning");
     try {
         const provider = getProvider(state.rpcUrl);
-        // Skip warning for contract addresses — they may legitimately
+        const asyncWarnings = await getFullWarnings(txInfo.to, provider, {
-        // have zero outgoing transactions (getTransactionCount returns
+            fromAddress: txInfo.from,
-        // the nonce, i.e. sent-tx count only).
+        });
-        const code = await provider.getCode(txInfo.to);
+        for (const w of asyncWarnings) {
-        if (code && code !== "0x") {
+            if (w.type === "contract") {
-            return;
+                $("confirm-contract-warning").style.visibility = "visible";
-        }
+            }
-        const txCount = await provider.getTransactionCount(txInfo.to);
+            if (w.type === "new-address") {
-        if (txCount === 0) {
+                $("confirm-recipient-warning").style.visibility = "visible";
-            el.style.visibility = "visible";
+            }
+            if (w.type === "etherscan-phishing") {
+                $("confirm-etherscan-warning").style.visibility = "visible";
+            }
         }
     } catch (e) {
         log.errorf("recipient history check failed:", e.message);

src/popup/views/transactionDetail.js

@@ -197,6 +197,7 @@ function render() {
         "tx-detail-fee-section",
         "tx-detail-gasprice-section",
         "tx-detail-gasused-section",
+        "tx-detail-network-section",
     ]) {
         const el = $(id);
         if (el) el.classList.add("hidden");
@@ -285,6 +286,21 @@ function populateOnChainDetails(txData) {
         );
     }
 
+    // Show the network details wrapper if any child section is visible
+    const networkWrapper = $("tx-detail-network-section");
+    if (networkWrapper) {
+        const hasVisible = [
+            "tx-detail-nonce-section",
+            "tx-detail-fee-section",
+            "tx-detail-gasprice-section",
+            "tx-detail-gasused-section",
+        ].some((id) => {
+            const el = $(id);
+            return el && !el.classList.contains("hidden");
+        });
+        if (hasVisible) networkWrapper.classList.remove("hidden");
+    }
+
     // Bind copy handlers for newly added elements
     for (const id of [
         "tx-detail-block-section",

src/shared/addressWarnings.js

@@ -0,0 +1,114 @@
+// Address warning module.
+// Provides local and async (RPC-based) warning checks for Ethereum addresses.
+// Returns arrays of {type, message, severity} objects.
+
+const { isScamAddress } = require("./scamlist");
+const { isBurnAddress } = require("./constants");
+const { checkEtherscanLabel } = require("./etherscanLabels");
+const { log } = require("./log");
+
+/**
+ * Check an address against local-only lists (scam, burn, self-send).
+ * Synchronous — no network calls.
+ *
+ * @param {string} address - The target address to check.
+ * @param {object} [options] - Optional context.
+ * @param {string} [options.fromAddress] - Sender address (for self-send check).
+ * @returns {Array<{type: string, message: string, severity: string}>}
+ */
+function getLocalWarnings(address, options = {}) {
+    const warnings = [];
+    const addr = address.toLowerCase();
+
+    if (isScamAddress(addr)) {
+        warnings.push({
+            type: "scam",
+            message:
+                "This address is on a known scam/fraud list. Do not send funds to this address.",
+            severity: "critical",
+        });
+    }
+
+    if (isBurnAddress(addr)) {
+        warnings.push({
+            type: "burn",
+            message:
+                "This is a known null/burn address. Funds sent here are permanently destroyed and cannot be recovered.",
+            severity: "critical",
+        });
+    }
+
+    if (options.fromAddress && addr === options.fromAddress.toLowerCase()) {
+        warnings.push({
+            type: "self-send",
+            message: "You are sending to your own address.",
+            severity: "warning",
+        });
+    }
+
+    return warnings;
+}
+
+/**
+ * Check an address against local lists AND via RPC queries.
+ * Async — performs network calls to check contract status and tx history.
+ *
+ * @param {string} address - The target address to check.
+ * @param {object} provider - An ethers.js provider instance.
+ * @param {object} [options] - Optional context.
+ * @param {string} [options.fromAddress] - Sender address (for self-send check).
+ * @returns {Promise<Array<{type: string, message: string, severity: string}>>}
+ */
+async function getFullWarnings(address, provider, options = {}) {
+    const warnings = getLocalWarnings(address, options);
+
+    let isContract = false;
+    try {
+        const code = await provider.getCode(address);
+        if (code && code !== "0x") {
+            isContract = true;
+            warnings.push({
+                type: "contract",
+                message:
+                    "This address is a smart contract, not a regular wallet.",
+                severity: "warning",
+            });
+        }
+    } catch (e) {
+        log.errorf("contract check failed:", e.message);
+    }
+
+    // Skip tx count check for contracts — they may legitimately have
+    // zero inbound EOA transactions.
+    if (!isContract) {
+        try {
+            const txCount = await provider.getTransactionCount(address);
+            if (txCount === 0) {
+                warnings.push({
+                    type: "new-address",
+                    message:
+                        "This address has never sent a transaction. Double-check it is correct.",
+                    severity: "info",
+                });
+            }
+        } catch (e) {
+            log.errorf("tx count check failed:", e.message);
+        }
+    }
+
+    // Etherscan label check (best-effort async — network failures are silent).
+    // Runs for ALL addresses including contracts, since many dangerous
+    // flagged addresses on Etherscan (drainers, phishing contracts) are contracts.
+    try {
+        const etherscanWarning = await checkEtherscanLabel(address);
+        if (etherscanWarning) {
+            warnings.push(etherscanWarning);
+        }
+    } catch (e) {
+        log.errorf("etherscan label check failed:", e.message);
+    }
+
+    return warnings;
+}
+
+module.exports = { getLocalWarnings, getFullWarnings };

src/shared/constants.js

@@ -20,6 +20,19 @@ const ERC20_ABI = [
     "function approve(address spender, uint256 amount) returns (bool)",
 ];
 
+// Known null/burn addresses that permanently destroy funds.
+const BURN_ADDRESSES = new Set([
+    "0x0000000000000000000000000000000000000000",
+    "0x0000000000000000000000000000000000000001",
+    "0x000000000000000000000000000000000000dead",
+    "0xdead000000000000000000000000000000000000",
+    "0x00000000000000000000000000000000deadbeef",
+]);
+
+function isBurnAddress(address) {
+    return BURN_ADDRESSES.has(address.toLowerCase());
+}
+
 module.exports = {
     DEBUG,
     DEBUG_MNEMONIC,
@@ -28,4 +41,6 @@ module.exports = {
     DEFAULT_BLOCKSCOUT_URL,
     BIP44_ETH_PATH,
     ERC20_ABI,
+    BURN_ADDRESSES,
+    isBurnAddress,
 };

src/shared/etherscanLabels.js

@@ -0,0 +1,102 @@
+// Etherscan address label lookup via page scraping.
+// Extension users make the requests directly to Etherscan — no proxy needed.
+// This is a best-effort enrichment: network failures return null silently.
+
+const ETHERSCAN_BASE = "https://etherscan.io/address/";
+
+// Patterns in the page title that indicate a flagged address.
+// Title format: "Fake_Phishing184810 | Address: 0x... | Etherscan"
+const PHISHING_LABEL_PATTERNS = [/^Fake_Phishing/i, /^Phish:/i, /^Exploiter/i];
+
+// Patterns in the page body that indicate a scam/phishing warning.
+const SCAM_BODY_PATTERNS = [
+    /used in a\s+(?:\w+\s+)?phishing scam/i,
+    /used in a\s+(?:\w+\s+)?scam/i,
+    /wallet\s+drainer/i,
+];
+
+/**
+ * Parse the Etherscan address page HTML to extract label info.
+ * Exported for unit testing (no fetch needed).
+ *
+ * @param {string} html - Raw HTML of the Etherscan address page.
+ * @returns {{ label: string|null, isPhishing: boolean, warning: string|null }}
+ */
+function parseEtherscanPage(html) {
+    // Extract <title> content
+    const titleMatch = html.match(/<title[^>]*>([^<]+)<\/title>/i);
+    let label = null;
+    let isPhishing = false;
+    let warning = null;
+
+    if (titleMatch) {
+        const title = titleMatch[1].trim();
+        // Title: "LABEL | Address: 0x... | Etherscan" or "Address: 0x... | Etherscan"
+        const labelMatch = title.match(/^(.+?)\s*\|\s*Address:/);
+        if (labelMatch) {
+            const candidate = labelMatch[1].trim();
+            // Only treat as a label if it's not just "Address" (unlabeled addresses)
+            if (candidate.toLowerCase() !== "address") {
+                label = candidate;
+            }
+        }
+    }
+
+    // Check label against phishing patterns
+    if (label) {
+        for (const pat of PHISHING_LABEL_PATTERNS) {
+            if (pat.test(label)) {
+                isPhishing = true;
+                warning = `Etherscan labels this address as "${label}" (Phish/Hack).`;
+                break;
+            }
+        }
+    }
+
+    // Check page body for scam warning banners
+    if (!isPhishing) {
+        for (const pat of SCAM_BODY_PATTERNS) {
+            if (pat.test(html)) {
+                isPhishing = true;
+                warning = label
+                    ? `Etherscan labels this address as "${label}" and reports it was used in a scam.`
+                    : "Etherscan reports this address was flagged for phishing/scam activity.";
+                break;
+            }
+        }
+    }
+
+    return { label, isPhishing, warning };
+}
+
+/**
+ * Fetch an address page from Etherscan and check for scam/phishing labels.
+ * Returns a warning object if the address is flagged, or null.
+ * Network failures return null silently (best-effort check).
+ *
+ * @param {string} address - Ethereum address to check.
+ * @returns {Promise<{type: string, message: string, severity: string}|null>}
+ */
+async function checkEtherscanLabel(address) {
+    try {
+        const resp = await fetch(ETHERSCAN_BASE + address, {
+            headers: { Accept: "text/html" },
+        });
+        if (!resp.ok) return null;
+        const html = await resp.text();
+        const result = parseEtherscanPage(html);
+        if (result.isPhishing) {
+            return {
+                type: "etherscan-phishing",
+                message: result.warning,
+                severity: "critical",
+            };
+        }
+        return null;
+    } catch {
+        // Network errors are expected — Etherscan may rate-limit or block.
+        return null;
+    }
+}
+
+module.exports = { parseEtherscanPage, checkEtherscanLabel };

src/shared/phishingDomains.js

@@ -0,0 +1,215 @@
+// Domain-based phishing detection using a vendored blocklist with delta updates.
+//
+// A community-maintained phishing domain blocklist is vendored in
+// phishingBlocklist.json and bundled at build time. At runtime, we fetch
+// the live list periodically and keep only the delta (new entries not in
+// the vendored list) in memory. This keeps runtime memory usage small.
+//
+// The domain-checker checks the in-memory delta first (fresh/recent scam
+// sites), then falls back to the vendored list.
+//
+// If the delta is under 256 KiB it is persisted to localStorage so it
+// survives extension/service-worker restarts.
+
+const vendoredConfig = require("./phishingBlocklist.json");
+
+const BLOCKLIST_URL =
+    "https://raw.githubusercontent.com/MetaMask/eth-phishing-detect/main/src/config.json";
+
+const CACHE_TTL_MS = 24 * 60 * 60 * 1000; // 24 hours
+const REFRESH_INTERVAL_MS = 24 * 60 * 60 * 1000; // 24 hours
+const DELTA_STORAGE_KEY = "phishing-delta";
+const MAX_DELTA_BYTES = 256 * 1024; // 256 KiB
+
+// Vendored set — built once from the bundled JSON.
+const vendoredBlacklist = new Set(
+    (vendoredConfig.blacklist || []).map((d) => d.toLowerCase()),
+);
+
+// Delta set — only entries from live list that are NOT in vendored.
+let deltaBlacklist = new Set();
+let lastFetchTime = 0;
+let fetchPromise = null;
+let refreshTimer = null;
+
+/**
+ * Load delta entries from localStorage on startup.
+ * Called once during module initialization in the background script.
+ */
+function loadDeltaFromStorage() {
+    try {
+        const raw = localStorage.getItem(DELTA_STORAGE_KEY);
+        if (!raw) return;
+        const data = JSON.parse(raw);
+        if (data.blacklist && Array.isArray(data.blacklist)) {
+            deltaBlacklist = new Set(
+                data.blacklist.map((d) => d.toLowerCase()),
+            );
+        }
+    } catch {
+        // localStorage unavailable or corrupt — start empty
+    }
+}
+
+/**
+ * Persist delta to localStorage if it fits within MAX_DELTA_BYTES.
+ */
+function saveDeltaToStorage() {
+    try {
+        const data = {
+            blacklist: Array.from(deltaBlacklist),
+        };
+        const json = JSON.stringify(data);
+        if (json.length < MAX_DELTA_BYTES) {
+            localStorage.setItem(DELTA_STORAGE_KEY, json);
+        } else {
+            // Too large — remove stale key if present
+            localStorage.removeItem(DELTA_STORAGE_KEY);
+        }
+    } catch {
+        // localStorage unavailable — skip silently
+    }
+}
+
+/**
+ * Load a pre-parsed config and compute the delta against the vendored list.
+ * Used for both live fetches and testing.
+ *
+ * @param {{ blacklist?: string[] }} config
+ */
+function loadConfig(config) {
+    const liveBlacklist = (config.blacklist || []).map((d) => d.toLowerCase());
+
+    // Delta = entries in the live list that are NOT in the vendored list
+    deltaBlacklist = new Set(
+        liveBlacklist.filter((d) => !vendoredBlacklist.has(d)),
+    );
+
+    lastFetchTime = Date.now();
+    saveDeltaToStorage();
+}
+
+/**
+ * Generate hostname variants for subdomain matching.
+ * "sub.evil.com" yields ["sub.evil.com", "evil.com"].
+ *
+ * @param {string} hostname
+ * @returns {string[]}
+ */
+function hostnameVariants(hostname) {
+    const h = hostname.toLowerCase();
+    const variants = [h];
+    const parts = h.split(".");
+    // Parent domains: a.b.c.d -> b.c.d, c.d
+    for (let i = 1; i < parts.length - 1; i++) {
+        variants.push(parts.slice(i).join("."));
+    }
+    return variants;
+}
+
+/**
+ * Check if a hostname is on the phishing blocklist.
+ * Checks delta first (fresh/recent scam sites), then vendored list.
+ *
+ * @param {string} hostname - The hostname to check.
+ * @returns {boolean}
+ */
+function isPhishingDomain(hostname) {
+    if (!hostname) return false;
+    const variants = hostnameVariants(hostname);
+
+    // Check delta blacklist first (fresh/recent scam sites), then vendored
+    for (const v of variants) {
+        if (deltaBlacklist.has(v) || vendoredBlacklist.has(v)) return true;
+    }
+    return false;
+}
+
+/**
+ * Fetch the latest blocklist and compute delta against vendored data.
+ * De-duplicates concurrent fetches. Results are cached for CACHE_TTL_MS.
+ *
+ * @returns {Promise<void>}
+ */
+async function updatePhishingList() {
+    // Skip if recently fetched
+    if (Date.now() - lastFetchTime < CACHE_TTL_MS && lastFetchTime > 0) {
+        return;
+    }
+
+    // De-duplicate concurrent calls
+    if (fetchPromise) return fetchPromise;
+
+    fetchPromise = (async () => {
+        try {
+            const resp = await fetch(BLOCKLIST_URL);
+            if (!resp.ok) throw new Error("HTTP " + resp.status);
+            const config = await resp.json();
+            loadConfig(config);
+        } catch {
+            // Silently fail — vendored list still provides coverage.
+            // We'll retry next time.
+        } finally {
+            fetchPromise = null;
+        }
+    })();
+
+    return fetchPromise;
+}
+
+/**
+ * Start periodic refresh of the phishing list.
+ * Should be called once from the background script on startup.
+ */
+function startPeriodicRefresh() {
+    if (refreshTimer) return;
+    refreshTimer = setInterval(updatePhishingList, REFRESH_INTERVAL_MS);
+}
+
+/**
+ * Return the total blocklist size (vendored + delta) for diagnostics.
+ *
+ * @returns {number}
+ */
+function getBlocklistSize() {
+    return vendoredBlacklist.size + deltaBlacklist.size;
+}
+
+/**
+ * Return the delta blocklist size for diagnostics.
+ *
+ * @returns {number}
+ */
+function getDeltaSize() {
+    return deltaBlacklist.size;
+}
+
+/**
+ * Reset internal state (for testing).
+ */
+function _reset() {
+    deltaBlacklist = new Set();
+    lastFetchTime = 0;
+    fetchPromise = null;
+    if (refreshTimer) {
+        clearInterval(refreshTimer);
+        refreshTimer = null;
+    }
+}
+
+// Load persisted delta on module initialization
+loadDeltaFromStorage();
+
+module.exports = {
+    isPhishingDomain,
+    updatePhishingList,
+    startPeriodicRefresh,
+    loadConfig,
+    getBlocklistSize,
+    getDeltaSize,
+    hostnameVariants,
+    _reset,
+    // Exposed for testing only
+    _getVendoredBlacklistSize: () => vendoredBlacklist.size,
+    _getDeltaBlacklist: () => deltaBlacklist,
+};

tests/etherscanLabels.test.js

@@ -0,0 +1,100 @@
+const { parseEtherscanPage } = require("../src/shared/etherscanLabels");
+
+describe("etherscanLabels", () => {
+    describe("parseEtherscanPage", () => {
+        test("detects Fake_Phishing label in title", () => {
+            const html = `<html><head><title>Fake_Phishing184810 | Address: 0x00000c07...3ea470000 | Etherscan</title></head><body></body></html>`;
+            const result = parseEtherscanPage(html);
+            expect(result.label).toBe("Fake_Phishing184810");
+            expect(result.isPhishing).toBe(true);
+            expect(result.warning).toContain("Fake_Phishing184810");
+            expect(result.warning).toContain("Phish/Hack");
+        });
+
+        test("detects Fake_Phishing with different number", () => {
+            const html = `<html><head><title>Fake_Phishing5169 | Address: 0x3e0defb8...99a7a8a74 | Etherscan</title></head><body></body></html>`;
+            const result = parseEtherscanPage(html);
+            expect(result.label).toBe("Fake_Phishing5169");
+            expect(result.isPhishing).toBe(true);
+        });
+
+        test("detects Exploiter label", () => {
+            const html = `<html><head><title>Exploiter 42 | Address: 0xabcdef...1234 | Etherscan</title></head><body></body></html>`;
+            const result = parseEtherscanPage(html);
+            expect(result.label).toBe("Exploiter 42");
+            expect(result.isPhishing).toBe(true);
+        });
+
+        test("detects scam warning in body text", () => {
+            const html =
+                `<html><head><title>Address: 0xabcdef...1234 | Etherscan</title></head>` +
+                `<body>There are reports that this address was used in a Phishing scam.</body></html>`;
+            const result = parseEtherscanPage(html);
+            expect(result.label).toBeNull();
+            expect(result.isPhishing).toBe(true);
+            expect(result.warning).toContain("phishing/scam");
+        });
+
+        test("detects scam warning with label in body", () => {
+            const html =
+                `<html><head><title>SomeScammer | Address: 0xabcdef...1234 | Etherscan</title></head>` +
+                `<body>There are reports that this address was used in a scam.</body></html>`;
+            const result = parseEtherscanPage(html);
+            expect(result.label).toBe("SomeScammer");
+            expect(result.isPhishing).toBe(true);
+            expect(result.warning).toContain("SomeScammer");
+        });
+
+        test("returns clean result for legitimate address", () => {
+            const html = `<html><head><title>vitalik.eth | Address: 0xd8dA6BF2...37aA96045 | Etherscan</title></head><body>Overview</body></html>`;
+            const result = parseEtherscanPage(html);
+            expect(result.label).toBe("vitalik.eth");
+            expect(result.isPhishing).toBe(false);
+            expect(result.warning).toBeNull();
+        });
+
+        test("returns clean result for unlabeled address", () => {
+            const html = `<html><head><title>Address: 0x1234567890...abcdef | Etherscan</title></head><body>Overview</body></html>`;
+            const result = parseEtherscanPage(html);
+            expect(result.label).toBeNull();
+            expect(result.isPhishing).toBe(false);
+            expect(result.warning).toBeNull();
+        });
+
+        test("handles exchange labels correctly (not phishing)", () => {
+            const html = `<html><head><title>Coinbase 10 | Address: 0xa9d1e08c...b81d3e43 | Etherscan</title></head><body>Overview</body></html>`;
+            const result = parseEtherscanPage(html);
+            expect(result.label).toBe("Coinbase 10");
+            expect(result.isPhishing).toBe(false);
+        });
+
+        test("handles contract names correctly (not phishing)", () => {
+            const html = `<html><head><title>Beacon Deposit Contract | Address: 0x00000000...03d7705Fa | Etherscan</title></head><body>Overview</body></html>`;
+            const result = parseEtherscanPage(html);
+            expect(result.label).toBe("Beacon Deposit Contract");
+            expect(result.isPhishing).toBe(false);
+        });
+
+        test("handles empty HTML gracefully", () => {
+            const result = parseEtherscanPage("");
+            expect(result.label).toBeNull();
+            expect(result.isPhishing).toBe(false);
+            expect(result.warning).toBeNull();
+        });
+
+        test("handles malformed title tag", () => {
+            const html = `<html><head><title></title></head><body></body></html>`;
+            const result = parseEtherscanPage(html);
+            expect(result.label).toBeNull();
+            expect(result.isPhishing).toBe(false);
+        });
+
+        test("detects wallet drainer warning", () => {
+            const html =
+                `<html><head><title>Address: 0xabc...def | Etherscan</title></head>` +
+                `<body>This is a known wallet drainer contract.</body></html>`;
+            const result = parseEtherscanPage(html);
+            expect(result.isPhishing).toBe(true);
+        });
+    });
+});

tests/phishingDomains.test.js

@@ -0,0 +1,205 @@
+// Provide a localStorage mock for Node.js test environment.
+// Must be set before requiring the module since it calls loadDeltaFromStorage()
+// at module load time.
+const localStorageStore = {};
+global.localStorage = {
+    getItem: (key) =>
+        Object.prototype.hasOwnProperty.call(localStorageStore, key)
+            ? localStorageStore[key]
+            : null,
+    setItem: (key, value) => {
+        localStorageStore[key] = String(value);
+    },
+    removeItem: (key) => {
+        delete localStorageStore[key];
+    },
+};
+
+const {
+    isPhishingDomain,
+    loadConfig,
+    getBlocklistSize,
+    getDeltaSize,
+    hostnameVariants,
+    _reset,
+    _getVendoredBlacklistSize,
+    _getDeltaBlacklist,
+} = require("../src/shared/phishingDomains");
+
+// Reset delta state before each test to avoid cross-test contamination.
+// Note: vendored sets are immutable and always present.
+beforeEach(() => {
+    _reset();
+    // Clear localStorage mock between tests
+    for (const key of Object.keys(localStorageStore)) {
+        delete localStorageStore[key];
+    }
+});
+
+describe("phishingDomains", () => {
+    describe("vendored blocklist", () => {
+        test("vendored blacklist is loaded from bundled JSON", () => {
+            // The vendored blocklist should have a large number of entries
+            expect(_getVendoredBlacklistSize()).toBeGreaterThan(100000);
+        });
+
+        test("detects domains from vendored blacklist", () => {
+            // These are well-known phishing domains in the vendored list
+            expect(isPhishingDomain("hopprotocol.pro")).toBe(true);
+            expect(isPhishingDomain("blast-pools.pages.dev")).toBe(true);
+        });
+
+        test("getBlocklistSize includes vendored entries", () => {
+            expect(getBlocklistSize()).toBeGreaterThan(100000);
+        });
+    });
+
+    describe("hostnameVariants", () => {
+        test("returns exact hostname plus parent domains", () => {
+            const variants = hostnameVariants("sub.evil.com");
+            expect(variants).toEqual(["sub.evil.com", "evil.com"]);
+        });
+
+        test("returns just the hostname for a bare domain", () => {
+            const variants = hostnameVariants("example.com");
+            expect(variants).toEqual(["example.com"]);
+        });
+
+        test("handles deep subdomain chains", () => {
+            const variants = hostnameVariants("a.b.c.d.com");
+            expect(variants).toEqual([
+                "a.b.c.d.com",
+                "b.c.d.com",
+                "c.d.com",
+                "d.com",
+            ]);
+        });
+
+        test("lowercases hostnames", () => {
+            const variants = hostnameVariants("Evil.COM");
+            expect(variants).toEqual(["evil.com"]);
+        });
+    });
+
+    describe("delta computation via loadConfig", () => {
+        test("loadConfig computes delta of new entries not in vendored list", () => {
+            loadConfig({
+                blacklist: [
+                    "brand-new-scam-site-xyz123.com",
+                    "hopprotocol.pro", // already in vendored
+                ],
+            });
+            // Only the new domain should be in the delta
+            expect(
+                _getDeltaBlacklist().has("brand-new-scam-site-xyz123.com"),
+            ).toBe(true);
+            expect(_getDeltaBlacklist().has("hopprotocol.pro")).toBe(false);
+            expect(getDeltaSize()).toBe(1);
+        });
+
+        test("re-loading config replaces previous delta", () => {
+            loadConfig({
+                blacklist: ["first-scam-xyz.com"],
+            });
+            expect(isPhishingDomain("first-scam-xyz.com")).toBe(true);
+
+            loadConfig({
+                blacklist: ["second-scam-xyz.com"],
+            });
+            expect(isPhishingDomain("first-scam-xyz.com")).toBe(false);
+            expect(isPhishingDomain("second-scam-xyz.com")).toBe(true);
+        });
+
+        test("getBlocklistSize includes both vendored and delta", () => {
+            const baseSize = getBlocklistSize();
+            loadConfig({
+                blacklist: ["delta-only-scam-xyz.com"],
+            });
+            expect(getBlocklistSize()).toBe(baseSize + 1);
+        });
+    });
+
+    describe("isPhishingDomain with delta + vendored", () => {
+        test("detects domain from delta blacklist", () => {
+            loadConfig({
+                blacklist: ["fresh-scam-xyz.com"],
+            });
+            expect(isPhishingDomain("fresh-scam-xyz.com")).toBe(true);
+        });
+
+        test("detects domain from vendored blacklist", () => {
+            // No delta loaded — vendored still works
+            expect(isPhishingDomain("hopprotocol.pro")).toBe(true);
+        });
+
+        test("returns false for clean domains", () => {
+            expect(isPhishingDomain("etherscan.io")).toBe(false);
+            expect(isPhishingDomain("example.com")).toBe(false);
+        });
+
+        test("detects subdomain of blacklisted domain (vendored)", () => {
+            expect(isPhishingDomain("app.hopprotocol.pro")).toBe(true);
+        });
+
+        test("detects subdomain of blacklisted domain (delta)", () => {
+            loadConfig({
+                blacklist: ["delta-phish-xyz.com"],
+            });
+            expect(isPhishingDomain("sub.delta-phish-xyz.com")).toBe(true);
+        });
+
+        test("case-insensitive matching", () => {
+            loadConfig({
+                blacklist: ["Delta-Scam-XYZ.COM"],
+            });
+            expect(isPhishingDomain("delta-scam-xyz.com")).toBe(true);
+            expect(isPhishingDomain("DELTA-SCAM-XYZ.COM")).toBe(true);
+        });
+
+        test("returns false for empty/null hostname", () => {
+            expect(isPhishingDomain("")).toBe(false);
+            expect(isPhishingDomain(null)).toBe(false);
+        });
+
+        test("handles config with no blacklist key", () => {
+            loadConfig({});
+            expect(getDeltaSize()).toBe(0);
+            // Vendored list still works
+            expect(isPhishingDomain("hopprotocol.pro")).toBe(true);
+        });
+    });
+
+    describe("localStorage persistence", () => {
+        test("saveDeltaToStorage persists delta under 256KiB", () => {
+            loadConfig({
+                blacklist: ["persisted-scam-xyz.com"],
+            });
+            const stored = localStorage.getItem("phishing-delta");
+            expect(stored).not.toBeNull();
+            const data = JSON.parse(stored);
+            expect(data.blacklist).toContain("persisted-scam-xyz.com");
+        });
+
+        test("delta is cleared on _reset", () => {
+            loadConfig({
+                blacklist: ["temp-scam-xyz.com"],
+            });
+            expect(getDeltaSize()).toBe(1);
+            _reset();
+            expect(getDeltaSize()).toBe(0);
+        });
+    });
+
+    describe("real-world blocklist patterns", () => {
+        test("detects known phishing domains from vendored list", () => {
+            expect(isPhishingDomain("uniswap-trade.web.app")).toBe(true);
+            expect(isPhishingDomain("hopprotocol.pro")).toBe(true);
+            expect(isPhishingDomain("blast-pools.pages.dev")).toBe(true);
+        });
+
+        test("does not flag legitimate domains", () => {
+            expect(isPhishingDomain("opensea.io")).toBe(false);
+            expect(isPhishingDomain("etherscan.io")).toBe(false);
+        });
+    });
+});