feat: expand warning types for send confirmation

- Combine MEW darklist (652) and CryptoScamDB (2043) into 2314 scam addresses - Add null/burn address detection with permanent loss warning - Add contract address detection warning (sending directly to contracts) - Unify all warnings into single warnings element (sync + async) - Zero-history warning now uses unified warning system Closes #114
Merge pull request 'feat: show red warning when sending to address with zero tx history' (#98 ) from issue-82-zero-tx-warning into main
2026-02-28 16:11:02 -08:00 · 2026-03-01 00:54:15 +01:00 · 2026-03-01 00:53:45 +01:00 · 2026-03-01 00:53:08 +01:00 · 2026-02-28 15:46:58 -08:00 · 2026-02-28 15:37:27 -08:00
3 changed files with 2417 additions and 25 deletions
--- a/src/popup/index.html
+++ b/src/popup/index.html
@@ -586,6 +586,19 @@
                    <div id="confirm-fee-amount" class="text-xs"></div>
                </div>
                <div id="confirm-warnings" class="mb-2 hidden"></div>
+                <div
+                    id="confirm-recipient-warning"
+                    class="mb-2"
+                    style="visibility: hidden"
+                >
+                    <div
+                        class="border border-red-500 border-dashed p-2 text-xs font-bold text-red-500"
+                    >
+                        WARNING: The recipient address has ZERO transaction
+                        history. This may indicate a fresh or unused address.
+                        Double-check the address before sending.
+                    </div>
+                </div>
                <div
                    id="confirm-errors"
                    class="mb-2 border border-border border-dashed p-2 hidden"
--- a/src/popup/views/confirmTx.js
+++ b/src/popup/views/confirmTx.js
@@ -24,7 +24,7 @@ const { getSignerForAddress } = require("../../shared/wallet");
 const { decryptWithPassword } = require("../../shared/vault");
 const { formatUsd, getPrice } = require("../../shared/prices");
 const { getProvider } = require("../../shared/balances");
-const { isScamAddress } = require("../../shared/scamlist");
+const { isScamAddress, isNullOrBurnAddress } = require("../../shared/scamlist");
 const { ERC20_ABI } = require("../../shared/constants");
 const { log } = require("../../shared/log");
 const makeBlockie = require("ethereum-blockies-base64");
@@ -38,6 +38,28 @@ const EXT_ICON =
    `</svg></span>`;

 let pendingTx = null;
+// Track active warnings so async checks can append without overwriting.
+let activeWarnings = [];
+
+function renderWarnings(el, warnings) {
+    activeWarnings = warnings.slice();
+    if (warnings.length > 0) {
+        el.innerHTML = warnings
+            .map(
+                (w) =>
+                    `<div class="border border-border border-dashed p-2 mb-1 text-xs font-bold">WARNING: ${w}</div>`,
+            )
+            .join("");
+        el.classList.remove("hidden");
+    } else {
+        el.classList.add("hidden");
+    }
+}
+
+function appendWarning(el, message) {
+    activeWarnings.push(message);
+    renderWarnings(el, activeWarnings);
+}

 function restore() {
    const d = state.viewData;
@@ -165,29 +187,24 @@ function show(txInfo) {
        $("confirm-balance").textContent = valueWithUsd(bal + " ETH", balUsd);
    }

-    // Check for warnings
+    // Check for warnings (synchronous checks first, async checks added later)
    const warnings = [];
    if (isScamAddress(txInfo.to)) {
        warnings.push(
            "This address is on a known scam/fraud list. Do not send funds to this address.",
        );
    }
+    if (isNullOrBurnAddress(txInfo.to)) {
+        warnings.push(
+            "This is a null or burn address. Funds sent here will be permanently lost.",
+        );
+    }
    if (txInfo.to.toLowerCase() === txInfo.from.toLowerCase()) {
        warnings.push("You are sending to your own address.");
    }

    const warningsEl = $("confirm-warnings");
-    if (warnings.length > 0) {
-        warningsEl.innerHTML = warnings
-            .map(
-                (w) =>
-                    `<div class="border border-border border-dashed p-2 mb-1 text-xs font-bold">WARNING: ${w}</div>`,
-            )
-            .join("");
-        warningsEl.classList.remove("hidden");
-    } else {
-        warningsEl.classList.add("hidden");
-    }
+    renderWarnings(warningsEl, warnings);

    // Check for errors
    const errors = [];
@@ -243,7 +260,14 @@ function show(txInfo) {
    state.viewData = { pendingTx: txInfo };
    showView("confirm-tx");

+    // Hide the legacy recipient warning element (warnings now unified)
+    const legacyWarningEl = $("confirm-recipient-warning");
+    if (legacyWarningEl) {
+        legacyWarningEl.style.display = "none";
+    }
+
    estimateGas(txInfo);
+    checkRecipientHistory(txInfo);
 }

 async function estimateGas(txInfo) {
@@ -286,6 +310,31 @@ async function estimateGas(txInfo) {
    }
 }

+async function checkRecipientHistory(txInfo) {
+    const warningsEl = $("confirm-warnings");
+    try {
+        const provider = getProvider(state.rpcUrl);
+        const code = await provider.getCode(txInfo.to);
+        if (code && code !== "0x") {
+            // Recipient is a contract address — warn the user
+            appendWarning(
+                warningsEl,
+                "The recipient is a contract address. Sending tokens directly to a contract may result in permanent loss of funds.",
+            );
+            return;
+        }
+        const txCount = await provider.getTransactionCount(txInfo.to);
+        if (txCount === 0) {
+            appendWarning(
+                warningsEl,
+                "The recipient address has ZERO transaction history. This may indicate a fresh or unused address. Double-check the address before sending.",
+            );
+        }
+    } catch (e) {
+        log.errorf("recipient history check failed:", e.message);
+    }
+}
+
 function init(ctx) {
    $("btn-confirm-send").addEventListener("click", async () => {
        const password = $("confirm-tx-password").value;
--- a/src/shared/scamlist.js
+++ b/src/shared/scamlist.js
Author	SHA1	Message	Date
user	f01a662000	feat: expand warning types for send confirmation All checks were successful check / check (push) Successful in 23s Details - Combine MEW darklist (652) and CryptoScamDB (2043) into 2314 scam addresses - Add null/burn address detection with permanent loss warning - Add contract address detection warning (sending directly to contracts) - Unify all warnings into single warnings element (sync + async) - Zero-history warning now uses unified warning system Closes #114	2026-02-28 16:11:02 -08:00
Jeffrey Paul	09c52b2519	Merge pull request 'feat: show red warning when sending to address with zero tx history' (#98 ) from issue-82-zero-tx-warning into main All checks were successful check / check (push) Successful in 8s Details Reviewed-on: #98	2026-03-01 00:54:15 +01:00
Jeffrey Paul	1fb9fade51	Merge branch 'main' into issue-82-zero-tx-warning All checks were successful check / check (push) Successful in 22s Details	2026-03-01 00:53:45 +01:00
Jeffrey Paul	bc04482fb5	Merge pull request 'feat: add xprv wallet import support' (#53 ) from feature/import-xprv into main All checks were successful check / check (push) Successful in 8s Details Reviewed-on: #53	2026-03-01 00:53:08 +01:00
user	045328f3b9	fix: use visibility:hidden/visible instead of CSS transitions for zero-tx warning All checks were successful check / check (push) Successful in 22s Details Remove all CSS transitions, max-height changes, and opacity animations. The warning container always reserves its space with visibility:hidden and switches to visibility:visible when needed. No layout shift ever.	2026-02-28 15:46:58 -08:00
user	576fe3ab15	fix: replace visibility:hidden with smooth collapse for zero-tx warning All checks were successful check / check (push) Successful in 10s Details Instead of permanently reserving space with visibility:hidden, the warning container now uses max-height + opacity transitions. Space is reserved during the async check, then smoothly collapses to 0 if the warning isn't needed. This reclaims ~40px of popup viewport in the common case.	2026-02-28 15:37:27 -08:00
user	8c071ae508	fix: never collapse warning container — always reserve space to prevent layout shift All checks were successful check / check (push) Successful in 10s Details Replace display:none with persistent visibility:hidden so the warning area occupies the same vertical space regardless of API result. This eliminates the layout shift that occurred when the container was collapsed after the recipient history check returned.	2026-02-28 15:26:49 -08:00
user	a3c2b8227a	fix: zero-tx warning layout shift and contract address false positive - Reserve space for the warning upfront using visibility:hidden instead of display:none, preventing layout shift per README policy - Move warning HTML to index.html as a static element rather than injecting dynamically - Skip warning for contract addresses (check getCode first) since getTransactionCount only returns outgoing tx nonce - Collapse reserved space when warning is not needed (address has history, is a contract, or on RPC error)	2026-02-28 15:26:44 -08:00
user	f9f3e7b85a	feat: show red warning when sending to address with zero tx history On the confirm-tx view, asynchronously check the recipient address transaction count via getTransactionCount(). If zero, display a prominent red warning advising the user to double-check the address. Closes #82	2026-02-28 15:26:44 -08:00