refactor: vendor phishing blocklist, delta-only memory model

- Vendor community-maintained phishing domain blocklist into
  src/shared/phishingBlocklist.json (bundled at build time by esbuild)
- Refactor phishingDomains.js: build vendored Sets at module load,
  fetch live list periodically, keep only delta (new entries not in
  vendored) in memory for small runtime footprint
- Domain checker checks delta first (fresh scam sites), then vendored
- Persist delta to localStorage if under 256 KiB
- Load delta from localStorage on startup for instant coverage
- Add startPeriodicRefresh() with 24h setInterval in background script
- Remove dead code: popup's local isPhishingDomain() re-check was inert
  (popup never called updatePhishingList so its blacklistSet was always
  empty); now relies solely on background's authoritative flag
- Remove all competitor name mentions from UI warning text and comments
- Update README: document phishing domain protection architecture,
  update external services list
- Update tests: cover vendored blocklist loading, delta computation,
  localStorage persistence, delta+vendored interaction

Closes #114

README.md

@@ -15,10 +15,12 @@ Hence, a minimally viable ERC20 browser wallet/signer that works cross-platform.
 Everything you need, nothing you don't. We import as few libraries as possible,
 don't implement any crypto, and don't send user-specific data anywhere but a
 (user-configurable) Ethereum RPC endpoint (which defaults to a public node). The
-extension contacts exactly three external services: the configured RPC node for
+extension contacts three user-configurable services: the configured RPC node for
 blockchain interactions, a public CoinDesk API (no API key) for realtime price
 information, and a Blockscout block-explorer API for transaction history and
-token balances. All three endpoints are user-configurable.
+token balances. It also fetches a community-maintained phishing domain blocklist
+periodically and performs best-effort Etherscan address label lookups during
+transaction confirmation.
 
 In the extension is a hardcoded list of the top ERC20 contract addresses. You
 can add any ERC20 contract by contract address if you wish, but the hardcoded
@@ -437,6 +439,10 @@ transitions.
 - **When**: User tapped a transaction row from AddressDetail or AddressToken.
 - **Elements**:
     - "Transaction" heading, "Back" button
+    - Type: transaction classification — one of: Native ETH Transfer, ERC-20
+      Token Transfer, Swap, Token Approval, Contract Call, Contract Creation
+    - Token contract: shown for ERC-20 transfers — color dot + full contract
+      address (tap to copy) + etherscan token link
     - Status: "Success" or "Failed"
     - Time: ISO datetime + relative age in parentheses
     - Amount: value + symbol (bold)
@@ -445,6 +451,11 @@ transitions.
     - To: blockie + color dot + full address (tap to copy) + etherscan link
         - ENS name if available
     - Transaction hash: full hash (tap to copy) + etherscan link
+    - Block: block number (tap to copy) + etherscan block link
+    - Nonce: transaction nonce (tap to copy)
+    - Transaction fee: ETH amount (tap to copy)
+    - Gas price: value in Gwei (tap to copy)
+    - Gas used: integer (tap to copy)
 - **Transitions**:
     - "Back" → **AddressToken** (if `selectedToken` set) or **AddressDetail**
 
@@ -567,14 +578,25 @@ What the extension does NOT do:
 
 - No analytics or telemetry services
 - No token list APIs (user adds tokens manually by contract address)
-- No phishing/blocklist APIs
 - No Infura/Alchemy dependency (any JSON-RPC endpoint works)
 - No backend servers operated by the developer
 
-These three services (RPC endpoint, CoinDesk price API, and Blockscout API) are
+In addition to the three user-configurable services above (RPC endpoint,
-the only external services. All three endpoints are user-configurable. Users who
+CoinDesk price API, and Blockscout API), AutistMask also contacts:
-want maximum privacy can point the RPC and Blockscout URLs at their own
+
-self-hosted instances (price fetching can be disabled in a future version).
+- **Phishing domain blocklist**: A community-maintained phishing domain
+  blocklist is vendored into the extension at build time. At runtime, the
+  extension fetches the live list once every 24 hours to detect newly added
+  domains. Only the delta (domains not already in the vendored list) is kept in
+  memory, keeping runtime memory usage small. The delta is persisted to
+  localStorage if it is under 256 KiB.
+- **Etherscan address labels**: When confirming a transaction, the extension
+  performs a best-effort lookup of the recipient address on Etherscan to check
+  for phishing/scam labels. This is a direct page fetch with no API key; the
+  user's browser makes the request.
+
+Users who want maximum privacy can point the RPC and Blockscout URLs at their
+own self-hosted instances (price fetching can be disabled in a future version).
 
 ### Dependencies
 
@@ -764,6 +786,22 @@ indexes it as a real token transfer.
   designed as a sharp tool — users who understand the risks can configure the
   wallet to show everything unfiltered, unix-style.
 
+#### Phishing Domain Protection
+
+AutistMask protects users from known phishing sites when they connect their
+wallet or approve transactions/signatures. A community-maintained domain
+blocklist is vendored into the extension at build time, providing immediate
+protection without any network requests. At runtime, the extension fetches the
+live list once every 24 hours and keeps only the delta (newly added domains not
+in the vendored list) in memory. This architecture keeps runtime memory usage
+small while ensuring fresh coverage of new phishing domains.
+
+When a dApp on a blocklisted domain requests a wallet connection, transaction
+approval, or signature, the approval popup displays a prominent red warning
+banner alerting the user. The domain checker matches exact hostnames and all
+parent domains (subdomain matching), with whitelist overrides for legitimate
+sites that share a parent domain with a blocklisted entry.
+
 #### Transaction Decoding
 
 When a dApp asks the user to approve a transaction, AutistMask attempts to

src/background/index.js

@@ -15,6 +15,7 @@ const { getSignerForAddress } = require("../shared/wallet");
 const {
     isPhishingDomain,
     updatePhishingList,
+    startPeriodicRefresh,
 } = require("../shared/phishingDomains");
 
 const storageApi =
@@ -575,9 +576,10 @@ async function backgroundRefresh() {
 
 setInterval(backgroundRefresh, BACKGROUND_REFRESH_INTERVAL);
 
-// Fetch the MetaMask eth-phishing-detect domain blocklist on startup.
+// Fetch the phishing domain blocklist delta on startup and refresh every 24h.
-// Refreshes every 24 hours automatically.
+// The vendored blocklist is bundled at build time; this fetches only new entries.
 updatePhishingList();
+startPeriodicRefresh();
 
 // When approval window is closed without a response, treat as rejection
 if (windowsApi && windowsApi.onRemoved) {

src/popup/index.html

@@ -1129,6 +1129,13 @@
                     <div class="text-xs text-muted mb-1">To</div>
                     <div id="tx-detail-to" class="text-xs break-all"></div>
                 </div>
+                <div id="tx-detail-token-contract-section" class="mb-4 hidden">
+                    <div class="text-xs text-muted mb-1">Token contract</div>
+                    <div
+                        id="tx-detail-token-contract"
+                        class="text-xs break-all"
+                    ></div>
+                </div>
                 <div id="tx-detail-calldata-section" class="mb-4 hidden">
                     <div
                         id="tx-detail-calldata-well"
@@ -1149,6 +1156,26 @@
                     <div class="text-xs text-muted mb-1">Transaction hash</div>
                     <div id="tx-detail-hash" class="text-xs break-all"></div>
                 </div>
+                <div id="tx-detail-block-section" class="mb-4 hidden">
+                    <div class="text-xs text-muted mb-1">Block</div>
+                    <div id="tx-detail-block" class="text-xs"></div>
+                </div>
+                <div id="tx-detail-nonce-section" class="mb-4 hidden">
+                    <div class="text-xs text-muted mb-1">Nonce</div>
+                    <div id="tx-detail-nonce" class="text-xs"></div>
+                </div>
+                <div id="tx-detail-fee-section" class="mb-4 hidden">
+                    <div class="text-xs text-muted mb-1">Transaction fee</div>
+                    <div id="tx-detail-fee" class="text-xs"></div>
+                </div>
+                <div id="tx-detail-gasprice-section" class="mb-4 hidden">
+                    <div class="text-xs text-muted mb-1">Gas price</div>
+                    <div id="tx-detail-gasprice" class="text-xs"></div>
+                </div>
+                <div id="tx-detail-gasused-section" class="mb-4 hidden">
+                    <div class="text-xs text-muted mb-1">Gas used</div>
+                    <div id="tx-detail-gasused" class="text-xs"></div>
+                </div>
                 <div id="tx-detail-rawdata-section" class="mb-4 hidden">
                     <div class="text-xs text-muted mb-1">Raw data</div>
                     <div
@@ -1165,7 +1192,7 @@
                     id="approve-tx-phishing-warning"
                     class="mb-3 p-2 text-xs font-bold hidden bg-red-100 text-red-800 border-2 border-red-600 rounded-md"
                 >
-                    ⚠️ PHISHING WARNING: This site is on MetaMask's phishing
+                    ⚠️ PHISHING WARNING: This site is on a known phishing
                     blocklist. This transaction may steal your funds. Proceed
                     with extreme caution.
                 </div>
@@ -1239,7 +1266,7 @@
                     id="approve-sign-phishing-warning"
                     class="mb-3 p-2 text-xs font-bold hidden bg-red-100 text-red-800 border-2 border-red-600 rounded-md"
                 >
-                    ⚠️ PHISHING WARNING: This site is on MetaMask's phishing
+                    ⚠️ PHISHING WARNING: This site is on a known phishing
                     blocklist. Signing this message may authorize theft of your
                     funds. Proceed with extreme caution.
                 </div>
@@ -1316,7 +1343,7 @@
                     id="approve-site-phishing-warning"
                     class="mb-3 p-2 text-xs font-bold hidden bg-red-100 text-red-800 border-2 border-red-600 rounded-md"
                 >
-                    ⚠️ PHISHING WARNING: This site is on MetaMask's phishing
+                    ⚠️ PHISHING WARNING: This site is on a known phishing
                     blocklist. Connecting your wallet may result in loss of
                     funds. Proceed with extreme caution.
                 </div>

src/popup/views/approval.js

@@ -13,8 +13,6 @@ const { ERC20_ABI } = require("../../shared/constants");
 const { TOKEN_BY_ADDRESS } = require("../../shared/tokenList");
 const txStatus = require("./txStatus");
 const uniswap = require("../../shared/uniswap");
-const { isPhishingDomain } = require("../../shared/phishingDomains");
-
 const runtime =
     typeof browser !== "undefined" ? browser.runtime : chrome.runtime;
 
@@ -156,11 +154,12 @@ function decodeCalldata(data, toAddress) {
     return null;
 }
 
-function showPhishingWarning(elementId, hostname, isPhishing) {
+function showPhishingWarning(elementId, isPhishing) {
     const el = $(elementId);
     if (!el) return;
-    // Check both the flag from background and a local re-check
+    // The background script performs the authoritative phishing domain check
-    if (isPhishing || isPhishingDomain(hostname)) {
+    // and passes the result via the isPhishingDomain flag.
+    if (isPhishing) {
         el.classList.remove("hidden");
     } else {
         el.classList.add("hidden");
@@ -170,7 +169,6 @@ function showPhishingWarning(elementId, hostname, isPhishing) {
 function showTxApproval(details) {
     showPhishingWarning(
         "approve-tx-phishing-warning",
-        details.hostname,
         details.isPhishingDomain,
     );
 
@@ -343,7 +341,6 @@ function formatTypedDataHtml(jsonStr) {
 function showSignApproval(details) {
     showPhishingWarning(
         "approve-sign-phishing-warning",
-        details.hostname,
         details.isPhishingDomain,
     );
 
@@ -409,7 +406,6 @@ function show(id) {
         // Site connection approval
         showPhishingWarning(
             "approve-site-phishing-warning",
-            details.hostname,
             details.isPhishingDomain,
         );
         $("approve-hostname").textContent = details.hostname;

src/popup/views/transactionDetail.js

@@ -13,6 +13,7 @@ const {
     timeAgo,
 } = require("./helpers");
 const { state } = require("../../shared/state");
+const { formatEther, formatUnits } = require("ethers");
 const makeBlockie = require("ethereum-blockies-base64");
 const { log, debugFetch } = require("../../shared/log");
 const { decodeCalldata } = require("./approval");
@@ -26,6 +27,25 @@ const EXT_ICON =
 
 let ctx;
 
+/**
+ * Determine a human-readable transaction type string from tx fields.
+ */
+function getTransactionType(tx) {
+    if (!tx.to) return "Contract Creation";
+    if (tx.direction === "contract") {
+        if (tx.directionLabel === "Swap") return "Swap";
+        if (
+            tx.method === "approve" ||
+            tx.directionLabel === "Approve" ||
+            tx.method === "setApprovalForAll"
+        )
+            return "Token Approval";
+        return "Contract Call";
+    }
+    if (tx.symbol && tx.symbol !== "ETH") return "ERC-20 Token Transfer";
+    return "Native ETH Transfer";
+}
+
 function copyableHtml(text, extraClass) {
     const cls =
         "underline decoration-dashed cursor-pointer" +
@@ -99,6 +119,7 @@ function show(tx) {
             direction: tx.direction || null,
             isContractCall: tx.isContractCall || false,
             method: tx.method || null,
+            contractAddress: tx.contractAddress || null,
         },
     };
     render();
@@ -135,30 +156,54 @@ function render() {
         nativeEl.parentElement.classList.add("hidden");
     }
 
-    // Show type label for contract interactions (Swap, Execute, etc.)
+    // Always show transaction type as the first field
     const typeSection = $("tx-detail-type-section");
     const typeEl = $("tx-detail-type");
     const headingEl = $("tx-detail-heading");
-    if (tx.direction === "contract" && tx.directionLabel) {
+    if (typeSection && typeEl) {
-        if (typeSection) {
+        typeEl.textContent = getTransactionType(tx);
-            typeEl.textContent = tx.directionLabel;
+        typeSection.classList.remove("hidden");
-            typeSection.classList.remove("hidden");
-        }
-    } else {
-        if (typeSection) typeSection.classList.add("hidden");
     }
     if (headingEl) headingEl.textContent = "Transaction";
 
-    // Hide calldata and raw data sections; re-fetch if this is a contract call
+    // Token contract address (for ERC-20 transfers)
+    const tokenContractSection = $("tx-detail-token-contract-section");
+    const tokenContractEl = $("tx-detail-token-contract");
+    if (tokenContractSection && tokenContractEl) {
+        if (tx.contractAddress) {
+            const dot = addressDotHtml(tx.contractAddress);
+            const link = `https://etherscan.io/token/${tx.contractAddress}`;
+            tokenContractEl.innerHTML =
+                `<div class="flex items-center">${dot}` +
+                copyableHtml(tx.contractAddress, "break-all") +
+                etherscanLinkHtml(link) +
+                `</div>`;
+            tokenContractSection.classList.remove("hidden");
+        } else {
+            tokenContractSection.classList.add("hidden");
+        }
+    }
+
+    // Hide calldata and raw data sections; always fetch full tx details
     const calldataSection = $("tx-detail-calldata-section");
     if (calldataSection) calldataSection.classList.add("hidden");
     const rawDataSection = $("tx-detail-rawdata-section");
     if (rawDataSection) rawDataSection.classList.add("hidden");
 
-    if (tx.isContractCall || tx.direction === "contract") {
+    // Hide on-chain detail sections until populated
-        loadCalldata(tx.hash, tx.to);
+    for (const id of [
+        "tx-detail-block-section",
+        "tx-detail-nonce-section",
+        "tx-detail-fee-section",
+        "tx-detail-gasprice-section",
+        "tx-detail-gasused-section",
+    ]) {
+        const el = $(id);
+        if (el) el.classList.add("hidden");
     }
 
+    loadFullTxDetails(tx.hash, tx.to, tx.isContractCall);
+
     const isoStr = isoDate(tx.timestamp);
     $("tx-detail-time").innerHTML =
         copyableHtml(isoStr) + " (" + escapeHtml(timeAgo(tx.timestamp)) + ")";
@@ -177,7 +222,90 @@ function render() {
         });
 }
 
-async function loadCalldata(txHash, toAddress) {
+function showDetailField(sectionId, contentId, value) {
+    const section = $(sectionId);
+    const el = $(contentId);
+    if (!section || !el) return;
+    el.innerHTML = copyableHtml(value, "");
+    section.classList.remove("hidden");
+}
+
+function populateOnChainDetails(txData) {
+    // Block number
+    if (txData.block_number != null) {
+        const blockLink = `https://etherscan.io/block/${txData.block_number}`;
+        const blockSection = $("tx-detail-block-section");
+        const blockEl = $("tx-detail-block");
+        if (blockSection && blockEl) {
+            blockEl.innerHTML =
+                copyableHtml(String(txData.block_number), "") +
+                etherscanLinkHtml(blockLink);
+            blockSection.classList.remove("hidden");
+        }
+    }
+
+    // Nonce
+    if (txData.nonce != null) {
+        showDetailField(
+            "tx-detail-nonce-section",
+            "tx-detail-nonce",
+            String(txData.nonce),
+        );
+    }
+
+    // Transaction fee
+    const feeWei = txData.fee?.value || txData.tx_fee;
+    if (feeWei) {
+        const feeEth = formatEther(String(feeWei));
+        showDetailField(
+            "tx-detail-fee-section",
+            "tx-detail-fee",
+            feeEth + " ETH",
+        );
+    }
+
+    // Gas price
+    const gasPrice = txData.gas_price;
+    if (gasPrice) {
+        const gwei = formatUnits(String(gasPrice), "gwei");
+        showDetailField(
+            "tx-detail-gasprice-section",
+            "tx-detail-gasprice",
+            gwei + " Gwei",
+        );
+    }
+
+    // Gas used
+    const gasUsed = txData.gas_used;
+    if (gasUsed) {
+        showDetailField(
+            "tx-detail-gasused-section",
+            "tx-detail-gasused",
+            String(gasUsed),
+        );
+    }
+
+    // Bind copy handlers for newly added elements
+    for (const id of [
+        "tx-detail-block-section",
+        "tx-detail-nonce-section",
+        "tx-detail-fee-section",
+        "tx-detail-gasprice-section",
+        "tx-detail-gasused-section",
+    ]) {
+        const section = $(id);
+        if (!section) continue;
+        section.querySelectorAll("[data-copy]").forEach((el) => {
+            el.onclick = () => {
+                navigator.clipboard.writeText(el.dataset.copy);
+                showFlash("Copied!");
+                flashCopyFeedback(el);
+            };
+        });
+    }
+}
+
+async function loadFullTxDetails(txHash, toAddress, isContractCall) {
     const section = $("tx-detail-calldata-section");
     const actionEl = $("tx-detail-calldata-action");
     const detailsEl = $("tx-detail-calldata-details");
@@ -192,6 +320,10 @@ async function loadCalldata(txHash, toAddress) {
         );
         if (!resp.ok) return;
         const txData = await resp.json();
+
+        // Populate on-chain detail fields (block, nonce, gas, fee)
+        populateOnChainDetails(txData);
+
         const inputData = txData.raw_input || txData.input || null;
         if (!inputData || inputData === "0x") return;
 

src/shared/phishingDomains.js

@@ -1,68 +1,106 @@
-// Domain-based phishing detection using MetaMask's eth-phishing-detect blocklist.
+// Domain-based phishing detection using a vendored blocklist with delta updates.
 //
-// Architecture:
+// A community-maintained phishing domain blocklist is vendored in
-//   1. A vendored copy of the blocklist ships with the extension
+// phishingBlocklist.json and bundled at build time. At runtime, we fetch
-//      (src/data/phishing-domains.json — sorted blacklist for binary search).
+// the live list periodically and keep only the delta (new entries not in
-//   2. Every 24h we fetch the latest list from MetaMask's repo and compute
+// the vendored list) in memory. This keeps runtime memory usage small.
-//      the delta (new domains not in the vendored snapshot).
-//   3. Only the delta is kept in memory / persisted to chrome.storage.local.
-//   4. Domain checks hit the delta first (fresh scam sites), then the
-//      vendored baseline via binary search.
 //
-// Source: https://github.com/MetaMask/eth-phishing-detect (src/config.json)
+// The domain-checker checks the in-memory delta first (fresh/recent scam
+// sites), then falls back to the vendored list.
+//
+// If the delta is under 256 KiB it is persisted to localStorage so it
+// survives extension/service-worker restarts.
 
-const vendoredConfig = require("../data/phishing-domains.json");
+const vendoredConfig = require("./phishingBlocklist.json");
 
 const BLOCKLIST_URL =
     "https://raw.githubusercontent.com/MetaMask/eth-phishing-detect/main/src/config.json";
 
 const CACHE_TTL_MS = 24 * 60 * 60 * 1000; // 24 hours
-const DELTA_STORAGE_KEY = "phishing_domain_delta";
+const REFRESH_INTERVAL_MS = 24 * 60 * 60 * 1000; // 24 hours
-const DELTA_MAX_BYTES = 256 * 1024; // 256 KiB
+const DELTA_STORAGE_KEY = "phishing-delta";
+const MAX_DELTA_BYTES = 256 * 1024; // 256 KiB
 
-// Vendored baseline — sorted arrays for binary search (no extra Set needed).
+// Vendored sets — built once from the bundled JSON.
-const vendoredBlacklist = vendoredConfig.blacklist; // pre-sorted lowercase
+const vendoredBlacklist = new Set(
+    (vendoredConfig.blacklist || []).map((d) => d.toLowerCase()),
+);
 const vendoredWhitelist = new Set(
     (vendoredConfig.whitelist || []).map((d) => d.toLowerCase()),
 );
 
-// Delta state — only domains added upstream since the vendored snapshot.
+// Delta sets — only entries from live list that are NOT in vendored.
-let deltaBlacklistSet = new Set();
+let deltaBlacklist = new Set();
-let deltaWhitelistSet = new Set();
+let deltaWhitelist = new Set();
 let lastFetchTime = 0;
 let fetchPromise = null;
-let persistedDeltaLoaded = false;
+let refreshTimer = null;
 
 /**
- * Normalize a domain entry: lowercase and strip wildcard prefix ("*.").
+ * Load delta entries from localStorage on startup.
- * Wildcard domains like "*.evil.com" become "evil.com" — our subdomain
+ * Called once during module initialization in the background script.
- * matching in hostnameVariants() already covers child domains.
- *
- * @param {string} domain
- * @returns {string}
  */
-function normalizeDomain(domain) {
+function loadDeltaFromStorage() {
-    const d = domain.toLowerCase();
+    try {
-    return d.startsWith("*.") ? d.slice(2) : d;
+        const raw = localStorage.getItem(DELTA_STORAGE_KEY);
+        if (!raw) return;
+        const data = JSON.parse(raw);
+        if (data.blacklist && Array.isArray(data.blacklist)) {
+            deltaBlacklist = new Set(
+                data.blacklist.map((d) => d.toLowerCase()),
+            );
+        }
+        if (data.whitelist && Array.isArray(data.whitelist)) {
+            deltaWhitelist = new Set(
+                data.whitelist.map((d) => d.toLowerCase()),
+            );
+        }
+    } catch {
+        // localStorage unavailable or corrupt — start empty
+    }
 }
 
 /**
- * Binary search on a sorted string array.
+ * Persist delta to localStorage if it fits within MAX_DELTA_BYTES.
- *
- * @param {string[]} sorted - Sorted array of lowercase strings.
- * @param {string} target - Lowercase string to find.
- * @returns {boolean}
  */
-function binarySearch(sorted, target) {
+function saveDeltaToStorage() {
-    let lo = 0;
+    try {
-    let hi = sorted.length - 1;
+        const data = {
-    while (lo <= hi) {
+            blacklist: Array.from(deltaBlacklist),
-        const mid = (lo + hi) >>> 1;
+            whitelist: Array.from(deltaWhitelist),
-        if (sorted[mid] === target) return true;
+        };
-        if (sorted[mid] < target) lo = mid + 1;
+        const json = JSON.stringify(data);
-        else hi = mid - 1;
+        if (json.length < MAX_DELTA_BYTES) {
+            localStorage.setItem(DELTA_STORAGE_KEY, json);
+        } else {
+            // Too large — remove stale key if present
+            localStorage.removeItem(DELTA_STORAGE_KEY);
+        }
+    } catch {
+        // localStorage unavailable — skip silently
     }
-    return false;
+}
+
+/**
+ * Load a pre-parsed config and compute the delta against the vendored list.
+ * Used for both live fetches and testing.
+ *
+ * @param {{ blacklist?: string[], whitelist?: string[] }} config
+ */
+function loadConfig(config) {
+    const liveBlacklist = (config.blacklist || []).map((d) => d.toLowerCase());
+    const liveWhitelist = (config.whitelist || []).map((d) => d.toLowerCase());
+
+    // Delta = entries in the live list that are NOT in the vendored list
+    deltaBlacklist = new Set(
+        liveBlacklist.filter((d) => !vendoredBlacklist.has(d)),
+    );
+    deltaWhitelist = new Set(
+        liveWhitelist.filter((d) => !vendoredWhitelist.has(d)),
+    );
+
+    lastFetchTime = Date.now();
+    saveDeltaToStorage();
 }
 
 /**
@@ -76,6 +114,7 @@ function hostnameVariants(hostname) {
     const h = hostname.toLowerCase();
     const variants = [h];
     const parts = h.split(".");
+    // Parent domains: a.b.c.d -> b.c.d, c.d
     for (let i = 1; i < parts.length - 1; i++) {
         variants.push(parts.slice(i).join("."));
     }
@@ -84,8 +123,8 @@ function hostnameVariants(hostname) {
 
 /**
  * Check if a hostname is on the phishing blocklist.
- * Checks delta (fresh additions) first, then vendored baseline.
+ * Checks delta first (fresh/recent scam sites), then vendored list.
- * Whitelisted domains (vendored + delta) are never flagged.
+ * Whitelisted domains (delta + vendored) are never flagged.
  *
  * @param {string} hostname - The hostname to check.
  * @returns {boolean}
@@ -94,107 +133,27 @@ function isPhishingDomain(hostname) {
     if (!hostname) return false;
     const variants = hostnameVariants(hostname);
 
-    // Whitelist takes priority (both vendored and delta)
+    // Whitelist takes priority — check delta whitelist first, then vendored
     for (const v of variants) {
-        if (vendoredWhitelist.has(v) || deltaWhitelistSet.has(v)) return false;
+        if (deltaWhitelist.has(v) || vendoredWhitelist.has(v)) return false;
     }
 
-    // Check delta first — fresh scam sites hit here
+    // Check delta blacklist first (fresh/recent scam sites), then vendored
     for (const v of variants) {
-        if (deltaBlacklistSet.has(v)) return true;
+        if (deltaBlacklist.has(v) || vendoredBlacklist.has(v)) return true;
     }
-
-    // Check vendored baseline via binary search
-    for (const v of variants) {
-        if (binarySearch(vendoredBlacklist, v)) return true;
-    }
-
     return false;
 }
 
 /**
- * Get the storage API if available (chrome.storage.local / browser.storage.local).
+ * Fetch the latest blocklist and compute delta against vendored data.
- *
+ * De-duplicates concurrent fetches. Results are cached for CACHE_TTL_MS.
- * @returns {object|null}
- */
-function getStorageApi() {
-    if (typeof browser !== "undefined" && browser.storage) {
-        return browser.storage.local;
-    }
-    if (typeof chrome !== "undefined" && chrome.storage) {
-        return chrome.storage.local;
-    }
-    return null;
-}
-
-/**
- * Load persisted delta from chrome.storage.local.
- * Called once on first update to restore delta across restarts.
- *
- * @returns {Promise<void>}
- */
-async function loadPersistedDelta() {
-    const storage = getStorageApi();
-    if (!storage) return;
-
-    try {
-        const result = await storage.get(DELTA_STORAGE_KEY);
-        const data = result[DELTA_STORAGE_KEY];
-        if (data && data.blacklist && data.whitelist) {
-            deltaBlacklistSet = new Set(data.blacklist);
-            deltaWhitelistSet = new Set(data.whitelist);
-            if (data.fetchTime) {
-                lastFetchTime = data.fetchTime;
-            }
-        }
-    } catch {
-        // Storage unavailable or corrupted — start fresh.
-    }
-    persistedDeltaLoaded = true;
-}
-
-/**
- * Persist the current delta to chrome.storage.local if it fits in 256 KiB.
- *
- * @returns {Promise<void>}
- */
-async function persistDelta() {
-    const storage = getStorageApi();
-    if (!storage) return;
-
-    const data = {
-        blacklist: Array.from(deltaBlacklistSet),
-        whitelist: Array.from(deltaWhitelistSet),
-        fetchTime: lastFetchTime,
-    };
-
-    const serialized = JSON.stringify(data);
-    if (serialized.length > DELTA_MAX_BYTES) {
-        // Delta too large to persist — keep in memory only.
-        return;
-    }
-
-    try {
-        await storage.set({ [DELTA_STORAGE_KEY]: data });
-    } catch {
-        // Storage write failed — non-fatal.
-    }
-}
-
-/**
- * Fetch the latest blocklist, compute delta against vendored baseline,
- * and update in-memory state.  De-duplicates concurrent fetches.
  *
  * @returns {Promise<void>}
  */
 async function updatePhishingList() {
-    // Load persisted delta on first call
-    if (!persistedDeltaLoaded) {
-        await loadPersistedDelta();
-    }
-
     // Skip if recently fetched
-    if (Date.now() - lastFetchTime < CACHE_TTL_MS) {
+    if (Date.now() - lastFetchTime < CACHE_TTL_MS && lastFetchTime > 0) {
         return;
     }
 
@@ -206,32 +165,10 @@ async function updatePhishingList() {
             const resp = await fetch(BLOCKLIST_URL);
             if (!resp.ok) throw new Error("HTTP " + resp.status);
             const config = await resp.json();
-
+            loadConfig(config);
-            // Compute blacklist delta: remote items not in vendored baseline
-            const newDeltaBl = new Set();
-            for (const domain of config.blacklist || []) {
-                const d = normalizeDomain(domain);
-                if (!binarySearch(vendoredBlacklist, d)) {
-                    newDeltaBl.add(d);
-                }
-            }
-
-            // Compute whitelist delta: remote items not in vendored whitelist
-            const newDeltaWl = new Set();
-            for (const domain of config.whitelist || []) {
-                const d = normalizeDomain(domain);
-                if (!vendoredWhitelist.has(d)) {
-                    newDeltaWl.add(d);
-                }
-            }
-
-            deltaBlacklistSet = newDeltaBl;
-            deltaWhitelistSet = newDeltaWl;
-            lastFetchTime = Date.now();
-
-            await persistDelta();
         } catch {
-            // Fetch failed — keep existing delta, retry next time.
+            // Silently fail — vendored list still provides coverage.
+            // We'll retry next time.
         } finally {
             fetchPromise = null;
         }
@@ -241,57 +178,61 @@ async function updatePhishingList() {
 }
 
 /**
- * Load a pre-parsed config directly into state (vendored + delta combined).
+ * Start periodic refresh of the phishing list.
- * Used for testing.
+ * Should be called once from the background script on startup.
- *
- * @param {{ blacklist?: string[], whitelist?: string[] }} config
  */
-function loadConfig(config) {
+function startPeriodicRefresh() {
-    // For tests: treat the entire config as delta (overlaid on vendored).
+    if (refreshTimer) return;
-    // Clear existing delta first.
+    refreshTimer = setInterval(updatePhishingList, REFRESH_INTERVAL_MS);
-    deltaBlacklistSet = new Set((config.blacklist || []).map(normalizeDomain));
-    deltaWhitelistSet = new Set((config.whitelist || []).map(normalizeDomain));
-    lastFetchTime = Date.now();
-    persistedDeltaLoaded = true;
 }
 
 /**
- * Return total blocklist size (vendored + delta, for diagnostics).
+ * Return the total blocklist size (vendored + delta) for diagnostics.
  *
  * @returns {number}
  */
 function getBlocklistSize() {
-    return vendoredBlacklist.length + deltaBlacklistSet.size;
+    return vendoredBlacklist.size + deltaBlacklist.size;
 }
 
 /**
- * Return delta size (for diagnostics).
+ * Return the delta blocklist size for diagnostics.
  *
  * @returns {number}
  */
 function getDeltaSize() {
-    return deltaBlacklistSet.size;
+    return deltaBlacklist.size;
 }
 
 /**
  * Reset internal state (for testing).
  */
 function _reset() {
-    deltaBlacklistSet = new Set();
+    deltaBlacklist = new Set();
-    deltaWhitelistSet = new Set();
+    deltaWhitelist = new Set();
     lastFetchTime = 0;
     fetchPromise = null;
-    persistedDeltaLoaded = false;
+    if (refreshTimer) {
+        clearInterval(refreshTimer);
+        refreshTimer = null;
+    }
 }
 
+// Load persisted delta on module initialization
+loadDeltaFromStorage();
+
 module.exports = {
     isPhishingDomain,
     updatePhishingList,
+    startPeriodicRefresh,
     loadConfig,
     getBlocklistSize,
     getDeltaSize,
     hostnameVariants,
-    binarySearch,
-    normalizeDomain,
     _reset,
+    // Exposed for testing only
+    _getVendoredBlacklistSize: () => vendoredBlacklist.size,
+    _getVendoredWhitelistSize: () => vendoredWhitelist.size,
+    _getDeltaBlacklist: () => deltaBlacklist,
+    _getDeltaWhitelist: () => deltaWhitelist,
 };

src/shared/transactions.js

@@ -153,24 +153,38 @@ async function fetchRecentTransactions(address, blockscoutUrl, count = 25) {
 
     // When a token transfer shares a hash with a normal tx, the normal tx
     // is the contract call (0 ETH) and the token transfer has the real
-    // amount and symbol.  A single transaction (e.g. a swap) can produce
+    // amount and symbol.  For contract calls (swaps), a single transaction
-    // multiple token transfers (one per token involved), so we key token
+    // can produce multiple token transfers (input, intermediates, output).
-    // transfers by hash + contract address to keep all of them.  We also
+    // We consolidate these into the original tx entry using the token
-    // preserve contract-call metadata (direction, label, method) from the
+    // transfer where the user *receives* tokens (the swap output), so
-    // matching normal tx so swaps display correctly.
+    // the transaction list shows the final result rather than confusing
+    // intermediate hops.  We preserve the original tx's from/to so the
+    // user sees their own address, not a router or Permit2 contract.
     for (const tt of ttJson.items || []) {
         const parsed = parseTokenTransfer(tt, addrLower);
         const existing = txsByHash.get(parsed.hash);
         if (existing && existing.direction === "contract") {
-            parsed.direction = "contract";
+            // For contract calls (swaps), consolidate into the original
-            parsed.directionLabel = existing.directionLabel;
+            // tx entry.  Prefer the "received" transfer (swap output)
-            parsed.isContractCall = true;
+            // for the display amount.  If no received transfer exists,
-            parsed.method = existing.method;
+            // fall back to the first "sent" transfer (swap input).
-            // Remove the bare-hash normal tx so it doesn't appear as a
+            const isReceived = parsed.direction === "received";
-            // duplicate with empty value; token transfers replace it.
+            const needsAmount = !existing.exactValue;
-            txsByHash.delete(parsed.hash);
+            if (isReceived || needsAmount) {
+                existing.value = parsed.value;
+                existing.exactValue = parsed.exactValue;
+                existing.rawAmount = parsed.rawAmount;
+                existing.rawUnit = parsed.rawUnit;
+                existing.symbol = parsed.symbol;
+                existing.contractAddress = parsed.contractAddress;
+                existing.holders = parsed.holders;
+            }
+            // Keep the original tx's from/to (the user's address and the
+            // contract they called), not the token transfer's from/to
+            // which may be a router or Permit2 contract.
+            continue;
         }
-        // Use composite key so multiple token transfers per tx are kept.
+        // Non-contract token transfers get their own entries.
         const ttKey = parsed.hash + ":" + (parsed.contractAddress || "");
         txsByHash.set(ttKey, parsed);
     }

src/shared/uniswap.js

@@ -359,9 +359,12 @@ function decode(data, toAddress) {
                     const s = decodeV3SwapExactIn(inputs[i]);
                     if (s) {
                         if (!inputToken) inputToken = s.tokenIn;
-                        if (!outputToken) outputToken = s.tokenOut;
                         if (!inputAmount) inputAmount = s.amountIn;
-                        if (!minOutput) minOutput = s.amountOutMin;
+                        // Always update output: in multi-step swaps (V3 → V4),
+                        // the last swap step determines the final output token
+                        // and minimum received amount.
+                        outputToken = s.tokenOut;
+                        minOutput = s.amountOutMin;
                     }
                 }
 
@@ -369,9 +372,9 @@ function decode(data, toAddress) {
                     const s = decodeV2SwapExactIn(inputs[i]);
                     if (s) {
                         if (!inputToken) inputToken = s.tokenIn;
-                        if (!outputToken) outputToken = s.tokenOut;
                         if (!inputAmount) inputAmount = s.amountIn;
-                        if (!minOutput) minOutput = s.amountOutMin;
+                        outputToken = s.tokenOut;
+                        minOutput = s.amountOutMin;
                     }
                 }
 
@@ -388,12 +391,11 @@ function decode(data, toAddress) {
                     const v4 = decodeV4Swap(inputs[i]);
                     if (v4) {
                         if (!inputToken && v4.tokenIn) inputToken = v4.tokenIn;
-                        if (!outputToken && v4.tokenOut)
-                            outputToken = v4.tokenOut;
                         if (!inputAmount && v4.amountIn)
                             inputAmount = v4.amountIn;
-                        if (!minOutput && v4.amountOutMin)
+                        // Always update output: last swap step wins
-                            minOutput = v4.amountOutMin;
+                        if (v4.tokenOut) outputToken = v4.tokenOut;
+                        if (v4.amountOutMin) minOutput = v4.amountOutMin;
                     }
                 }
 

tests/phishingDomains.test.js

@@ -1,21 +1,70 @@
+// Provide a localStorage mock for Node.js test environment.
+// Must be set before requiring the module since it calls loadDeltaFromStorage()
+// at module load time.
+const localStorageStore = {};
+global.localStorage = {
+    getItem: (key) =>
+        Object.prototype.hasOwnProperty.call(localStorageStore, key)
+            ? localStorageStore[key]
+            : null,
+    setItem: (key, value) => {
+        localStorageStore[key] = String(value);
+    },
+    removeItem: (key) => {
+        delete localStorageStore[key];
+    },
+};
+
 const {
     isPhishingDomain,
     loadConfig,
     getBlocklistSize,
     getDeltaSize,
     hostnameVariants,
-    binarySearch,
-    normalizeDomain,
     _reset,
+    _getVendoredBlacklistSize,
+    _getVendoredWhitelistSize,
+    _getDeltaBlacklist,
+    _getDeltaWhitelist,
 } = require("../src/shared/phishingDomains");
 
-// The vendored baseline is loaded automatically via require().
+// Reset delta state before each test to avoid cross-test contamination.
-// _reset() clears only the delta state, not the vendored baseline.
+// Note: vendored sets are immutable and always present.
 beforeEach(() => {
     _reset();
+    // Clear localStorage mock between tests
+    for (const key of Object.keys(localStorageStore)) {
+        delete localStorageStore[key];
+    }
 });
 
 describe("phishingDomains", () => {
+    describe("vendored blocklist", () => {
+        test("vendored blacklist is loaded from bundled JSON", () => {
+            // The vendored blocklist should have a large number of entries
+            expect(_getVendoredBlacklistSize()).toBeGreaterThan(100000);
+        });
+
+        test("vendored whitelist is loaded from bundled JSON", () => {
+            expect(_getVendoredWhitelistSize()).toBeGreaterThan(0);
+        });
+
+        test("detects domains from vendored blacklist", () => {
+            // These are well-known phishing domains in the vendored list
+            expect(isPhishingDomain("hopprotocol.pro")).toBe(true);
+            expect(isPhishingDomain("blast-pools.pages.dev")).toBe(true);
+        });
+
+        test("vendored whitelist overrides vendored blacklist", () => {
+            // opensea.pro is whitelisted in the vendored config
+            expect(isPhishingDomain("opensea.pro")).toBe(false);
+        });
+
+        test("getBlocklistSize includes vendored entries", () => {
+            expect(getBlocklistSize()).toBeGreaterThan(100000);
+        });
+    });
+
     describe("hostnameVariants", () => {
         test("returns exact hostname plus parent domains", () => {
             const variants = hostnameVariants("sub.evil.com");
@@ -43,205 +92,168 @@ describe("phishingDomains", () => {
         });
     });
 
-    describe("binarySearch", () => {
+    describe("delta computation via loadConfig", () => {
-        const sorted = ["alpha.com", "beta.com", "gamma.com", "zeta.com"];
+        test("loadConfig computes delta of new entries not in vendored list", () => {
-
-        test("finds existing elements", () => {
-            expect(binarySearch(sorted, "alpha.com")).toBe(true);
-            expect(binarySearch(sorted, "gamma.com")).toBe(true);
-            expect(binarySearch(sorted, "zeta.com")).toBe(true);
-        });
-
-        test("returns false for missing elements", () => {
-            expect(binarySearch(sorted, "aaa.com")).toBe(false);
-            expect(binarySearch(sorted, "delta.com")).toBe(false);
-            expect(binarySearch(sorted, "zzz.com")).toBe(false);
-        });
-
-        test("handles empty array", () => {
-            expect(binarySearch([], "anything")).toBe(false);
-        });
-
-        test("handles single-element array", () => {
-            expect(binarySearch(["only.com"], "only.com")).toBe(true);
-            expect(binarySearch(["only.com"], "other.com")).toBe(false);
-        });
-    });
-
-    describe("normalizeDomain", () => {
-        test("strips *. wildcard prefix", () => {
-            expect(normalizeDomain("*.evil.com")).toBe("evil.com");
-            expect(normalizeDomain("*.sub.evil.com")).toBe("sub.evil.com");
-        });
-
-        test("lowercases domains", () => {
-            expect(normalizeDomain("Evil.COM")).toBe("evil.com");
-            expect(normalizeDomain("*.Evil.COM")).toBe("evil.com");
-        });
-
-        test("passes through normal domains unchanged", () => {
-            expect(normalizeDomain("example.com")).toBe("example.com");
-        });
-    });
-
-    describe("wildcard domain handling", () => {
-        test("wildcard blacklist entries match via loadConfig", () => {
             loadConfig({
-                blacklist: ["*.scam-site.com", "normal-scam.com"],
+                blacklist: [
+                    "brand-new-scam-site-xyz123.com",
+                    "hopprotocol.pro", // already in vendored
+                ],
                 whitelist: [],
             });
-            // *.scam-site.com is normalized to scam-site.com
+            // Only the new domain should be in the delta
-            expect(isPhishingDomain("scam-site.com")).toBe(true);
+            expect(
-            expect(isPhishingDomain("sub.scam-site.com")).toBe(true);
+                _getDeltaBlacklist().has("brand-new-scam-site-xyz123.com"),
-            expect(isPhishingDomain("normal-scam.com")).toBe(true);
+            ).toBe(true);
+            expect(_getDeltaBlacklist().has("hopprotocol.pro")).toBe(false);
+            expect(getDeltaSize()).toBe(1);
+        });
+
+        test("delta whitelist entries are computed correctly", () => {
+            loadConfig({
+                blacklist: [],
+                whitelist: [
+                    "new-safe-site-xyz789.com",
+                    "opensea.pro", // already in vendored whitelist
+                ],
+            });
+            expect(_getDeltaWhitelist().has("new-safe-site-xyz789.com")).toBe(
+                true,
+            );
+            expect(_getDeltaWhitelist().has("opensea.pro")).toBe(false);
+        });
+
+        test("re-loading config replaces previous delta", () => {
+            loadConfig({
+                blacklist: ["first-scam-xyz.com"],
+                whitelist: [],
+            });
+            expect(isPhishingDomain("first-scam-xyz.com")).toBe(true);
+
+            loadConfig({
+                blacklist: ["second-scam-xyz.com"],
+                whitelist: [],
+            });
+            expect(isPhishingDomain("first-scam-xyz.com")).toBe(false);
+            expect(isPhishingDomain("second-scam-xyz.com")).toBe(true);
+        });
+
+        test("getBlocklistSize includes both vendored and delta", () => {
+            const baseSize = getBlocklistSize();
+            loadConfig({
+                blacklist: ["delta-only-scam-xyz.com"],
+                whitelist: [],
+            });
+            expect(getBlocklistSize()).toBe(baseSize + 1);
         });
     });
 
-    describe("vendored baseline detection", () => {
+    describe("isPhishingDomain with delta + vendored", () => {
-        // These tests verify that the vendored phishing-domains.json
+        test("detects domain from delta blacklist", () => {
-        // is loaded and searchable without any delta loaded.
+            loadConfig({
-
+                blacklist: ["fresh-scam-xyz.com"],
-        test("getBlocklistSize reflects vendored list (no delta)", () => {
+                whitelist: [],
-            // The vendored list has 231k+ domains; delta is empty after reset.
+            });
-            expect(getBlocklistSize()).toBeGreaterThan(200000);
+            expect(isPhishingDomain("fresh-scam-xyz.com")).toBe(true);
-            expect(getDeltaSize()).toBe(0);
         });
 
-        test("returns false for clean domains against vendored list", () => {
+        test("detects domain from vendored blacklist", () => {
-            expect(isPhishingDomain("google.com")).toBe(false);
+            // No delta loaded — vendored still works
-            expect(isPhishingDomain("github.com")).toBe(false);
+            expect(isPhishingDomain("hopprotocol.pro")).toBe(true);
+        });
+
+        test("returns false for clean domains", () => {
+            expect(isPhishingDomain("etherscan.io")).toBe(false);
+            expect(isPhishingDomain("example.com")).toBe(false);
+        });
+
+        test("detects subdomain of blacklisted domain (vendored)", () => {
+            expect(isPhishingDomain("app.hopprotocol.pro")).toBe(true);
+        });
+
+        test("detects subdomain of blacklisted domain (delta)", () => {
+            loadConfig({
+                blacklist: ["delta-phish-xyz.com"],
+                whitelist: [],
+            });
+            expect(isPhishingDomain("sub.delta-phish-xyz.com")).toBe(true);
+        });
+
+        test("delta whitelist overrides vendored blacklist", () => {
+            // hopprotocol.pro is in the vendored blacklist
+            expect(isPhishingDomain("hopprotocol.pro")).toBe(true);
+            loadConfig({
+                blacklist: [],
+                whitelist: ["hopprotocol.pro"],
+            });
+            // Now whitelisted via delta — should not be flagged
+            expect(isPhishingDomain("hopprotocol.pro")).toBe(false);
+        });
+
+        test("vendored whitelist overrides delta blacklist", () => {
+            loadConfig({
+                blacklist: ["opensea.pro"], // opensea.pro is vendored-whitelisted
+                whitelist: [],
+            });
+            expect(isPhishingDomain("opensea.pro")).toBe(false);
+        });
+
+        test("case-insensitive matching", () => {
+            loadConfig({
+                blacklist: ["Delta-Scam-XYZ.COM"],
+                whitelist: [],
+            });
+            expect(isPhishingDomain("delta-scam-xyz.com")).toBe(true);
+            expect(isPhishingDomain("DELTA-SCAM-XYZ.COM")).toBe(true);
         });
 
         test("returns false for empty/null hostname", () => {
             expect(isPhishingDomain("")).toBe(false);
             expect(isPhishingDomain(null)).toBe(false);
         });
-    });
-
-    describe("delta (loadConfig) + isPhishingDomain", () => {
-        test("detects domains loaded into delta via loadConfig", () => {
-            loadConfig({
-                blacklist: ["evil-phishing.com", "scam-swap.xyz"],
-                whitelist: [],
-            });
-            expect(isPhishingDomain("evil-phishing.com")).toBe(true);
-            expect(isPhishingDomain("scam-swap.xyz")).toBe(true);
-        });
-
-        test("detects subdomain of delta-blacklisted domain", () => {
-            loadConfig({
-                blacklist: ["evil-phishing.com"],
-                whitelist: [],
-            });
-            expect(isPhishingDomain("app.evil-phishing.com")).toBe(true);
-            expect(isPhishingDomain("sub.app.evil-phishing.com")).toBe(true);
-        });
-
-        test("delta whitelist overrides delta blacklist", () => {
-            loadConfig({
-                blacklist: ["metamask.io"],
-                whitelist: ["metamask.io"],
-            });
-            expect(isPhishingDomain("metamask.io")).toBe(false);
-        });
-
-        test("delta whitelist on parent domain overrides blacklist", () => {
-            loadConfig({
-                blacklist: ["sub.legit.com"],
-                whitelist: ["legit.com"],
-            });
-            expect(isPhishingDomain("sub.legit.com")).toBe(false);
-        });
-
-        test("case-insensitive matching in delta", () => {
-            loadConfig({
-                blacklist: ["Evil-Phishing.COM"],
-                whitelist: [],
-            });
-            expect(isPhishingDomain("evil-phishing.com")).toBe(true);
-            expect(isPhishingDomain("EVIL-PHISHING.COM")).toBe(true);
-        });
-
-        test("getDeltaSize reflects loaded delta", () => {
-            loadConfig({
-                blacklist: ["a.com", "b.com", "c.com"],
-                whitelist: ["d.com"],
-            });
-            expect(getDeltaSize()).toBe(3);
-        });
-
-        test("re-loading config replaces previous delta", () => {
-            loadConfig({
-                blacklist: ["old-scam.com"],
-                whitelist: [],
-            });
-            expect(isPhishingDomain("old-scam.com")).toBe(true);
-
-            loadConfig({
-                blacklist: ["new-scam.com"],
-                whitelist: [],
-            });
-            expect(isPhishingDomain("old-scam.com")).toBe(false);
-            expect(isPhishingDomain("new-scam.com")).toBe(true);
-        });
 
         test("handles config with no blacklist/whitelist keys", () => {
             loadConfig({});
             expect(getDeltaSize()).toBe(0);
+            // Vendored list still works
+            expect(isPhishingDomain("hopprotocol.pro")).toBe(true);
         });
     });
 
-    describe("real-world MetaMask blocklist patterns (via delta)", () => {
+    describe("localStorage persistence", () => {
-        test("detects known phishing domains loaded as delta", () => {
+        test("saveDeltaToStorage persists delta under 256KiB", () => {
             loadConfig({
-                blacklist: [
+                blacklist: ["persisted-scam-xyz.com"],
-                    "uniswap-trade.web.app",
+                whitelist: ["persisted-safe-xyz.com"],
-                    "hopprotocol.pro",
+            });
-                    "blast-pools.pages.dev",
+            const stored = localStorage.getItem("phishing-delta");
-                ],
+            expect(stored).not.toBeNull();
+            const data = JSON.parse(stored);
+            expect(data.blacklist).toContain("persisted-scam-xyz.com");
+            expect(data.whitelist).toContain("persisted-safe-xyz.com");
+        });
+
+        test("delta is cleared on _reset", () => {
+            loadConfig({
+                blacklist: ["temp-scam-xyz.com"],
                 whitelist: [],
             });
+            expect(getDeltaSize()).toBe(1);
+            _reset();
+            expect(getDeltaSize()).toBe(0);
+        });
+    });
+
+    describe("real-world blocklist patterns", () => {
+        test("detects known phishing domains from vendored list", () => {
             expect(isPhishingDomain("uniswap-trade.web.app")).toBe(true);
             expect(isPhishingDomain("hopprotocol.pro")).toBe(true);
             expect(isPhishingDomain("blast-pools.pages.dev")).toBe(true);
         });
 
-        test("delta whitelist overrides vendored blacklist entries", () => {
+        test("does not flag legitimate whitelisted domains", () => {
-            // If a domain is in the vendored blacklist but a fresh whitelist
-            // update adds it, the whitelist should win.
-            loadConfig({
-                blacklist: [],
-                whitelist: ["opensea.io", "metamask.io", "etherscan.io"],
-            });
             expect(isPhishingDomain("opensea.io")).toBe(false);
-            expect(isPhishingDomain("metamask.io")).toBe(false);
             expect(isPhishingDomain("etherscan.io")).toBe(false);
         });
     });
-
-    describe("delta + vendored interaction", () => {
-        test("delta blacklist entries are found even with empty vendored match", () => {
-            // This domain is (almost certainly) not in the vendored list
-            const uniqueDomain =
-                "test-unique-domain-not-in-vendored-" +
-                Date.now() +
-                ".example.com";
-            expect(isPhishingDomain(uniqueDomain)).toBe(false);
-
-            loadConfig({
-                blacklist: [uniqueDomain],
-                whitelist: [],
-            });
-            expect(isPhishingDomain(uniqueDomain)).toBe(true);
-        });
-
-        test("getBlocklistSize includes both vendored and delta", () => {
-            const baseSize = getBlocklistSize();
-            loadConfig({
-                blacklist: ["new-a.com", "new-b.com"],
-                whitelist: [],
-            });
-            expect(getBlocklistSize()).toBe(baseSize + 2);
-        });
-    });
 });