feat: show red warning when sending to address with zero tx history

On the confirm-tx screen, asynchronously check the recipient address
via Blockscout API. If the address has never sent or received any
transactions (normal or ERC-20), display a prominent red warning.

Fails open: network errors silently skip the warning to avoid
blocking legitimate sends.

Closes #82

src/popup/index.html

@@ -577,19 +577,6 @@
                     <div id="confirm-fee-amount" class="text-xs"></div>
                 </div>
                 <div id="confirm-warnings" class="mb-2 hidden"></div>
-                <div
-                    id="confirm-recipient-warning"
-                    class="mb-2"
-                    style="visibility: hidden"
-                >
-                    <div
-                        class="border border-red-500 border-dashed p-2 text-xs font-bold text-red-500"
-                    >
-                        WARNING: The recipient address has ZERO transaction
-                        history. This may indicate a fresh or unused address.
-                        Double-check the address before sending.
-                    </div>
-                </div>
                 <div
                     id="confirm-errors"
                     class="mb-2 border border-border border-dashed p-2 hidden"

src/popup/views/confirmTx.js

@@ -25,6 +25,7 @@ const { decryptWithPassword } = require("../../shared/vault");
 const { formatUsd, getPrice } = require("../../shared/prices");
 const { getProvider } = require("../../shared/balances");
 const { isScamAddress } = require("../../shared/scamlist");
+const { hasZeroTransactionHistory } = require("../../shared/transactions");
 const { ERC20_ABI } = require("../../shared/constants");
 const { log } = require("../../shared/log");
 const makeBlockie = require("ethereum-blockies-base64");
@@ -243,11 +244,6 @@ function show(txInfo) {
     state.viewData = { pendingTx: txInfo };
     showView("confirm-tx");
 
-    // Reset recipient warning: reserve space (visibility:hidden) while
-    // the async check runs, preventing layout shift per README policy.
-    const recipientWarning = $("confirm-recipient-warning");
-    recipientWarning.style.visibility = "hidden";
-
     estimateGas(txInfo);
     checkRecipientHistory(txInfo);
 }
@@ -293,27 +289,20 @@ async function estimateGas(txInfo) {
 }
 
 async function checkRecipientHistory(txInfo) {
-    const el = $("confirm-recipient-warning");
+    const isNew = await hasZeroTransactionHistory(
-    try {
+        txInfo.to,
-        const provider = getProvider(state.rpcUrl);
+        state.blockscoutUrl,
-        // Skip warning for contract addresses — they may legitimately
+    );
-        // have zero outgoing transactions (getTransactionCount returns
+    if (!isNew) return;
-        // the nonce, i.e. sent-tx count only).
+
-        const code = await provider.getCode(txInfo.to);
+    const warningsEl = $("confirm-warnings");
-        if (code && code !== "0x") {
+    const warningHtml =
-            // Contract address — no warning needed, keep space reserved
+        `<div class="border border-red-500 border-dashed p-2 mb-1 text-xs font-bold text-red-500">` +
-            // but invisible to prevent layout shift
+        `WARNING: This address has ZERO transaction history. ` +
-            return;
+        `It has never sent or received any funds. ` +
-        }
+        `Double-check the address before sending.</div>`;
-        const txCount = await provider.getTransactionCount(txInfo.to);
+    warningsEl.innerHTML = warningHtml + warningsEl.innerHTML;
-        if (txCount === 0) {
+    warningsEl.classList.remove("hidden");
-            el.style.visibility = "visible";
-        }
-        // If txCount > 0, leave visibility:hidden — space stays reserved
-    } catch (e) {
-        log.errorf("recipient history check failed:", e.message);
-        // On error, leave visibility:hidden — no layout shift, no false warning
-    }
 }
 
 function init(ctx) {

src/popup/views/transactionDetail.js

@@ -158,9 +158,8 @@ function render() {
         loadCalldata(tx.hash, tx.to);
     }
 
-    const isoStr = isoDate(tx.timestamp);
+    $("tx-detail-time").textContent =
-    $("tx-detail-time").innerHTML =
+        isoDate(tx.timestamp) + " (" + timeAgo(tx.timestamp) + ")";
-        copyableHtml(isoStr) + " (" + escapeHtml(timeAgo(tx.timestamp)) + ")";
     $("tx-detail-status").textContent = tx.isError ? "Failed" : "Success";
     showView("transaction");
 

src/popup/views/txStatus.js

@@ -59,16 +59,6 @@ function txHashHtml(hash) {
     );
 }
 
-function blockNumberHtml(blockNumber) {
-    const num = String(blockNumber);
-    const link = `https://etherscan.io/block/${num}`;
-    const extLink = `<a href="${link}" target="_blank" rel="noopener" class="inline-flex items-center">${EXT_ICON}</a>`;
-    return (
-        `<span class="underline decoration-dashed cursor-pointer" data-copy="${escapeHtml(num)}">${escapeHtml(num)}</span>` +
-        extLink
-    );
-}
-
 function attachCopyHandlers(viewId) {
     document
         .getElementById(viewId)
@@ -199,7 +189,7 @@ function renderSuccess() {
         $("success-tx-to").innerHTML = toAddressHtml(d.to);
     }
 
-    $("success-tx-block").innerHTML = blockNumberHtml(d.blockNumber);
+    $("success-tx-block").textContent = String(d.blockNumber);
     $("success-tx-hash").innerHTML = txHashHtml(d.hash);
 
     // Show decoded calldata details if present

src/shared/transactions.js

@@ -251,4 +251,40 @@ function filterTransactions(txs, filters = {}) {
     return { transactions: filtered, newFraudContracts: newFraud };
 }
 
-module.exports = { fetchRecentTransactions, filterTransactions };
+/**
+ * Check whether an address has any on-chain transaction history.
+ * Returns true if the address has zero normal transactions AND zero
+ * token transfers on the configured Blockscout instance.
+ * Returns false on network errors (fail-open: don't block sends).
+ */
+async function hasZeroTransactionHistory(address, blockscoutUrl) {
+    try {
+        const resp = await debugFetch(
+            blockscoutUrl + "/addresses/" + address + "/transactions?limit=1",
+        );
+        if (!resp.ok) return false;
+        const json = await resp.json();
+        if ((json.items || []).length > 0) return false;
+
+        // Also check token transfers — an address may have only received
+        // ERC-20 tokens without any native ETH transactions.
+        const ttResp = await debugFetch(
+            blockscoutUrl +
+                "/addresses/" +
+                address +
+                "/token-transfers?type=ERC-20&limit=1",
+        );
+        if (!ttResp.ok) return false;
+        const ttJson = await ttResp.json();
+        return (ttJson.items || []).length === 0;
+    } catch (e) {
+        log.errorf("hasZeroTransactionHistory check failed:", e.message);
+        return false;
+    }
+}
+
+module.exports = {
+    fetchRecentTransactions,
+    filterTransactions,
+    hasZeroTransactionHistory,
+};