feat: show red warning when sending to address with zero tx history

On the confirm-tx screen, asynchronously check the recipient address
via Blockscout API. If the address has never sent or received any
transactions (normal or ERC-20), display a prominent red warning.

Fails open: network errors silently skip the warning to avoid
blocking legitimate sends.

Closes #82

src/popup/index.html

@@ -577,19 +577,6 @@
                     <div id="confirm-fee-amount" class="text-xs"></div>
                 </div>
                 <div id="confirm-warnings" class="mb-2 hidden"></div>
-                <div
-                    id="confirm-recipient-warning"
-                    class="mb-2"
-                    style="visibility: hidden"
-                >
-                    <div
-                        class="border border-red-500 border-dashed p-2 text-xs font-bold text-red-500"
-                    >
-                        WARNING: The recipient address has ZERO transaction
-                        history. This may indicate a fresh or unused address.
-                        Double-check the address before sending.
-                    </div>
-                </div>
                 <div
                     id="confirm-errors"
                     class="mb-2 border border-border border-dashed p-2 hidden"

src/popup/views/confirmTx.js

@@ -25,6 +25,7 @@ const { decryptWithPassword } = require("../../shared/vault");
 const { formatUsd, getPrice } = require("../../shared/prices");
 const { getProvider } = require("../../shared/balances");
 const { isScamAddress } = require("../../shared/scamlist");
+const { hasZeroTransactionHistory } = require("../../shared/transactions");
 const { ERC20_ABI } = require("../../shared/constants");
 const { log } = require("../../shared/log");
 const makeBlockie = require("ethereum-blockies-base64");
@@ -243,12 +244,6 @@ function show(txInfo) {
     state.viewData = { pendingTx: txInfo };
     showView("confirm-tx");
 
-    // Reset recipient warning: reserve space (visibility:hidden) while
-    // the async check runs, preventing layout shift per README policy.
-    const recipientWarning = $("confirm-recipient-warning");
-    recipientWarning.style.display = "";
-    recipientWarning.style.visibility = "hidden";
-
     estimateGas(txInfo);
     checkRecipientHistory(txInfo);
 }
@@ -294,31 +289,20 @@ async function estimateGas(txInfo) {
 }
 
 async function checkRecipientHistory(txInfo) {
-    const el = $("confirm-recipient-warning");
-    try {
-        const provider = getProvider(state.rpcUrl);
-        // Skip warning for contract addresses — they may legitimately
-        // have zero outgoing transactions (getTransactionCount returns
-        // the nonce, i.e. sent-tx count only).
-        const code = await provider.getCode(txInfo.to);
-        if (code && code !== "0x") {
-            // Contract address — hide the reserved space entirely
-            el.style.display = "none";
-            return;
-        }
-        const txCount = await provider.getTransactionCount(txInfo.to);
-        if (txCount === 0) {
-            el.style.visibility = "visible";
-        } else {
-            // Address has history — collapse the reserved space
-            el.style.display = "none";
-        }
-    } catch (e) {
-        log.errorf("recipient history check failed:", e.message);
-        // On error, collapse the reserved space rather than showing a
-        // false warning or leaving an empty gap
-        el.style.display = "none";
-    }
+    const isNew = await hasZeroTransactionHistory(
+        txInfo.to,
+        state.blockscoutUrl,
+    );
+    if (!isNew) return;
+
+    const warningsEl = $("confirm-warnings");
+    const warningHtml =
+        `<div class="border border-red-500 border-dashed p-2 mb-1 text-xs font-bold text-red-500">` +
+        `WARNING: This address has ZERO transaction history. ` +
+        `It has never sent or received any funds. ` +
+        `Double-check the address before sending.</div>`;
+    warningsEl.innerHTML = warningHtml + warningsEl.innerHTML;
+    warningsEl.classList.remove("hidden");
 }
 
 function init(ctx) {

src/shared/transactions.js

@@ -251,4 +251,40 @@ function filterTransactions(txs, filters = {}) {
     return { transactions: filtered, newFraudContracts: newFraud };
 }
 
-module.exports = { fetchRecentTransactions, filterTransactions };
+/**
+ * Check whether an address has any on-chain transaction history.
+ * Returns true if the address has zero normal transactions AND zero
+ * token transfers on the configured Blockscout instance.
+ * Returns false on network errors (fail-open: don't block sends).
+ */
+async function hasZeroTransactionHistory(address, blockscoutUrl) {
+    try {
+        const resp = await debugFetch(
+            blockscoutUrl + "/addresses/" + address + "/transactions?limit=1",
+        );
+        if (!resp.ok) return false;
+        const json = await resp.json();
+        if ((json.items || []).length > 0) return false;
+
+        // Also check token transfers — an address may have only received
+        // ERC-20 tokens without any native ETH transactions.
+        const ttResp = await debugFetch(
+            blockscoutUrl +
+                "/addresses/" +
+                address +
+                "/token-transfers?type=ERC-20&limit=1",
+        );
+        if (!ttResp.ok) return false;
+        const ttJson = await ttResp.json();
+        return (ttJson.items || []).length === 0;
+    } catch (e) {
+        log.errorf("hasZeroTransactionHistory check failed:", e.message);
+        return false;
+    }
+}
+
+module.exports = {
+    fetchRecentTransactions,
+    filterTransactions,
+    hasZeroTransactionHistory,
+};