feat: show red warning when sending to address with zero tx history

On the confirm-tx screen, asynchronously check the recipient address
via Blockscout API. If the address has never sent or received any
transactions (normal or ERC-20), display a prominent red warning.

Fails open: network errors silently skip the warning to avoid
blocking legitimate sends.

Closes #82

src/popup/views/approval.js

@@ -172,6 +172,8 @@ function showTxApproval(details) {
     // If this is an ERC-20 call, try to extract the real recipient and amount
     const decoded = decodeCalldata(details.txParams.data, toAddr || "");
     if (decoded && decoded.details) {
+        let decodedTokenAddr = null;
+        let decodedTokenSymbol = null;
         for (const d of decoded.details) {
             if (d.label === "Recipient" && d.address) {
                 pendingTxDetails.to = d.address;
@@ -179,10 +181,20 @@ function showTxApproval(details) {
             if (d.label === "Amount") {
                 pendingTxDetails.amount = d.rawValue || d.value;
             }
+            if (d.label === "Token In" && d.isToken && d.address) {
+                const t = TOKEN_BY_ADDRESS.get(d.address.toLowerCase());
+                if (t) {
+                    decodedTokenAddr = d.address;
+                    decodedTokenSymbol = t.symbol;
+                }
+            }
         }
         if (token) {
             pendingTxDetails.token = toAddr;
             pendingTxDetails.tokenSymbol = token.symbol;
+        } else if (decodedTokenAddr) {
+            pendingTxDetails.token = decodedTokenAddr;
+            pendingTxDetails.tokenSymbol = decodedTokenSymbol;
         }
     }
 

src/popup/views/confirmTx.js

@@ -25,6 +25,7 @@ const { decryptWithPassword } = require("../../shared/vault");
 const { formatUsd, getPrice } = require("../../shared/prices");
 const { getProvider } = require("../../shared/balances");
 const { isScamAddress } = require("../../shared/scamlist");
+const { hasZeroTransactionHistory } = require("../../shared/transactions");
 const { ERC20_ABI } = require("../../shared/constants");
 const { log } = require("../../shared/log");
 const makeBlockie = require("ethereum-blockies-base64");
@@ -244,6 +245,7 @@ function show(txInfo) {
     showView("confirm-tx");
 
     estimateGas(txInfo);
+    checkRecipientHistory(txInfo);
 }
 
 async function estimateGas(txInfo) {
@@ -286,6 +288,23 @@ async function estimateGas(txInfo) {
     }
 }
 
+async function checkRecipientHistory(txInfo) {
+    const isNew = await hasZeroTransactionHistory(
+        txInfo.to,
+        state.blockscoutUrl,
+    );
+    if (!isNew) return;
+
+    const warningsEl = $("confirm-warnings");
+    const warningHtml =
+        `<div class="border border-red-500 border-dashed p-2 mb-1 text-xs font-bold text-red-500">` +
+        `WARNING: This address has ZERO transaction history. ` +
+        `It has never sent or received any funds. ` +
+        `Double-check the address before sending.</div>`;
+    warningsEl.innerHTML = warningHtml + warningsEl.innerHTML;
+    warningsEl.classList.remove("hidden");
+}
+
 function init(ctx) {
     $("btn-confirm-send").addEventListener("click", async () => {
         const password = $("confirm-tx-password").value;

src/popup/views/txStatus.js

@@ -43,10 +43,11 @@ function toAddressHtml(address) {
     if (title) {
         return (
             `<div class="flex items-center font-bold">${dot}${escapeHtml(title)}</div>` +
-            `<div class="break-all">${escapeHtml(address)}${extLink}</div>`
+            `<div class="break-all underline decoration-dashed cursor-pointer" data-copy="${escapeHtml(address)}">${escapeHtml(address)}</div>` +
+            extLink
         );
     }
-    return `<div class="flex items-center">${dot}<span class="break-all">${escapeHtml(address)}</span>${extLink}</div>`;
+    return `<div class="flex items-center">${dot}<span class="break-all underline decoration-dashed cursor-pointer" data-copy="${escapeHtml(address)}">${escapeHtml(address)}</span>${extLink}</div>`;
 }
 
 function txHashHtml(hash) {
@@ -139,7 +140,7 @@ function etherscanTokenLink(address) {
 
 function decodedDetailsHtml(decoded) {
     if (!decoded || !decoded.details) return "";
-    let html = "";
+    let html = `<div class="border border-border border-dashed p-2 mb-3">`;
     if (decoded.name) {
         html += `<div class="mb-2"><div class="text-xs text-muted mb-1">Action</div>`;
         html += `<div class="font-bold">${escapeHtml(decoded.name)}</div></div>`;
@@ -164,20 +165,36 @@ function decodedDetailsHtml(decoded) {
         }
         html += `</div>`;
     }
+    html += `</div>`;
     return html;
 }
 
 function renderSuccess() {
     const d = state.viewData;
     if (!d || !d.hash) return;
+
+    const hasDecoded = d.decoded && d.decoded.details;
+
+    // When decoded details are present, the Amount and To are already
+    // shown inside the decoded well — hide the top-level duplicates.
+    const summarySection = $("success-tx-summary").parentElement;
+    const toSection = $("success-tx-to").parentElement;
+    if (hasDecoded) {
+        summarySection.classList.add("hidden");
+        toSection.classList.add("hidden");
+    } else {
+        summarySection.classList.remove("hidden");
+        toSection.classList.remove("hidden");
         $("success-tx-summary").textContent = d.amount + " " + d.symbol;
         $("success-tx-to").innerHTML = toAddressHtml(d.to);
+    }
+
     $("success-tx-block").textContent = String(d.blockNumber);
     $("success-tx-hash").innerHTML = txHashHtml(d.hash);
 
     // Show decoded calldata details if present
     const decodedEl = $("success-tx-decoded");
-    if (decodedEl && d.decoded) {
+    if (decodedEl && hasDecoded) {
         decodedEl.innerHTML = decodedDetailsHtml(d.decoded);
         decodedEl.classList.remove("hidden");
     } else if (decodedEl) {

src/shared/transactions.js

@@ -251,4 +251,40 @@ function filterTransactions(txs, filters = {}) {
     return { transactions: filtered, newFraudContracts: newFraud };
 }
 
-module.exports = { fetchRecentTransactions, filterTransactions };
+/**
+ * Check whether an address has any on-chain transaction history.
+ * Returns true if the address has zero normal transactions AND zero
+ * token transfers on the configured Blockscout instance.
+ * Returns false on network errors (fail-open: don't block sends).
+ */
+async function hasZeroTransactionHistory(address, blockscoutUrl) {
+    try {
+        const resp = await debugFetch(
+            blockscoutUrl + "/addresses/" + address + "/transactions?limit=1",
+        );
+        if (!resp.ok) return false;
+        const json = await resp.json();
+        if ((json.items || []).length > 0) return false;
+
+        // Also check token transfers — an address may have only received
+        // ERC-20 tokens without any native ETH transactions.
+        const ttResp = await debugFetch(
+            blockscoutUrl +
+                "/addresses/" +
+                address +
+                "/token-transfers?type=ERC-20&limit=1",
+        );
+        if (!ttResp.ok) return false;
+        const ttJson = await ttResp.json();
+        return (ttJson.items || []).length === 0;
+    } catch (e) {
+        log.errorf("hasZeroTransactionHistory check failed:", e.message);
+        return false;
+    }
+}
+
+module.exports = {
+    fetchRecentTransactions,
+    filterTransactions,
+    hasZeroTransactionHistory,
+};

src/shared/uniswap.js

@@ -445,12 +445,18 @@ function decode(data, toAddress) {
             const maxUint160 = BigInt(
                 "0xffffffffffffffffffffffffffffffffffffffff",
             );
-            const amountStr =
+            const isUnlimited = inputAmount >= maxUint160;
-                inputAmount >= maxUint160
+            const amountRaw = isUnlimited
                 ? "Unlimited"
-                    : formatAmount(inputAmount, inInfo.decimals) +
+                : formatAmount(inputAmount, inInfo.decimals);
-                      (inSymbol ? " " + inSymbol : "");
+            const amountStr = isUnlimited
-            details.push({ label: "Amount", value: amountStr });
+                ? "Unlimited"
+                : amountRaw + (inSymbol ? " " + inSymbol : "");
+            details.push({
+                label: "Amount",
+                value: amountStr,
+                rawValue: amountRaw,
+            });
         }
 
         if (outSymbol) {