refactor: vendor phishing blocklist, delta-only memory model

- Vendor community-maintained phishing domain blocklist into
  src/shared/phishingBlocklist.json (bundled at build time by esbuild)
- Refactor phishingDomains.js: build vendored Sets at module load,
  fetch live list periodically, keep only delta (new entries not in
  vendored) in memory for small runtime footprint
- Domain checker checks delta first (fresh scam sites), then vendored
- Persist delta to localStorage if under 256 KiB
- Load delta from localStorage on startup for instant coverage
- Add startPeriodicRefresh() with 24h setInterval in background script
- Remove dead code: popup's local isPhishingDomain() re-check was inert
  (popup never called updatePhishingList so its blacklistSet was always
  empty); now relies solely on background's authoritative flag
- Remove all competitor name mentions from UI warning text and comments
- Update README: document phishing domain protection architecture,
  update external services list
- Update tests: cover vendored blocklist loading, delta computation,
  localStorage persistence, delta+vendored interaction

Closes #114

README.md

@@ -15,10 +15,12 @@ Hence, a minimally viable ERC20 browser wallet/signer that works cross-platform.
 Everything you need, nothing you don't. We import as few libraries as possible,
 don't implement any crypto, and don't send user-specific data anywhere but a
 (user-configurable) Ethereum RPC endpoint (which defaults to a public node). The
-extension contacts exactly three external services: the configured RPC node for
+extension contacts three user-configurable services: the configured RPC node for
 blockchain interactions, a public CoinDesk API (no API key) for realtime price
 information, and a Blockscout block-explorer API for transaction history and
-token balances. All three endpoints are user-configurable.
+token balances. It also fetches a community-maintained phishing domain blocklist
+periodically and performs best-effort Etherscan address label lookups during
+transaction confirmation.
 
 In the extension is a hardcoded list of the top ERC20 contract addresses. You
 can add any ERC20 contract by contract address if you wish, but the hardcoded
@@ -576,14 +578,25 @@ What the extension does NOT do:
 
 - No analytics or telemetry services
 - No token list APIs (user adds tokens manually by contract address)
-- No phishing/blocklist APIs
 - No Infura/Alchemy dependency (any JSON-RPC endpoint works)
 - No backend servers operated by the developer
 
-These three services (RPC endpoint, CoinDesk price API, and Blockscout API) are
-the only external services. All three endpoints are user-configurable. Users who
-want maximum privacy can point the RPC and Blockscout URLs at their own
-self-hosted instances (price fetching can be disabled in a future version).
+In addition to the three user-configurable services above (RPC endpoint,
+CoinDesk price API, and Blockscout API), AutistMask also contacts:
+
+- **Phishing domain blocklist**: A community-maintained phishing domain
+  blocklist is vendored into the extension at build time. At runtime, the
+  extension fetches the live list once every 24 hours to detect newly added
+  domains. Only the delta (domains not already in the vendored list) is kept in
+  memory, keeping runtime memory usage small. The delta is persisted to
+  localStorage if it is under 256 KiB.
+- **Etherscan address labels**: When confirming a transaction, the extension
+  performs a best-effort lookup of the recipient address on Etherscan to check
+  for phishing/scam labels. This is a direct page fetch with no API key; the
+  user's browser makes the request.
+
+Users who want maximum privacy can point the RPC and Blockscout URLs at their
+own self-hosted instances (price fetching can be disabled in a future version).
 
 ### Dependencies
 
@@ -773,6 +786,22 @@ indexes it as a real token transfer.
   designed as a sharp tool — users who understand the risks can configure the
   wallet to show everything unfiltered, unix-style.
 
+#### Phishing Domain Protection
+
+AutistMask protects users from known phishing sites when they connect their
+wallet or approve transactions/signatures. A community-maintained domain
+blocklist is vendored into the extension at build time, providing immediate
+protection without any network requests. At runtime, the extension fetches the
+live list once every 24 hours and keeps only the delta (newly added domains not
+in the vendored list) in memory. This architecture keeps runtime memory usage
+small while ensuring fresh coverage of new phishing domains.
+
+When a dApp on a blocklisted domain requests a wallet connection, transaction
+approval, or signature, the approval popup displays a prominent red warning
+banner alerting the user. The domain checker matches exact hostnames and all
+parent domains (subdomain matching), with whitelist overrides for legitimate
+sites that share a parent domain with a blocklisted entry.
+
 #### Transaction Decoding
 
 When a dApp asks the user to approve a transaction, AutistMask attempts to

src/background/index.js

@@ -12,6 +12,11 @@ const { refreshBalances, getProvider } = require("../shared/balances");
 const { debugFetch } = require("../shared/log");
 const { decryptWithPassword } = require("../shared/vault");
 const { getSignerForAddress } = require("../shared/wallet");
+const {
+    isPhishingDomain,
+    updatePhishingList,
+    startPeriodicRefresh,
+} = require("../shared/phishingDomains");
 
 const storageApi =
     typeof browser !== "undefined"
@@ -571,6 +576,11 @@ async function backgroundRefresh() {
 
 setInterval(backgroundRefresh, BACKGROUND_REFRESH_INTERVAL);
 
+// Fetch the phishing domain blocklist delta on startup and refresh every 24h.
+// The vendored blocklist is bundled at build time; this fetches only new entries.
+updatePhishingList();
+startPeriodicRefresh();
+
 // When approval window is closed without a response, treat as rejection
 if (windowsApi && windowsApi.onRemoved) {
     windowsApi.onRemoved.addListener((windowId) => {
@@ -643,6 +653,8 @@ runtime.onMessage.addListener((msg, sender, sendResponse) => {
                 resp.type = "sign";
                 resp.signParams = approval.signParams;
             }
+            // Flag if the requesting domain is on the phishing blocklist.
+            resp.isPhishingDomain = isPhishingDomain(approval.hostname);
             sendResponse(resp);
         } else {
             sendResponse(null);

src/popup/index.html

@@ -605,6 +605,43 @@
                         Double-check the address before sending.
                     </div>
                 </div>
+                <div
+                    id="confirm-contract-warning"
+                    class="mb-2"
+                    style="visibility: hidden"
+                >
+                    <div
+                        class="border border-red-500 border-dashed p-2 text-xs font-bold text-red-500"
+                    >
+                        WARNING: The recipient is a smart contract. Sending ETH
+                        or tokens directly to a contract may result in permanent
+                        loss of funds.
+                    </div>
+                </div>
+                <div
+                    id="confirm-burn-warning"
+                    class="mb-2"
+                    style="visibility: hidden"
+                >
+                    <div
+                        class="border border-red-500 border-dashed p-2 text-xs font-bold text-red-500"
+                    >
+                        WARNING: This is a known null/burn address. Funds sent
+                        here are permanently destroyed and cannot be recovered.
+                    </div>
+                </div>
+                <div
+                    id="confirm-etherscan-warning"
+                    class="mb-2"
+                    style="visibility: hidden"
+                >
+                    <div
+                        class="border border-red-500 border-dashed p-2 text-xs font-bold text-red-500"
+                    >
+                        WARNING: Etherscan has flagged this address as
+                        phishing/scam. Do not send funds to this address.
+                    </div>
+                </div>
                 <div
                     id="confirm-errors"
                     class="mb-2 border border-border border-dashed p-2"
@@ -1064,140 +1101,101 @@
                 <h2 id="tx-detail-heading" class="font-bold mb-2">
                     Transaction
                 </h2>
-
-                <!-- ── Identity ── -->
-                <div class="tx-detail-group mb-1">
-                    <div class="mb-3">
-                        <div class="text-xs text-muted mb-1">
-                            Transaction hash
-                        </div>
-                        <div
-                            id="tx-detail-hash"
-                            class="text-xs break-all"
-                        ></div>
-                    </div>
-                    <div id="tx-detail-type-section" class="mb-3 hidden">
-                        <div class="text-xs text-muted mb-1">Type</div>
-                        <div
-                            id="tx-detail-type"
-                            class="text-xs font-bold"
-                        ></div>
-                    </div>
-                    <div class="mb-3">
-                        <div class="text-xs text-muted mb-1">Status</div>
-                        <div id="tx-detail-status" class="text-xs"></div>
-                    </div>
-                    <div class="mb-1">
-                        <div class="text-xs text-muted mb-1">Time</div>
-                        <div id="tx-detail-time" class="text-xs"></div>
-                    </div>
+                <div id="tx-detail-type-section" class="mb-4 hidden">
+                    <div class="text-xs text-muted mb-1">Type</div>
+                    <div id="tx-detail-type" class="text-xs font-bold"></div>
                 </div>
-
-                <!-- ── Value ── -->
-                <div class="tx-detail-group mb-1">
-                    <div class="mb-3">
-                        <div class="text-xs text-muted mb-1">Amount</div>
-                        <div id="tx-detail-value" class="text-xs"></div>
-                    </div>
-                    <div class="mb-3 hidden">
-                        <div class="text-xs text-muted mb-1">
-                            Native quantity
-                        </div>
-                        <div id="tx-detail-native" class="text-xs"></div>
-                    </div>
+                <div class="mb-4">
+                    <div class="text-xs text-muted mb-1">Status</div>
+                    <div id="tx-detail-status" class="text-xs"></div>
+                </div>
+                <div class="mb-4">
+                    <div class="text-xs text-muted mb-1">Time</div>
+                    <div id="tx-detail-time" class="text-xs"></div>
+                </div>
+                <div class="mb-4">
+                    <div class="text-xs text-muted mb-1">Amount</div>
+                    <div id="tx-detail-value" class="text-xs"></div>
+                </div>
+                <div class="mb-4 hidden">
+                    <div class="text-xs text-muted mb-1">Native quantity</div>
+                    <div id="tx-detail-native" class="text-xs"></div>
+                </div>
+                <div class="mb-4">
+                    <div class="text-xs text-muted mb-1">From</div>
+                    <div id="tx-detail-from" class="text-xs break-all"></div>
+                </div>
+                <div class="mb-4">
+                    <div class="text-xs text-muted mb-1">To</div>
+                    <div id="tx-detail-to" class="text-xs break-all"></div>
+                </div>
+                <div id="tx-detail-token-contract-section" class="mb-4 hidden">
+                    <div class="text-xs text-muted mb-1">Token contract</div>
                     <div
-                        id="tx-detail-token-contract-section"
-                        class="mb-1 hidden"
+                        id="tx-detail-token-contract"
+                        class="text-xs break-all"
+                    ></div>
+                </div>
+                <div id="tx-detail-calldata-section" class="mb-4 hidden">
+                    <div
+                        id="tx-detail-calldata-well"
+                        class="mb-3 border border-border border-dashed p-2"
                     >
-                        <div class="text-xs text-muted mb-1">
-                            Token contract
-                        </div>
+                        <div class="text-xs text-muted mb-1">Action</div>
                         <div
-                            id="tx-detail-token-contract"
-                            class="text-xs break-all"
+                            id="tx-detail-calldata-action"
+                            class="text-xs font-bold mb-2"
+                        ></div>
+                        <div
+                            id="tx-detail-calldata-details"
+                            class="text-xs"
                         ></div>
                     </div>
                 </div>
-
-                <!-- ── Parties ── -->
-                <div class="tx-detail-group mb-1">
-                    <div class="mb-3">
-                        <div class="text-xs text-muted mb-1">From</div>
-                        <div
-                            id="tx-detail-from"
-                            class="text-xs break-all"
-                        ></div>
-                    </div>
-                    <div class="mb-1">
-                        <div class="text-xs text-muted mb-1">To</div>
-                        <div id="tx-detail-to" class="text-xs break-all"></div>
-                    </div>
+                <div class="mb-4">
+                    <div class="text-xs text-muted mb-1">Transaction hash</div>
+                    <div id="tx-detail-hash" class="text-xs break-all"></div>
                 </div>
-
-                <!-- ── Protocol ── -->
-                <div id="tx-detail-calldata-section" class="mb-1 hidden">
-                    <div class="tx-detail-group mb-1">
-                        <div
-                            id="tx-detail-calldata-well"
-                            class="border border-border border-dashed p-2"
-                        >
-                            <div class="text-xs text-muted mb-1">Action</div>
-                            <div
-                                id="tx-detail-calldata-action"
-                                class="text-xs font-bold mb-2"
-                            ></div>
-                            <div
-                                id="tx-detail-calldata-details"
-                                class="text-xs"
-                            ></div>
-                        </div>
-                    </div>
+                <div id="tx-detail-block-section" class="mb-4 hidden">
+                    <div class="text-xs text-muted mb-1">Block</div>
+                    <div id="tx-detail-block" class="text-xs"></div>
                 </div>
-
-                <!-- ── On-chain details ── -->
-                <div
-                    id="tx-detail-onchain-group"
-                    class="tx-detail-group mb-1 hidden"
-                >
-                    <div id="tx-detail-block-section" class="mb-3 hidden">
-                        <div class="text-xs text-muted mb-1">Block</div>
-                        <div id="tx-detail-block" class="text-xs"></div>
-                    </div>
-                    <div id="tx-detail-nonce-section" class="mb-3 hidden">
-                        <div class="text-xs text-muted mb-1">Nonce</div>
-                        <div id="tx-detail-nonce" class="text-xs"></div>
-                    </div>
-                    <div id="tx-detail-fee-section" class="mb-3 hidden">
-                        <div class="text-xs text-muted mb-1">
-                            Transaction fee
-                        </div>
-                        <div id="tx-detail-fee" class="text-xs"></div>
-                    </div>
-                    <div id="tx-detail-gasprice-section" class="mb-3 hidden">
-                        <div class="text-xs text-muted mb-1">Gas price</div>
-                        <div id="tx-detail-gasprice" class="text-xs"></div>
-                    </div>
-                    <div id="tx-detail-gasused-section" class="mb-1 hidden">
-                        <div class="text-xs text-muted mb-1">Gas used</div>
-                        <div id="tx-detail-gasused" class="text-xs"></div>
-                    </div>
+                <div id="tx-detail-nonce-section" class="mb-4 hidden">
+                    <div class="text-xs text-muted mb-1">Nonce</div>
+                    <div id="tx-detail-nonce" class="text-xs"></div>
+                </div>
+                <div id="tx-detail-fee-section" class="mb-4 hidden">
+                    <div class="text-xs text-muted mb-1">Transaction fee</div>
+                    <div id="tx-detail-fee" class="text-xs"></div>
+                </div>
+                <div id="tx-detail-gasprice-section" class="mb-4 hidden">
+                    <div class="text-xs text-muted mb-1">Gas price</div>
+                    <div id="tx-detail-gasprice" class="text-xs"></div>
+                </div>
+                <div id="tx-detail-gasused-section" class="mb-4 hidden">
+                    <div class="text-xs text-muted mb-1">Gas used</div>
+                    <div id="tx-detail-gasused" class="text-xs"></div>
                 </div>
-
-                <!-- ── Raw data ── -->
                 <div id="tx-detail-rawdata-section" class="mb-4 hidden">
-                    <div class="tx-detail-group">
-                        <div class="text-xs text-muted mb-1">Raw data</div>
-                        <div
-                            id="tx-detail-rawdata"
-                            class="text-xs break-all font-mono border border-border border-dashed p-2"
-                        ></div>
-                    </div>
+                    <div class="text-xs text-muted mb-1">Raw data</div>
+                    <div
+                        id="tx-detail-rawdata"
+                        class="text-xs break-all font-mono border border-border border-dashed p-2"
+                    ></div>
                 </div>
             </div>
 
             <!-- ============ TRANSACTION APPROVAL ============ -->
             <div id="view-approve-tx" class="view hidden">
                 <h2 class="font-bold mb-2">Transaction Request</h2>
+                <div
+                    id="approve-tx-phishing-warning"
+                    class="mb-3 p-2 text-xs font-bold hidden bg-red-100 text-red-800 border-2 border-red-600 rounded-md"
+                >
+                    ⚠️ PHISHING WARNING: This site is on a known phishing
+                    blocklist. This transaction may steal your funds. Proceed
+                    with extreme caution.
+                </div>
                 <p class="mb-2">
                     <span id="approve-tx-hostname" class="font-bold"></span>
                     wants to send a transaction.
@@ -1264,6 +1262,14 @@
             <!-- ============ SIGNATURE APPROVAL ============ -->
             <div id="view-approve-sign" class="view hidden">
                 <h2 class="font-bold mb-2">Signature Request</h2>
+                <div
+                    id="approve-sign-phishing-warning"
+                    class="mb-3 p-2 text-xs font-bold hidden bg-red-100 text-red-800 border-2 border-red-600 rounded-md"
+                >
+                    ⚠️ PHISHING WARNING: This site is on a known phishing
+                    blocklist. Signing this message may authorize theft of your
+                    funds. Proceed with extreme caution.
+                </div>
                 <p class="mb-2">
                     <span id="approve-sign-hostname" class="font-bold"></span>
                     wants you to sign a message.
@@ -1333,6 +1339,14 @@
             <!-- ============ SITE APPROVAL ============ -->
             <div id="view-approve-site" class="view hidden">
                 <h2 class="font-bold mb-2">Connection Request</h2>
+                <div
+                    id="approve-site-phishing-warning"
+                    class="mb-3 p-2 text-xs font-bold hidden bg-red-100 text-red-800 border-2 border-red-600 rounded-md"
+                >
+                    ⚠️ PHISHING WARNING: This site is on a known phishing
+                    blocklist. Connecting your wallet may result in loss of
+                    funds. Proceed with extreme caution.
+                </div>
                 <div class="mb-3">
                     <p class="mb-2">
                         <span id="approve-hostname" class="font-bold"></span>

src/popup/styles/main.css

@@ -44,11 +44,3 @@ body {
         background-color 225ms ease-out,
         color 225ms ease-out;
 }
-
-/* Transaction detail view — visual grouping of related fields */
-.tx-detail-group {
-    border-bottom: 1px solid var(--color-border-light);
-    padding-bottom: 0.5rem;
-    margin-bottom: 0.5rem;
-    padding-top: 0.25rem;
-}

src/popup/views/approval.js

@@ -13,7 +13,6 @@ const { ERC20_ABI } = require("../../shared/constants");
 const { TOKEN_BY_ADDRESS } = require("../../shared/tokenList");
 const txStatus = require("./txStatus");
 const uniswap = require("../../shared/uniswap");
-
 const runtime =
     typeof browser !== "undefined" ? browser.runtime : chrome.runtime;
 
@@ -155,7 +154,24 @@ function decodeCalldata(data, toAddress) {
     return null;
 }
 
+function showPhishingWarning(elementId, isPhishing) {
+    const el = $(elementId);
+    if (!el) return;
+    // The background script performs the authoritative phishing domain check
+    // and passes the result via the isPhishingDomain flag.
+    if (isPhishing) {
+        el.classList.remove("hidden");
+    } else {
+        el.classList.add("hidden");
+    }
+}
+
 function showTxApproval(details) {
+    showPhishingWarning(
+        "approve-tx-phishing-warning",
+        details.isPhishingDomain,
+    );
+
     const toAddr = details.txParams.to;
     const token = toAddr ? TOKEN_BY_ADDRESS.get(toAddr.toLowerCase()) : null;
     const ethValue = formatEther(details.txParams.value || "0");
@@ -323,6 +339,11 @@ function formatTypedDataHtml(jsonStr) {
 }
 
 function showSignApproval(details) {
+    showPhishingWarning(
+        "approve-sign-phishing-warning",
+        details.isPhishingDomain,
+    );
+
     const sp = details.signParams;
 
     $("approve-sign-hostname").textContent = details.hostname;
@@ -382,6 +403,11 @@ function show(id) {
             showSignApproval(details);
             return;
         }
+        // Site connection approval
+        showPhishingWarning(
+            "approve-site-phishing-warning",
+            details.isPhishingDomain,
+        );
         $("approve-hostname").textContent = details.hostname;
         $("approve-address").innerHTML = approvalAddressHtml(
             state.activeAddress,

src/popup/views/confirmTx.js

@@ -25,8 +25,11 @@ const { getSignerForAddress } = require("../../shared/wallet");
 const { decryptWithPassword } = require("../../shared/vault");
 const { formatUsd, getPrice } = require("../../shared/prices");
 const { getProvider } = require("../../shared/balances");
-const { isScamAddress } = require("../../shared/scamlist");
-const { ERC20_ABI } = require("../../shared/constants");
+const {
+    getLocalWarnings,
+    getFullWarnings,
+} = require("../../shared/addressWarnings");
+const { ERC20_ABI, isBurnAddress } = require("../../shared/constants");
 const { log } = require("../../shared/log");
 const makeBlockie = require("ethereum-blockies-base64");
 const txStatus = require("./txStatus");
@@ -167,23 +170,17 @@ function show(txInfo) {
         $("confirm-balance").textContent = valueWithUsd(bal + " ETH", balUsd);
     }
 
-    // Check for warnings
-    const warnings = [];
-    if (isScamAddress(txInfo.to)) {
-        warnings.push(
-            "This address is on a known scam/fraud list. Do not send funds to this address.",
-        );
-    }
-    if (txInfo.to.toLowerCase() === txInfo.from.toLowerCase()) {
-        warnings.push("You are sending to your own address.");
-    }
+    // Check for warnings (synchronous local checks)
+    const localWarnings = getLocalWarnings(txInfo.to, {
+        fromAddress: txInfo.from,
+    });
 
     const warningsEl = $("confirm-warnings");
-    if (warnings.length > 0) {
-        warningsEl.innerHTML = warnings
+    if (localWarnings.length > 0) {
+        warningsEl.innerHTML = localWarnings
             .map(
                 (w) =>
-                    `<div class="border border-border border-dashed p-2 mb-1 text-xs font-bold">WARNING: ${w}</div>`,
+                    `<div class="border border-border border-dashed p-2 mb-1 text-xs font-bold">WARNING: ${w.message}</div>`,
             )
             .join("");
         warningsEl.style.visibility = "visible";
@@ -247,8 +244,16 @@ function show(txInfo) {
     state.viewData = { pendingTx: txInfo };
     showView("confirm-tx");
 
-    // Reset recipient warning to hidden (space always reserved, no layout shift)
+    // Reset async warnings to hidden (space always reserved, no layout shift)
     $("confirm-recipient-warning").style.visibility = "hidden";
+    $("confirm-contract-warning").style.visibility = "hidden";
+    $("confirm-burn-warning").style.visibility = "hidden";
+    $("confirm-etherscan-warning").style.visibility = "hidden";
+
+    // Show burn warning via reserved element (in addition to inline warning)
+    if (isBurnAddress(txInfo.to)) {
+        $("confirm-burn-warning").style.visibility = "visible";
+    }
 
     estimateGas(txInfo);
     checkRecipientHistory(txInfo);
@@ -295,19 +300,21 @@ async function estimateGas(txInfo) {
 }
 
 async function checkRecipientHistory(txInfo) {
-    const el = $("confirm-recipient-warning");
     try {
         const provider = getProvider(state.rpcUrl);
-        // Skip warning for contract addresses — they may legitimately
-        // have zero outgoing transactions (getTransactionCount returns
-        // the nonce, i.e. sent-tx count only).
-        const code = await provider.getCode(txInfo.to);
-        if (code && code !== "0x") {
-            return;
-        }
-        const txCount = await provider.getTransactionCount(txInfo.to);
-        if (txCount === 0) {
-            el.style.visibility = "visible";
+        const asyncWarnings = await getFullWarnings(txInfo.to, provider, {
+            fromAddress: txInfo.from,
+        });
+        for (const w of asyncWarnings) {
+            if (w.type === "contract") {
+                $("confirm-contract-warning").style.visibility = "visible";
+            }
+            if (w.type === "new-address") {
+                $("confirm-recipient-warning").style.visibility = "visible";
+            }
+            if (w.type === "etherscan-phishing") {
+                $("confirm-etherscan-warning").style.visibility = "visible";
+            }
         }
     } catch (e) {
         log.errorf("recipient history check failed:", e.message);

src/popup/views/transactionDetail.js

@@ -190,9 +190,7 @@ function render() {
     const rawDataSection = $("tx-detail-rawdata-section");
     if (rawDataSection) rawDataSection.classList.add("hidden");
 
-    // Hide on-chain detail sections (and their group wrapper) until populated
-    const onchainGroup = $("tx-detail-onchain-group");
-    if (onchainGroup) onchainGroup.classList.add("hidden");
+    // Hide on-chain detail sections until populated
     for (const id of [
         "tx-detail-block-section",
         "tx-detail-nonce-section",
@@ -287,24 +285,6 @@ function populateOnChainDetails(txData) {
         );
     }
 
-    // Show the on-chain details group if any child section is visible
-    const onchainGroup = $("tx-detail-onchain-group");
-    if (onchainGroup) {
-        const hasVisible = [
-            "tx-detail-block-section",
-            "tx-detail-nonce-section",
-            "tx-detail-fee-section",
-            "tx-detail-gasprice-section",
-            "tx-detail-gasused-section",
-        ].some((id) => {
-            const el = $(id);
-            return el && !el.classList.contains("hidden");
-        });
-        if (hasVisible) {
-            onchainGroup.classList.remove("hidden");
-        }
-    }
-
     // Bind copy handlers for newly added elements
     for (const id of [
         "tx-detail-block-section",

src/shared/addressWarnings.js

@@ -0,0 +1,114 @@
+// Address warning module.
+// Provides local and async (RPC-based) warning checks for Ethereum addresses.
+// Returns arrays of {type, message, severity} objects.
+
+const { isScamAddress } = require("./scamlist");
+const { isBurnAddress } = require("./constants");
+const { checkEtherscanLabel } = require("./etherscanLabels");
+const { log } = require("./log");
+
+/**
+ * Check an address against local-only lists (scam, burn, self-send).
+ * Synchronous — no network calls.
+ *
+ * @param {string} address - The target address to check.
+ * @param {object} [options] - Optional context.
+ * @param {string} [options.fromAddress] - Sender address (for self-send check).
+ * @returns {Array<{type: string, message: string, severity: string}>}
+ */
+function getLocalWarnings(address, options = {}) {
+    const warnings = [];
+    const addr = address.toLowerCase();
+
+    if (isScamAddress(addr)) {
+        warnings.push({
+            type: "scam",
+            message:
+                "This address is on a known scam/fraud list. Do not send funds to this address.",
+            severity: "critical",
+        });
+    }
+
+    if (isBurnAddress(addr)) {
+        warnings.push({
+            type: "burn",
+            message:
+                "This is a known null/burn address. Funds sent here are permanently destroyed and cannot be recovered.",
+            severity: "critical",
+        });
+    }
+
+    if (options.fromAddress && addr === options.fromAddress.toLowerCase()) {
+        warnings.push({
+            type: "self-send",
+            message: "You are sending to your own address.",
+            severity: "warning",
+        });
+    }
+
+    return warnings;
+}
+
+/**
+ * Check an address against local lists AND via RPC queries.
+ * Async — performs network calls to check contract status and tx history.
+ *
+ * @param {string} address - The target address to check.
+ * @param {object} provider - An ethers.js provider instance.
+ * @param {object} [options] - Optional context.
+ * @param {string} [options.fromAddress] - Sender address (for self-send check).
+ * @returns {Promise<Array<{type: string, message: string, severity: string}>>}
+ */
+async function getFullWarnings(address, provider, options = {}) {
+    const warnings = getLocalWarnings(address, options);
+
+    let isContract = false;
+    try {
+        const code = await provider.getCode(address);
+        if (code && code !== "0x") {
+            isContract = true;
+            warnings.push({
+                type: "contract",
+                message:
+                    "This address is a smart contract, not a regular wallet.",
+                severity: "warning",
+            });
+        }
+    } catch (e) {
+        log.errorf("contract check failed:", e.message);
+    }
+
+    // Skip tx count check for contracts — they may legitimately have
+    // zero inbound EOA transactions.
+    if (!isContract) {
+        try {
+            const txCount = await provider.getTransactionCount(address);
+            if (txCount === 0) {
+                warnings.push({
+                    type: "new-address",
+                    message:
+                        "This address has never sent a transaction. Double-check it is correct.",
+                    severity: "info",
+                });
+            }
+        } catch (e) {
+            log.errorf("tx count check failed:", e.message);
+        }
+    }
+
+    // Etherscan label check (best-effort async — network failures are silent).
+    // Runs for ALL addresses including contracts, since many dangerous
+    // flagged addresses on Etherscan (drainers, phishing contracts) are contracts.
+    try {
+        const etherscanWarning = await checkEtherscanLabel(address);
+        if (etherscanWarning) {
+            warnings.push(etherscanWarning);
+        }
+    } catch (e) {
+        log.errorf("etherscan label check failed:", e.message);
+    }
+
+    return warnings;
+}
+
+module.exports = { getLocalWarnings, getFullWarnings };

src/shared/constants.js

@@ -20,6 +20,19 @@ const ERC20_ABI = [
     "function approve(address spender, uint256 amount) returns (bool)",
 ];
 
+// Known null/burn addresses that permanently destroy funds.
+const BURN_ADDRESSES = new Set([
+    "0x0000000000000000000000000000000000000000",
+    "0x0000000000000000000000000000000000000001",
+    "0x000000000000000000000000000000000000dead",
+    "0xdead000000000000000000000000000000000000",
+    "0x00000000000000000000000000000000deadbeef",
+]);
+
+function isBurnAddress(address) {
+    return BURN_ADDRESSES.has(address.toLowerCase());
+}
+
 module.exports = {
     DEBUG,
     DEBUG_MNEMONIC,
@@ -28,4 +41,6 @@ module.exports = {
     DEFAULT_BLOCKSCOUT_URL,
     BIP44_ETH_PATH,
     ERC20_ABI,
+    BURN_ADDRESSES,
+    isBurnAddress,
 };

src/shared/etherscanLabels.js

@@ -0,0 +1,102 @@
+// Etherscan address label lookup via page scraping.
+// Extension users make the requests directly to Etherscan — no proxy needed.
+// This is a best-effort enrichment: network failures return null silently.
+
+const ETHERSCAN_BASE = "https://etherscan.io/address/";
+
+// Patterns in the page title that indicate a flagged address.
+// Title format: "Fake_Phishing184810 | Address: 0x... | Etherscan"
+const PHISHING_LABEL_PATTERNS = [/^Fake_Phishing/i, /^Phish:/i, /^Exploiter/i];
+
+// Patterns in the page body that indicate a scam/phishing warning.
+const SCAM_BODY_PATTERNS = [
+    /used in a\s+(?:\w+\s+)?phishing scam/i,
+    /used in a\s+(?:\w+\s+)?scam/i,
+    /wallet\s+drainer/i,
+];
+
+/**
+ * Parse the Etherscan address page HTML to extract label info.
+ * Exported for unit testing (no fetch needed).
+ *
+ * @param {string} html - Raw HTML of the Etherscan address page.
+ * @returns {{ label: string|null, isPhishing: boolean, warning: string|null }}
+ */
+function parseEtherscanPage(html) {
+    // Extract <title> content
+    const titleMatch = html.match(/<title[^>]*>([^<]+)<\/title>/i);
+    let label = null;
+    let isPhishing = false;
+    let warning = null;
+
+    if (titleMatch) {
+        const title = titleMatch[1].trim();
+        // Title: "LABEL | Address: 0x... | Etherscan" or "Address: 0x... | Etherscan"
+        const labelMatch = title.match(/^(.+?)\s*\|\s*Address:/);
+        if (labelMatch) {
+            const candidate = labelMatch[1].trim();
+            // Only treat as a label if it's not just "Address" (unlabeled addresses)
+            if (candidate.toLowerCase() !== "address") {
+                label = candidate;
+            }
+        }
+    }
+
+    // Check label against phishing patterns
+    if (label) {
+        for (const pat of PHISHING_LABEL_PATTERNS) {
+            if (pat.test(label)) {
+                isPhishing = true;
+                warning = `Etherscan labels this address as "${label}" (Phish/Hack).`;
+                break;
+            }
+        }
+    }
+
+    // Check page body for scam warning banners
+    if (!isPhishing) {
+        for (const pat of SCAM_BODY_PATTERNS) {
+            if (pat.test(html)) {
+                isPhishing = true;
+                warning = label
+                    ? `Etherscan labels this address as "${label}" and reports it was used in a scam.`
+                    : "Etherscan reports this address was flagged for phishing/scam activity.";
+                break;
+            }
+        }
+    }
+
+    return { label, isPhishing, warning };
+}
+
+/**
+ * Fetch an address page from Etherscan and check for scam/phishing labels.
+ * Returns a warning object if the address is flagged, or null.
+ * Network failures return null silently (best-effort check).
+ *
+ * @param {string} address - Ethereum address to check.
+ * @returns {Promise<{type: string, message: string, severity: string}|null>}
+ */
+async function checkEtherscanLabel(address) {
+    try {
+        const resp = await fetch(ETHERSCAN_BASE + address, {
+            headers: { Accept: "text/html" },
+        });
+        if (!resp.ok) return null;
+        const html = await resp.text();
+        const result = parseEtherscanPage(html);
+        if (result.isPhishing) {
+            return {
+                type: "etherscan-phishing",
+                message: result.warning,
+                severity: "critical",
+            };
+        }
+        return null;
+    } catch {
+        // Network errors are expected — Etherscan may rate-limit or block.
+        return null;
+    }
+}
+
+module.exports = { parseEtherscanPage, checkEtherscanLabel };

src/shared/phishingDomains.js

@@ -0,0 +1,238 @@
+// Domain-based phishing detection using a vendored blocklist with delta updates.
+//
+// A community-maintained phishing domain blocklist is vendored in
+// phishingBlocklist.json and bundled at build time. At runtime, we fetch
+// the live list periodically and keep only the delta (new entries not in
+// the vendored list) in memory. This keeps runtime memory usage small.
+//
+// The domain-checker checks the in-memory delta first (fresh/recent scam
+// sites), then falls back to the vendored list.
+//
+// If the delta is under 256 KiB it is persisted to localStorage so it
+// survives extension/service-worker restarts.
+
+const vendoredConfig = require("./phishingBlocklist.json");
+
+const BLOCKLIST_URL =
+    "https://raw.githubusercontent.com/MetaMask/eth-phishing-detect/main/src/config.json";
+
+const CACHE_TTL_MS = 24 * 60 * 60 * 1000; // 24 hours
+const REFRESH_INTERVAL_MS = 24 * 60 * 60 * 1000; // 24 hours
+const DELTA_STORAGE_KEY = "phishing-delta";
+const MAX_DELTA_BYTES = 256 * 1024; // 256 KiB
+
+// Vendored sets — built once from the bundled JSON.
+const vendoredBlacklist = new Set(
+    (vendoredConfig.blacklist || []).map((d) => d.toLowerCase()),
+);
+const vendoredWhitelist = new Set(
+    (vendoredConfig.whitelist || []).map((d) => d.toLowerCase()),
+);
+
+// Delta sets — only entries from live list that are NOT in vendored.
+let deltaBlacklist = new Set();
+let deltaWhitelist = new Set();
+let lastFetchTime = 0;
+let fetchPromise = null;
+let refreshTimer = null;
+
+/**
+ * Load delta entries from localStorage on startup.
+ * Called once during module initialization in the background script.
+ */
+function loadDeltaFromStorage() {
+    try {
+        const raw = localStorage.getItem(DELTA_STORAGE_KEY);
+        if (!raw) return;
+        const data = JSON.parse(raw);
+        if (data.blacklist && Array.isArray(data.blacklist)) {
+            deltaBlacklist = new Set(
+                data.blacklist.map((d) => d.toLowerCase()),
+            );
+        }
+        if (data.whitelist && Array.isArray(data.whitelist)) {
+            deltaWhitelist = new Set(
+                data.whitelist.map((d) => d.toLowerCase()),
+            );
+        }
+    } catch {
+        // localStorage unavailable or corrupt — start empty
+    }
+}
+
+/**
+ * Persist delta to localStorage if it fits within MAX_DELTA_BYTES.
+ */
+function saveDeltaToStorage() {
+    try {
+        const data = {
+            blacklist: Array.from(deltaBlacklist),
+            whitelist: Array.from(deltaWhitelist),
+        };
+        const json = JSON.stringify(data);
+        if (json.length < MAX_DELTA_BYTES) {
+            localStorage.setItem(DELTA_STORAGE_KEY, json);
+        } else {
+            // Too large — remove stale key if present
+            localStorage.removeItem(DELTA_STORAGE_KEY);
+        }
+    } catch {
+        // localStorage unavailable — skip silently
+    }
+}
+
+/**
+ * Load a pre-parsed config and compute the delta against the vendored list.
+ * Used for both live fetches and testing.
+ *
+ * @param {{ blacklist?: string[], whitelist?: string[] }} config
+ */
+function loadConfig(config) {
+    const liveBlacklist = (config.blacklist || []).map((d) => d.toLowerCase());
+    const liveWhitelist = (config.whitelist || []).map((d) => d.toLowerCase());
+
+    // Delta = entries in the live list that are NOT in the vendored list
+    deltaBlacklist = new Set(
+        liveBlacklist.filter((d) => !vendoredBlacklist.has(d)),
+    );
+    deltaWhitelist = new Set(
+        liveWhitelist.filter((d) => !vendoredWhitelist.has(d)),
+    );
+
+    lastFetchTime = Date.now();
+    saveDeltaToStorage();
+}
+
+/**
+ * Generate hostname variants for subdomain matching.
+ * "sub.evil.com" yields ["sub.evil.com", "evil.com"].
+ *
+ * @param {string} hostname
+ * @returns {string[]}
+ */
+function hostnameVariants(hostname) {
+    const h = hostname.toLowerCase();
+    const variants = [h];
+    const parts = h.split(".");
+    // Parent domains: a.b.c.d -> b.c.d, c.d
+    for (let i = 1; i < parts.length - 1; i++) {
+        variants.push(parts.slice(i).join("."));
+    }
+    return variants;
+}
+
+/**
+ * Check if a hostname is on the phishing blocklist.
+ * Checks delta first (fresh/recent scam sites), then vendored list.
+ * Whitelisted domains (delta + vendored) are never flagged.
+ *
+ * @param {string} hostname - The hostname to check.
+ * @returns {boolean}
+ */
+function isPhishingDomain(hostname) {
+    if (!hostname) return false;
+    const variants = hostnameVariants(hostname);
+
+    // Whitelist takes priority — check delta whitelist first, then vendored
+    for (const v of variants) {
+        if (deltaWhitelist.has(v) || vendoredWhitelist.has(v)) return false;
+    }
+
+    // Check delta blacklist first (fresh/recent scam sites), then vendored
+    for (const v of variants) {
+        if (deltaBlacklist.has(v) || vendoredBlacklist.has(v)) return true;
+    }
+    return false;
+}
+
+/**
+ * Fetch the latest blocklist and compute delta against vendored data.
+ * De-duplicates concurrent fetches. Results are cached for CACHE_TTL_MS.
+ *
+ * @returns {Promise<void>}
+ */
+async function updatePhishingList() {
+    // Skip if recently fetched
+    if (Date.now() - lastFetchTime < CACHE_TTL_MS && lastFetchTime > 0) {
+        return;
+    }
+
+    // De-duplicate concurrent calls
+    if (fetchPromise) return fetchPromise;
+
+    fetchPromise = (async () => {
+        try {
+            const resp = await fetch(BLOCKLIST_URL);
+            if (!resp.ok) throw new Error("HTTP " + resp.status);
+            const config = await resp.json();
+            loadConfig(config);
+        } catch {
+            // Silently fail — vendored list still provides coverage.
+            // We'll retry next time.
+        } finally {
+            fetchPromise = null;
+        }
+    })();
+
+    return fetchPromise;
+}
+
+/**
+ * Start periodic refresh of the phishing list.
+ * Should be called once from the background script on startup.
+ */
+function startPeriodicRefresh() {
+    if (refreshTimer) return;
+    refreshTimer = setInterval(updatePhishingList, REFRESH_INTERVAL_MS);
+}
+
+/**
+ * Return the total blocklist size (vendored + delta) for diagnostics.
+ *
+ * @returns {number}
+ */
+function getBlocklistSize() {
+    return vendoredBlacklist.size + deltaBlacklist.size;
+}
+
+/**
+ * Return the delta blocklist size for diagnostics.
+ *
+ * @returns {number}
+ */
+function getDeltaSize() {
+    return deltaBlacklist.size;
+}
+
+/**
+ * Reset internal state (for testing).
+ */
+function _reset() {
+    deltaBlacklist = new Set();
+    deltaWhitelist = new Set();
+    lastFetchTime = 0;
+    fetchPromise = null;
+    if (refreshTimer) {
+        clearInterval(refreshTimer);
+        refreshTimer = null;
+    }
+}
+
+// Load persisted delta on module initialization
+loadDeltaFromStorage();
+
+module.exports = {
+    isPhishingDomain,
+    updatePhishingList,
+    startPeriodicRefresh,
+    loadConfig,
+    getBlocklistSize,
+    getDeltaSize,
+    hostnameVariants,
+    _reset,
+    // Exposed for testing only
+    _getVendoredBlacklistSize: () => vendoredBlacklist.size,
+    _getVendoredWhitelistSize: () => vendoredWhitelist.size,
+    _getDeltaBlacklist: () => deltaBlacklist,
+    _getDeltaWhitelist: () => deltaWhitelist,
+};

tests/etherscanLabels.test.js

@@ -0,0 +1,100 @@
+const { parseEtherscanPage } = require("../src/shared/etherscanLabels");
+
+describe("etherscanLabels", () => {
+    describe("parseEtherscanPage", () => {
+        test("detects Fake_Phishing label in title", () => {
+            const html = `<html><head><title>Fake_Phishing184810 | Address: 0x00000c07...3ea470000 | Etherscan</title></head><body></body></html>`;
+            const result = parseEtherscanPage(html);
+            expect(result.label).toBe("Fake_Phishing184810");
+            expect(result.isPhishing).toBe(true);
+            expect(result.warning).toContain("Fake_Phishing184810");
+            expect(result.warning).toContain("Phish/Hack");
+        });
+
+        test("detects Fake_Phishing with different number", () => {
+            const html = `<html><head><title>Fake_Phishing5169 | Address: 0x3e0defb8...99a7a8a74 | Etherscan</title></head><body></body></html>`;
+            const result = parseEtherscanPage(html);
+            expect(result.label).toBe("Fake_Phishing5169");
+            expect(result.isPhishing).toBe(true);
+        });
+
+        test("detects Exploiter label", () => {
+            const html = `<html><head><title>Exploiter 42 | Address: 0xabcdef...1234 | Etherscan</title></head><body></body></html>`;
+            const result = parseEtherscanPage(html);
+            expect(result.label).toBe("Exploiter 42");
+            expect(result.isPhishing).toBe(true);
+        });
+
+        test("detects scam warning in body text", () => {
+            const html =
+                `<html><head><title>Address: 0xabcdef...1234 | Etherscan</title></head>` +
+                `<body>There are reports that this address was used in a Phishing scam.</body></html>`;
+            const result = parseEtherscanPage(html);
+            expect(result.label).toBeNull();
+            expect(result.isPhishing).toBe(true);
+            expect(result.warning).toContain("phishing/scam");
+        });
+
+        test("detects scam warning with label in body", () => {
+            const html =
+                `<html><head><title>SomeScammer | Address: 0xabcdef...1234 | Etherscan</title></head>` +
+                `<body>There are reports that this address was used in a scam.</body></html>`;
+            const result = parseEtherscanPage(html);
+            expect(result.label).toBe("SomeScammer");
+            expect(result.isPhishing).toBe(true);
+            expect(result.warning).toContain("SomeScammer");
+        });
+
+        test("returns clean result for legitimate address", () => {
+            const html = `<html><head><title>vitalik.eth | Address: 0xd8dA6BF2...37aA96045 | Etherscan</title></head><body>Overview</body></html>`;
+            const result = parseEtherscanPage(html);
+            expect(result.label).toBe("vitalik.eth");
+            expect(result.isPhishing).toBe(false);
+            expect(result.warning).toBeNull();
+        });
+
+        test("returns clean result for unlabeled address", () => {
+            const html = `<html><head><title>Address: 0x1234567890...abcdef | Etherscan</title></head><body>Overview</body></html>`;
+            const result = parseEtherscanPage(html);
+            expect(result.label).toBeNull();
+            expect(result.isPhishing).toBe(false);
+            expect(result.warning).toBeNull();
+        });
+
+        test("handles exchange labels correctly (not phishing)", () => {
+            const html = `<html><head><title>Coinbase 10 | Address: 0xa9d1e08c...b81d3e43 | Etherscan</title></head><body>Overview</body></html>`;
+            const result = parseEtherscanPage(html);
+            expect(result.label).toBe("Coinbase 10");
+            expect(result.isPhishing).toBe(false);
+        });
+
+        test("handles contract names correctly (not phishing)", () => {
+            const html = `<html><head><title>Beacon Deposit Contract | Address: 0x00000000...03d7705Fa | Etherscan</title></head><body>Overview</body></html>`;
+            const result = parseEtherscanPage(html);
+            expect(result.label).toBe("Beacon Deposit Contract");
+            expect(result.isPhishing).toBe(false);
+        });
+
+        test("handles empty HTML gracefully", () => {
+            const result = parseEtherscanPage("");
+            expect(result.label).toBeNull();
+            expect(result.isPhishing).toBe(false);
+            expect(result.warning).toBeNull();
+        });
+
+        test("handles malformed title tag", () => {
+            const html = `<html><head><title></title></head><body></body></html>`;
+            const result = parseEtherscanPage(html);
+            expect(result.label).toBeNull();
+            expect(result.isPhishing).toBe(false);
+        });
+
+        test("detects wallet drainer warning", () => {
+            const html =
+                `<html><head><title>Address: 0xabc...def | Etherscan</title></head>` +
+                `<body>This is a known wallet drainer contract.</body></html>`;
+            const result = parseEtherscanPage(html);
+            expect(result.isPhishing).toBe(true);
+        });
+    });
+});

tests/phishingDomains.test.js

@@ -0,0 +1,259 @@
+// Provide a localStorage mock for Node.js test environment.
+// Must be set before requiring the module since it calls loadDeltaFromStorage()
+// at module load time.
+const localStorageStore = {};
+global.localStorage = {
+    getItem: (key) =>
+        Object.prototype.hasOwnProperty.call(localStorageStore, key)
+            ? localStorageStore[key]
+            : null,
+    setItem: (key, value) => {
+        localStorageStore[key] = String(value);
+    },
+    removeItem: (key) => {
+        delete localStorageStore[key];
+    },
+};
+
+const {
+    isPhishingDomain,
+    loadConfig,
+    getBlocklistSize,
+    getDeltaSize,
+    hostnameVariants,
+    _reset,
+    _getVendoredBlacklistSize,
+    _getVendoredWhitelistSize,
+    _getDeltaBlacklist,
+    _getDeltaWhitelist,
+} = require("../src/shared/phishingDomains");
+
+// Reset delta state before each test to avoid cross-test contamination.
+// Note: vendored sets are immutable and always present.
+beforeEach(() => {
+    _reset();
+    // Clear localStorage mock between tests
+    for (const key of Object.keys(localStorageStore)) {
+        delete localStorageStore[key];
+    }
+});
+
+describe("phishingDomains", () => {
+    describe("vendored blocklist", () => {
+        test("vendored blacklist is loaded from bundled JSON", () => {
+            // The vendored blocklist should have a large number of entries
+            expect(_getVendoredBlacklistSize()).toBeGreaterThan(100000);
+        });
+
+        test("vendored whitelist is loaded from bundled JSON", () => {
+            expect(_getVendoredWhitelistSize()).toBeGreaterThan(0);
+        });
+
+        test("detects domains from vendored blacklist", () => {
+            // These are well-known phishing domains in the vendored list
+            expect(isPhishingDomain("hopprotocol.pro")).toBe(true);
+            expect(isPhishingDomain("blast-pools.pages.dev")).toBe(true);
+        });
+
+        test("vendored whitelist overrides vendored blacklist", () => {
+            // opensea.pro is whitelisted in the vendored config
+            expect(isPhishingDomain("opensea.pro")).toBe(false);
+        });
+
+        test("getBlocklistSize includes vendored entries", () => {
+            expect(getBlocklistSize()).toBeGreaterThan(100000);
+        });
+    });
+
+    describe("hostnameVariants", () => {
+        test("returns exact hostname plus parent domains", () => {
+            const variants = hostnameVariants("sub.evil.com");
+            expect(variants).toEqual(["sub.evil.com", "evil.com"]);
+        });
+
+        test("returns just the hostname for a bare domain", () => {
+            const variants = hostnameVariants("example.com");
+            expect(variants).toEqual(["example.com"]);
+        });
+
+        test("handles deep subdomain chains", () => {
+            const variants = hostnameVariants("a.b.c.d.com");
+            expect(variants).toEqual([
+                "a.b.c.d.com",
+                "b.c.d.com",
+                "c.d.com",
+                "d.com",
+            ]);
+        });
+
+        test("lowercases hostnames", () => {
+            const variants = hostnameVariants("Evil.COM");
+            expect(variants).toEqual(["evil.com"]);
+        });
+    });
+
+    describe("delta computation via loadConfig", () => {
+        test("loadConfig computes delta of new entries not in vendored list", () => {
+            loadConfig({
+                blacklist: [
+                    "brand-new-scam-site-xyz123.com",
+                    "hopprotocol.pro", // already in vendored
+                ],
+                whitelist: [],
+            });
+            // Only the new domain should be in the delta
+            expect(
+                _getDeltaBlacklist().has("brand-new-scam-site-xyz123.com"),
+            ).toBe(true);
+            expect(_getDeltaBlacklist().has("hopprotocol.pro")).toBe(false);
+            expect(getDeltaSize()).toBe(1);
+        });
+
+        test("delta whitelist entries are computed correctly", () => {
+            loadConfig({
+                blacklist: [],
+                whitelist: [
+                    "new-safe-site-xyz789.com",
+                    "opensea.pro", // already in vendored whitelist
+                ],
+            });
+            expect(_getDeltaWhitelist().has("new-safe-site-xyz789.com")).toBe(
+                true,
+            );
+            expect(_getDeltaWhitelist().has("opensea.pro")).toBe(false);
+        });
+
+        test("re-loading config replaces previous delta", () => {
+            loadConfig({
+                blacklist: ["first-scam-xyz.com"],
+                whitelist: [],
+            });
+            expect(isPhishingDomain("first-scam-xyz.com")).toBe(true);
+
+            loadConfig({
+                blacklist: ["second-scam-xyz.com"],
+                whitelist: [],
+            });
+            expect(isPhishingDomain("first-scam-xyz.com")).toBe(false);
+            expect(isPhishingDomain("second-scam-xyz.com")).toBe(true);
+        });
+
+        test("getBlocklistSize includes both vendored and delta", () => {
+            const baseSize = getBlocklistSize();
+            loadConfig({
+                blacklist: ["delta-only-scam-xyz.com"],
+                whitelist: [],
+            });
+            expect(getBlocklistSize()).toBe(baseSize + 1);
+        });
+    });
+
+    describe("isPhishingDomain with delta + vendored", () => {
+        test("detects domain from delta blacklist", () => {
+            loadConfig({
+                blacklist: ["fresh-scam-xyz.com"],
+                whitelist: [],
+            });
+            expect(isPhishingDomain("fresh-scam-xyz.com")).toBe(true);
+        });
+
+        test("detects domain from vendored blacklist", () => {
+            // No delta loaded — vendored still works
+            expect(isPhishingDomain("hopprotocol.pro")).toBe(true);
+        });
+
+        test("returns false for clean domains", () => {
+            expect(isPhishingDomain("etherscan.io")).toBe(false);
+            expect(isPhishingDomain("example.com")).toBe(false);
+        });
+
+        test("detects subdomain of blacklisted domain (vendored)", () => {
+            expect(isPhishingDomain("app.hopprotocol.pro")).toBe(true);
+        });
+
+        test("detects subdomain of blacklisted domain (delta)", () => {
+            loadConfig({
+                blacklist: ["delta-phish-xyz.com"],
+                whitelist: [],
+            });
+            expect(isPhishingDomain("sub.delta-phish-xyz.com")).toBe(true);
+        });
+
+        test("delta whitelist overrides vendored blacklist", () => {
+            // hopprotocol.pro is in the vendored blacklist
+            expect(isPhishingDomain("hopprotocol.pro")).toBe(true);
+            loadConfig({
+                blacklist: [],
+                whitelist: ["hopprotocol.pro"],
+            });
+            // Now whitelisted via delta — should not be flagged
+            expect(isPhishingDomain("hopprotocol.pro")).toBe(false);
+        });
+
+        test("vendored whitelist overrides delta blacklist", () => {
+            loadConfig({
+                blacklist: ["opensea.pro"], // opensea.pro is vendored-whitelisted
+                whitelist: [],
+            });
+            expect(isPhishingDomain("opensea.pro")).toBe(false);
+        });
+
+        test("case-insensitive matching", () => {
+            loadConfig({
+                blacklist: ["Delta-Scam-XYZ.COM"],
+                whitelist: [],
+            });
+            expect(isPhishingDomain("delta-scam-xyz.com")).toBe(true);
+            expect(isPhishingDomain("DELTA-SCAM-XYZ.COM")).toBe(true);
+        });
+
+        test("returns false for empty/null hostname", () => {
+            expect(isPhishingDomain("")).toBe(false);
+            expect(isPhishingDomain(null)).toBe(false);
+        });
+
+        test("handles config with no blacklist/whitelist keys", () => {
+            loadConfig({});
+            expect(getDeltaSize()).toBe(0);
+            // Vendored list still works
+            expect(isPhishingDomain("hopprotocol.pro")).toBe(true);
+        });
+    });
+
+    describe("localStorage persistence", () => {
+        test("saveDeltaToStorage persists delta under 256KiB", () => {
+            loadConfig({
+                blacklist: ["persisted-scam-xyz.com"],
+                whitelist: ["persisted-safe-xyz.com"],
+            });
+            const stored = localStorage.getItem("phishing-delta");
+            expect(stored).not.toBeNull();
+            const data = JSON.parse(stored);
+            expect(data.blacklist).toContain("persisted-scam-xyz.com");
+            expect(data.whitelist).toContain("persisted-safe-xyz.com");
+        });
+
+        test("delta is cleared on _reset", () => {
+            loadConfig({
+                blacklist: ["temp-scam-xyz.com"],
+                whitelist: [],
+            });
+            expect(getDeltaSize()).toBe(1);
+            _reset();
+            expect(getDeltaSize()).toBe(0);
+        });
+    });
+
+    describe("real-world blocklist patterns", () => {
+        test("detects known phishing domains from vendored list", () => {
+            expect(isPhishingDomain("uniswap-trade.web.app")).toBe(true);
+            expect(isPhishingDomain("hopprotocol.pro")).toBe(true);
+            expect(isPhishingDomain("blast-pools.pages.dev")).toBe(true);
+        });
+
+        test("does not flag legitimate whitelisted domains", () => {
+            expect(isPhishingDomain("opensea.io")).toBe(false);
+            expect(isPhishingDomain("etherscan.io")).toBe(false);
+        });
+    });
+});