feat: show red warning when sending to address with zero tx history

On the confirm-tx screen, asynchronously check the recipient address via Blockscout API. If the address has never sent or received any transactions (normal or ERC-20), display a prominent red warning. Fails open: network errors silently skip the warning to avoid blocking legitimate sends. Closes #82
2026-02-28 15:00:48 -08:00
2 changed files with 43 additions and 47 deletions
--- a/src/popup/views/confirmTx.js
+++ b/src/popup/views/confirmTx.js
@@ -25,7 +25,7 @@ const { decryptWithPassword } = require("../../shared/vault");
 const { formatUsd, getPrice } = require("../../shared/prices");
 const { getProvider } = require("../../shared/balances");
 const { isScamAddress } = require("../../shared/scamlist");
-const { hasTransactionHistory } = require("../../shared/transactions");
+const { hasZeroTransactionHistory } = require("../../shared/transactions");
 const { ERC20_ABI } = require("../../shared/constants");
 const { log } = require("../../shared/log");
 const makeBlockie = require("ethereum-blockies-base64");
@@ -289,28 +289,20 @@ async function estimateGas(txInfo) {
 }

 async function checkRecipientHistory(txInfo) {
-    try {
-        const hasHistory = await hasTransactionHistory(
+    const isNew = await hasZeroTransactionHistory(
        txInfo.to,
        state.blockscoutUrl,
    );
-        if (hasHistory === false) {
+    if (!isNew) return;
+
    const warningsEl = $("confirm-warnings");
-            const warningDiv = document.createElement("div");
-            warningDiv.className =
-                "border border-dashed p-2 mb-1 text-xs font-bold";
-            warningDiv.style.color = "#dc2626";
-            warningDiv.style.borderColor = "#dc2626";
-            warningDiv.textContent =
-                "WARNING: This address has ZERO transaction history on-chain. " +
-                "It has never sent or received any transactions. " +
-                "Double-check the address before sending.";
-            warningsEl.appendChild(warningDiv);
+    const warningHtml =
+        `<div class="border border-red-500 border-dashed p-2 mb-1 text-xs font-bold text-red-500">` +
+        `WARNING: This address has ZERO transaction history. ` +
+        `It has never sent or received any funds. ` +
+        `Double-check the address before sending.</div>`;
+    warningsEl.innerHTML = warningHtml + warningsEl.innerHTML;
    warningsEl.classList.remove("hidden");
-        }
-    } catch (e) {
-        log.errorf("recipient history check failed:", e.message);
-    }
 }

 function init(ctx) {
--- a/src/shared/transactions.js
+++ b/src/shared/transactions.js
@@ -251,36 +251,40 @@ function filterTransactions(txs, filters = {}) {
    return { transactions: filtered, newFraudContracts: newFraud };
 }

-async function hasTransactionHistory(address, blockscoutUrl) {
+/**
+ * Check whether an address has any on-chain transaction history.
+ * Returns true if the address has zero normal transactions AND zero
+ * token transfers on the configured Blockscout instance.
+ * Returns false on network errors (fail-open: don't block sends).
+ */
+async function hasZeroTransactionHistory(address, blockscoutUrl) {
    try {
-        const resp = await debugFetch(blockscoutUrl + "/addresses/" + address);
-        if (!resp.ok) {
-            // If Blockscout returns 404, the address has never been seen on-chain.
-            if (resp.status === 404) return false;
-            log.errorf(
-                "blockscout address check:",
-                resp.status,
-                resp.statusText,
+        const resp = await debugFetch(
+            blockscoutUrl + "/addresses/" + address + "/transactions?limit=1",
        );
-            return null; // unknown
-        }
-        const data = await resp.json();
-        // Blockscout v2 address endpoint returns tx counts.
-        // An address with no history may still exist (e.g. received ETH once
-        // but shows 0 outgoing). We check both transactions_count and
-        // token_transfers_count to be thorough.
-        const txCount =
-            (parseInt(data.transactions_count, 10) || 0) +
-            (parseInt(data.token_transfers_count, 10) || 0);
-        return txCount > 0;
+        if (!resp.ok) return false;
+        const json = await resp.json();
+        if ((json.items || []).length > 0) return false;
+
+        // Also check token transfers — an address may have only received
+        // ERC-20 tokens without any native ETH transactions.
+        const ttResp = await debugFetch(
+            blockscoutUrl +
+                "/addresses/" +
+                address +
+                "/token-transfers?type=ERC-20&limit=1",
+        );
+        if (!ttResp.ok) return false;
+        const ttJson = await ttResp.json();
+        return (ttJson.items || []).length === 0;
    } catch (e) {
-        log.errorf("hasTransactionHistory error:", e.message);
-        return null; // unknown, don't block the user
+        log.errorf("hasZeroTransactionHistory check failed:", e.message);
+        return false;
    }
 }

 module.exports = {
    fetchRecentTransactions,
    filterTransactions,
-    hasTransactionHistory,
+    hasZeroTransactionHistory,
 };