feat: warn when sending to address with zero tx history (#82)

On the confirm-tx screen, asynchronously check the recipient address
via Blockscout API. If the address has never sent or received any
transactions, display a prominent red warning banner.

Closes #82

src/popup/views/confirmTx.js

@@ -25,6 +25,7 @@ const { decryptWithPassword } = require("../../shared/vault");
 const { formatUsd, getPrice } = require("../../shared/prices");
 const { getProvider } = require("../../shared/balances");
 const { isScamAddress } = require("../../shared/scamlist");
+const { hasTransactionHistory } = require("../../shared/transactions");
 const { ERC20_ABI } = require("../../shared/constants");
 const { log } = require("../../shared/log");
 const makeBlockie = require("ethereum-blockies-base64");
@@ -86,42 +87,6 @@ function valueWithUsd(text, usdAmount) {
     return text;
 }
 
-function renderWarnings(warnings) {
-    const warningsEl = $("confirm-warnings");
-    if (warnings.length > 0) {
-        warningsEl.innerHTML = warnings
-            .map(
-                (w) =>
-                    `<div class="border border-border border-dashed p-2 mb-1 text-xs font-bold" style="color:#c00">WARNING: ${w}</div>`,
-            )
-            .join("");
-        warningsEl.classList.remove("hidden");
-    } else {
-        warningsEl.classList.add("hidden");
-    }
-}
-
-async function checkAddressHistory(address, existingWarnings) {
-    try {
-        const provider = getProvider(state.rpcUrl);
-        const [balance, txCount] = await Promise.all([
-            provider.getBalance(address),
-            provider.getTransactionCount(address),
-        ]);
-        if (balance === 0n && txCount === 0) {
-            const warnings = existingWarnings.slice();
-            warnings.push(
-                "This address has ZERO transaction history. " +
-                    "It has never sent or received funds. " +
-                    "Double-check that the address is correct before sending.",
-            );
-            renderWarnings(warnings);
-        }
-    } catch (e) {
-        log.errorf("address history check failed:", e.message);
-    }
-}
-
 function show(txInfo) {
     pendingTx = txInfo;
 
@@ -212,10 +177,18 @@ function show(txInfo) {
         warnings.push("You are sending to your own address.");
     }
 
-    renderWarnings(warnings);
+    const warningsEl = $("confirm-warnings");
-
+    if (warnings.length > 0) {
-    // Async check: warn if destination address has zero transaction history
+        warningsEl.innerHTML = warnings
-    checkAddressHistory(txInfo.to, warnings);
+            .map(
+                (w) =>
+                    `<div class="border border-border border-dashed p-2 mb-1 text-xs font-bold">WARNING: ${w}</div>`,
+            )
+            .join("");
+        warningsEl.classList.remove("hidden");
+    } else {
+        warningsEl.classList.add("hidden");
+    }
 
     // Check for errors
     const errors = [];
@@ -272,6 +245,7 @@ function show(txInfo) {
     showView("confirm-tx");
 
     estimateGas(txInfo);
+    checkRecipientHistory(txInfo);
 }
 
 async function estimateGas(txInfo) {
@@ -314,6 +288,31 @@ async function estimateGas(txInfo) {
     }
 }
 
+async function checkRecipientHistory(txInfo) {
+    try {
+        const hasHistory = await hasTransactionHistory(
+            txInfo.to,
+            state.blockscoutUrl,
+        );
+        if (hasHistory === false) {
+            const warningsEl = $("confirm-warnings");
+            const warningDiv = document.createElement("div");
+            warningDiv.className =
+                "border border-dashed p-2 mb-1 text-xs font-bold";
+            warningDiv.style.color = "#dc2626";
+            warningDiv.style.borderColor = "#dc2626";
+            warningDiv.textContent =
+                "WARNING: This address has ZERO transaction history on-chain. " +
+                "It has never sent or received any transactions. " +
+                "Double-check the address before sending.";
+            warningsEl.appendChild(warningDiv);
+            warningsEl.classList.remove("hidden");
+        }
+    } catch (e) {
+        log.errorf("recipient history check failed:", e.message);
+    }
+}
+
 function init(ctx) {
     $("btn-confirm-send").addEventListener("click", async () => {
         const password = $("confirm-tx-password").value;

src/shared/transactions.js

@@ -251,4 +251,36 @@ function filterTransactions(txs, filters = {}) {
     return { transactions: filtered, newFraudContracts: newFraud };
 }
 
-module.exports = { fetchRecentTransactions, filterTransactions };
+async function hasTransactionHistory(address, blockscoutUrl) {
+    try {
+        const resp = await debugFetch(blockscoutUrl + "/addresses/" + address);
+        if (!resp.ok) {
+            // If Blockscout returns 404, the address has never been seen on-chain.
+            if (resp.status === 404) return false;
+            log.errorf(
+                "blockscout address check:",
+                resp.status,
+                resp.statusText,
+            );
+            return null; // unknown
+        }
+        const data = await resp.json();
+        // Blockscout v2 address endpoint returns tx counts.
+        // An address with no history may still exist (e.g. received ETH once
+        // but shows 0 outgoing). We check both transactions_count and
+        // token_transfers_count to be thorough.
+        const txCount =
+            (parseInt(data.transactions_count, 10) || 0) +
+            (parseInt(data.token_transfers_count, 10) || 0);
+        return txCount > 0;
+    } catch (e) {
+        log.errorf("hasTransactionHistory error:", e.message);
+        return null; // unknown, don't block the user
+    }
+}
+
+module.exports = {
+    fetchRecentTransactions,
+    filterTransactions,
+    hasTransactionHistory,
+};