Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit 551ed17.
packages/transaction-pay-controller/src/utils/source-amounts.ts
| * Default interval for re-scanning stored SPL (`token:`) assets with Blockaid. | ||
| * Once per day limits API load while still catching tokens reclassified after add. | ||
| */ | ||
| const DEFAULT_BLOCKAID_TOKEN_RESCAN_INTERVAL_MS = 24 * 60 * 60 * 1000; |
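Review bot: The doc comment on DEFAULT_BLOCKAID_TOKEN_RESCAN_INTERVAL_MS justifies the 24-hour value by API load but does not state the consequence: a stored token that is reclassified as malicious can stay visible for up to one full interval before the next re-scan catches it. Suggest saying so in the comment, so anyone changing the default sees the exposure window being traded against request volume.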
I think doing once a day is reasonable, unless anyone disagrees. More than that, I believe, would be a bit overkill.
|
|
||
| // TODO: make this controller extends StaticIntervalPollingController and update all assetsMetadata once a day. | ||
| /** Phishing API allows at most this many token addresses per bulk scan request. */ | ||
| const BLOCKAID_BULK_TOKEN_SCAN_BATCH_SIZE = 100; |
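Review bot: BLOCKAID_BULK_TOKEN_SCAN_BATCH_SIZE restates a limit that, per its own doc comment, belongs to the Phishing API, so the two values can drift apart if that limit ever changes. Suggest importing the limit from the package that enforces it, or naming that source in the comment. The TODO above it also reads "make this controller extends"; if the TODO stays, it should read "extend".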
Is this because of the DynamoDB limit?
The bulkScanTokens in core already has a hardcoded limit of 100, so I think it makes sense for this to not send anything more than that.
| try { | ||
| return parseCaipAssetType(asset).assetNamespace === 'token'; | ||
| } catch { | ||
| return false; |
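Review bot: The bare catch returns false for an asset ID that parseCaipAssetType cannot parse, which is the same answer a well-formed non-token asset gets. If callers use this predicate to decide which assets are sent for scanning, a malformed ID would skip the scan rather than be dropped; check the call sites and consider treating a parse failure as its own case.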
Can we log the error here? This should never throw in theory.
| return keptTokenAssets.has(asset); | ||
| } | ||
| } catch { | ||
| return false; |
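Review bot: The catch at the end of this hunk returns the same false that keptTokenAssets.has(asset) gives for an asset that was not kept, so a thrown exception and a scan outcome look identical to the caller. Returning false on error is the conservative choice here, but bind the error (catch (error)) and record the asset ID with it, so that an asset excluded because of an exception can be told apart from one excluded by scan results.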
Same here: in theory this should never throw and the try/catch is not needed, but let's just log it.

Explanation
Tightens Blockaid bulk token scanning for auto-detected multichain `token:` assets and adds a periodic re-scan so holdings that later flip to malicious can be dropped without relying on a one-time scan at add time.
Note
Medium Risk
Changes token auto-detection behavior to require successful Blockaid scan results and introduces periodic polling that can remove previously stored tokens, which may affect asset visibility and relies on external scan availability.
Overview
Adds a periodic Blockaid re-scan to `MultichainAssetsController` (now a `StaticIntervalPollingController`) to re-evaluate stored SPL-style `token:` assets and automatically ignore/remove any that later become malicious; interval is configurable via `blockaidTokenRescanInterval` and can be disabled.

Tightens Blockaid filtering for newly auto-detected `token:` assets to fail closed: tokens are only added when `PhishingController:bulkScanTokens` returns an explicit non-malicious result, and tokens are dropped when scans error, return empty, omit an address, or when a batch fails.

Updates tests to cover the new fail-closed semantics, batching behavior, and periodic rescan scenarios, and documents the behavior in the package changelog (also removes prior eslint suppression entries for this controller).
Reviewed by Cursor Bugbot for commit 07b8cfa. Bugbot is set up for automated code reviews on this repo.
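The fail-closed filtering and batching described in the overview, as an added example that is not code from this PR. `filterFailClosed`, `Scanner`, the `verdict` field and the synchronous scanner are assumptions made for illustration; the real `bulkScanTokens` call and its response shape are not shown on this page.

```typescript
// Added example; all names and the response shape are hypothetical.
type Verdict = 'benign' | 'warning' | 'malicious';
type ScanResponse = { [address: string]: { verdict: Verdict } };
type Scanner = (addresses: string[]) => ScanResponse | undefined;

const SCAN_BATCH_SIZE = 100; // per-request cap discussed in the review thread

// Returns only addresses with an explicit benign verdict. A thrown error,
// an empty or missing response, or an omitted address all drop the token.
function filterFailClosed(
  addresses: string[],
  scan: Scanner,
  batchSize: number = SCAN_BATCH_SIZE,
): string[] {
  const kept: string[] = [];
  for (let i = 0; i < addresses.length; i += batchSize) {
    const batch = addresses.slice(i, i + batchSize);
    let response: ScanResponse;
    try {
      response = scan(batch) ?? {};
    } catch (error) {
      // A failed batch drops only its own tokens; later batches still run.
      console.warn(`scan failed, dropping ${batch.length} token(s)`, error);
      continue;
    }
    for (const address of batch) {
      // Own-property lookup so an omitted address never matches an inherited key.
      const hasEntry = Object.prototype.hasOwnProperty.call(response, address);
      if (hasEntry && response[address]?.verdict === 'benign') kept.push(address);
    }
  }
  return kept;
}

// Constructed sample: with batchSize 2 the batches are [A,B] [C,D] [E,F] [G].
const SAMPLE_VERDICTS: ScanResponse = {
  A: { verdict: 'benign' },
  B: { verdict: 'malicious' },
  E: { verdict: 'benign' }, // F and G are omitted by the scanner
};
const sampleScanner: Scanner = (batch) => {
  if (batch.indexOf('C') !== -1) throw new Error('simulated scan outage');
  const out: ScanResponse = {};
  for (const a of batch) if (SAMPLE_VERDICTS[a]) out[a] = SAMPLE_VERDICTS[a];
  return out;
};
const sampleKept = filterFailClosed(['A', 'B', 'C', 'D', 'E', 'F', 'G'], sampleScanner, 2);
console.log(sampleKept); // ['A', 'E']
```

Only A and E survive: B is malicious, the C/D batch throws, F is omitted from its response, and G's response is empty.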