feat: add security alert badges on asset picker#41946
Merged
GeorgeGkas merged 8 commits intoswaps4228-token-warningsfrom Apr 22, 2026
Merged
feat: add security alert badges on asset picker#41946GeorgeGkas merged 8 commits intoswaps4228-token-warningsfrom
GeorgeGkas merged 8 commits intoswaps4228-token-warningsfrom
Conversation
Contributor
✨ Files requiring CODEOWNER review ✨🔄 @MetaMask/swaps-engineers (13 files, +426 -168)
|
Contributor
|
CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes. |
Contributor
Builds ready [32696e9]
⚡ Performance Benchmarks (Total: 🟢 7 pass · 🟡 8 warn · 🔴 0 fail)
Bundle size diffs [🚨 Warning! Bundle size has increased!]
|
Contributor
Builds ready [f7f2d41]
⚡ Performance Benchmarks (Total: 🟢 6 pass · 🟡 8 warn · 🔴 0 fail)
Bundle size diffs [🚨 Warning! Bundle size has increased!]
|
Contributor
infiniteflower
left a comment
infiniteflower
left a comment
There was a problem hiding this comment.
Do we need to handle metrics in this PR for token warnings?
Contributor
Author
|
@infiniteflower no metrics handling are required for this task. |
<!-- Please submit this PR as a draft initially. Do not mark it as "Ready for review" until the template has been completely filled out, and PR status checks have passed at least once. --> ## **Description** This fixes contents overflowing on Settings > Transaction Shield/Claims pages <!-- Write a short description of the changes included in this pull request, also include relevant motivation and context. Have in mind the following questions: 1. What is the reason for the change? 2. What is the improvement/solution? --> ## **Changelog** <!-- If this PR is not End-User-Facing and should not show up in the CHANGELOG, you can choose to either: 1. Write `CHANGELOG entry: null` 2. Label with `no-changelog` If this PR is End-User-Facing, please write a short User-Facing description in the past tense like: `CHANGELOG entry: Added a new tab for users to see their NFTs` `CHANGELOG entry: Fixed a bug that was causing some NFTs to flicker` (This helps the Release Engineer do their job more quickly and accurately) --> CHANGELOG entry: Fix content overflow on Transaction shield pages ## **Related issues** Fixes: ## **Manual testing steps** 1. Login with an account with shield subcscription 2. Go to Menu > Settings > Transaction Shield 3. Make browser height smaller until scroll bar shows up (try scrolling down) 4. Go to Menu > Settings > Transaction Shield > Claims > Submit a claim 5. Try scrolling down ## **Screenshots/Recordings** <!-- If applicable, add screenshots and/or recordings to visualize the before and after of your change. --> ### **Before** https://github.com/user-attachments/assets/f88b6df6-a903-4f04-8029-77675cec0272 <!-- [screenshots/recordings] --> ### **After** https://github.com/user-attachments/assets/a91c6efb-00ba-4543-a9c0-bbc25176b166 <!-- [screenshots/recordings] --> ## **Pre-merge author checklist** - [ ] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Extension Coding Standards](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [ ] I've completed the PR template to the best of my ability - [ ] I’ve included tests if applicable - [ ] I’ve documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [ ] I’ve applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots. <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Low Risk** > UI-only className changes to scrolling/padding with no changes to business logic, data handling, or API behavior. > > **Overview** > Prevents content overflow on Transaction Shield settings screens by making the main page containers vertically scrollable. > > Adds `overflow-y-auto` (and bottom padding) to the root `Box` wrappers in `transaction-shield.tsx`, `manage-shield-plan.tsx` (including its error state), and the Claims `claims-form.tsx` submit page so long content can be scrolled instead of clipping. > > <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit 1382db8. Bugbot is set up for automated code reviews on this repo. Configure [here](https://www.cursor.com/dashboard/bugbot).</sup> <!-- /CURSOR_SUMMARY -->
#41966) <!-- Please submit this PR as a draft initially. Do not mark it as "Ready for review" until the template has been completely filled out, and PR status checks have passed at least once. --> ## **Description** <!-- Write a short description of the changes included in this pull request, also include relevant motivation and context. Have in mind the following questions: 1. What is the reason for the change? 2. What is the improvement/solution? --> Simply moves the backup and sync tab and experimental tab to the settings-v2 folder and removes them from the legacy folder. ## **Changelog** <!-- If this PR is not End-User-Facing and should not show up in the CHANGELOG, you can choose to either: 1. Write `CHANGELOG entry: null` 2. Label with `no-changelog` If this PR is End-User-Facing, please write a short User-Facing description in the past tense like: `CHANGELOG entry: Added a new tab for users to see their NFTs` `CHANGELOG entry: Fixed a bug that was causing some NFTs to flicker` (This helps the Release Engineer do their job more quickly and accurately) --> CHANGELOG entry: null ## **Related issues** Fixes: ## **Manual testing steps** 1. Go to this page... 2. 3. ## **Screenshots/Recordings** <!-- If applicable, add screenshots and/or recordings to visualize the before and after of your change. --> ### **Before** <!-- [screenshots/recordings] --> ### **After** <!-- [screenshots/recordings] --> ## **Pre-merge author checklist** - [ ] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Extension Coding Standards](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [ ] I've completed the PR template to the best of my ability - [ ] I’ve included tests if applicable - [ ] I’ve documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [ ] I’ve applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots. <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Low Risk** > Low risk refactor that primarily changes route wiring and local imports; main risk is broken navigation/lazy-loading if any import paths or registry entries are incorrect. > > **Overview** > Moves the **Backup & Sync** and **Experimental** settings tabs fully into `ui/pages/settings-v2`, updating their internal imports to use the local `settings-v2` `shared`/`types`/`search-config` modules. > > Updates `settings-v2/settings-registry.ts` to lazy-load these tabs from their new `settings-v2` locations (instead of legacy `ui/pages/settings/*`), and adjusts Jest console baselines to track warnings under the new test file paths. > > <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit 00ad86e. Bugbot is set up for automated code reviews on this repo. Configure [here](https://www.cursor.com/dashboard/bugbot).</sup> <!-- /CURSOR_SUMMARY -->
… balance` (#41994) <!-- Please submit this PR as a draft initially. Do not mark it as "Ready for review" until the template has been completely filled out, and PR status checks have passed at least once. --> ## **Description** The test is flaky as sometimes there are 2 requests made to the assets API, leading to a different balance (only Tron token). Now we apply the assets mock always, so we ensure we'll always get the same tokens, no matter if 1 or 2 calls happen. <img width="1069" height="510" alt="image" src="https://github.com/user-attachments/assets/598fe429-bebc-4b82-9d20-3a66cfacf47d" /> Failed test had $1.79 without the rest of tokens loaded: <img width="1152" height="836" alt="image" src="https://github.com/user-attachments/assets/26dfc75e-daec-4b19-aeff-484ba0622f0e" /> Expected: all tokens loaded, so balance is $10.58 <img width="1192" height="917" alt="image" src="https://github.com/user-attachments/assets/39faa494-2077-433e-9a9c-a96b4688e744" /> ## **Changelog** <!-- If this PR is not End-User-Facing and should not show up in the CHANGELOG, you can choose to either: 1. Write `CHANGELOG entry: null` 2. Label with `no-changelog` If this PR is End-User-Facing, please write a short User-Facing description in the past tense like: `CHANGELOG entry: Added a new tab for users to see their NFTs` `CHANGELOG entry: Fixed a bug that was causing some NFTs to flicker` (This helps the Release Engineer do their job more quickly and accurately) --> CHANGELOG entry: ## **Related issues** Fixes: ## **Manual testing steps** 1. Check ci ## **Screenshots/Recordings** <!-- If applicable, add screenshots and/or recordings to visualize the before and after of your change. --> ### **Before** <!-- [screenshots/recordings] --> ### **After** <!-- [screenshots/recordings] --> ## **Pre-merge author checklist** - [x] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Extension Coding Standards](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [x] I've completed the PR template to the best of my ability - [x] I’ve included tests if applicable - [x] I’ve documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [x] I’ve applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots. <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Low Risk** > Low risk because changes are confined to E2E test code and mocks; main impact is potential change in test timing/expectations, not production behavior. > > **Overview** > Fixes Tron E2E balance-test flakiness by making the `GET https://tokens.api.cx.metamask.io/v3/assets` mock in `mockTronAssets` apply to every request (via `.always()`), ensuring consistent token lists even when the app calls the endpoint multiple times. > > Simplifies `NonEvmHomepage.checkPageIsLoaded` by removing an extra delay and a custom polling loop, relying on a direct `waitForSelector` when asserting an `amount`, and updates the Tron USD-balance test comment to reflect the expected aggregated fiat total (`$10.18`). > > <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit 385911e. Bugbot is set up for automated code reviews on this repo. Configure [here](https://www.cursor.com/dashboard/bugbot).</sup> <!-- /CURSOR_SUMMARY -->
Contributor
Builds ready [2921e10]
⚡ Performance Benchmarks (Total: 🟢 7 pass · 🟡 8 warn · 🔴 0 fail)
Bundle size diffs [🚨 Warning! Bundle size has increased!]
|
infiniteflower
approved these changes
Apr 21, 2026
Contributor
Builds ready [91dffab]
⚡ Performance Benchmarks (Total: 🟢 7 pass · 🟡 8 warn · 🔴 0 fail)
Bundle size diffs [🚨 Warning! Bundle size has increased!]
|
|
Contributor
Builds ready [c757780]
⚡ Performance Benchmarks (Total: 🟢 7 pass · 🟡 8 warn · 🔴 0 fail)
Bundle size diffs [🚨 Warning! Bundle size has increased!]
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
6 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
The Bridge token list now surfaces security signals returned by the bridge API for each asset. Previously, the token picker only showed a "verified" badge based on the boolean
isVerifiedfield, and thesecurityDataobject from the API response was not being consumed at all — it was silently dropped intoBridgeTokenbecause the field was never destructured from the payload.Changes:
Schema & types (
tokens.ts) — Added theBridgeAssetSecurityDataTypeenum (Info,Benign,Verified,Warning,Spam,Malicious) and theBridgeAssetSecurityDatasuperstruct schema, intersected intoBridgeAssetV2Schemaso the full security payload is validated and typed end-to-end.Bug fix (
utils.ts→toBridgeToken) —securityDatafrom the API payload was never passed through to the returnedBridgeToken. Fixed by destructuring it frompayloadand usingtokenMetadata?.securityData ?? securityDataso locally-cached metadata can override, but the API value is the default. Also updated theisVerifiedderivation to treatsecurityData.type === VERIFIED(fromtokenMetadata) as truthy.AssetBannercomponent (asset-banner.tsx) — Extracted the badge/tag rendering logic fromBridgeAssetinto a dedicated component with three states:VERIFIED(orisVerified: true) → blue verified iconWARNING/SPAM→ "Suspicious" warning tagMALICIOUS→ "Malicious" error tagINFO,BENIGN, absent) → nothing renderedLocale keys — Added
bridgeSuspiciousandbridgeMalicioustoenanden_GB.Tests — New
asset-banner.test.tsxcovers all banner states directly. Verified-badge tests migrated out ofasset.test.tsx. Newutils.test.tscases cover thesecurityDatapayload passthrough and precedence rules.Changelog
CHANGELOG entry: Tokens in the Bridge asset picker now display a "Suspicious" or "Malicious" warning tag for assets flagged by the bridge API security service.
Related issues
Fixes: https://consensyssoftware.atlassian.net/browse/SWAPS-4371
Manual testing steps
securityData.type: "Verified"should show a blue verified icon, same as before.securityData.type: "Warning"or"Spam", a yellow "Suspicious" tag should appear next to the token symbol.securityData.type: "Malicious", a red "Malicious" tag should appear next to the token symbol.securityData.type: "Info","Benign", or nosecurityDatashould show no badge or tag.isVerified: trueshould always show the verified icon, even ifsecurityDataisWarning,Spam, orMalicious.Screenshots/Recordings
Before
After
Pre-merge author checklist
Pre-merge reviewer checklist
Note
Medium Risk
Changes how bridge tokens are typed and how
isVerified/securityDataare derived, which can affect security signaling in the asset picker UI; impact is limited to presentation and token metadata mapping with good test coverage.Overview
Bridge asset data now preserves and validates API-provided
securityData(newBridgeAssetSecurityDataType+ schema), andtoBridgeTokenpropagates it while treatingsecurityData.type === VERIFIEDas verified.The asset picker UI replaces the inline verified icon with a new
AssetBannerthat shows a verified badge, Suspicious tag (Warning/Spam), or Malicious tag, backed by new locale strings and updated/added tests and snapshots.Reviewed by Cursor Bugbot for commit c757780. Bugbot is set up for automated code reviews on this repo. Configure here.