Skip to content

feat: filter malicious non-evm activity transactions#42176

Merged
n3ps merged 2 commits intomainfrom
n3ps/non-evm-spam-filter
Apr 28, 2026
Merged

feat: filter malicious non-evm activity transactions#42176
n3ps merged 2 commits intomainfrom
n3ps/non-evm-spam-filter

Conversation

@n3ps
Copy link
Copy Markdown
Contributor

@n3ps n3ps commented Apr 27, 2026
edited
Loading

Description

Filter non-EVM activity when a token in the transaction is already marked Malicious in tokenScanCache

Changelog

CHANGELOG entry: feat: filter malicious non-evm activity transactions

Related issues

Fixes:

Manual testing steps

Go to this Activity tab of a known account with scam transactions

Screenshots/Recordings

Before

After

Pre-merge author checklist

Pre-merge reviewer checklist

  • I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
  • I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

Note

Medium Risk
Changes which non-EVM transactions are shown by filtering activity based on tokenScanCache trust results, which could unintentionally hide legitimate transactions if scan keys or cache entries are wrong. Scope is limited to UI selectors/rendering and adds test coverage.

Overview
Non-EVM activity rows are now filtered out when any fungible token in the transaction is already marked Malicious in tokenScanCache. ActivityList switches to a new selector (selectNonEvmTransactionsForActivity) so the merged activity feed excludes flagged Solana token movements while leaving native-only and unscanned transactions visible.

This introduces a shared token-scan utility for generating normalized cache keys and extracting token scan keys from non-EVM transaction movements/fees, plus a new selectTokenScanResults selector and exports getTokenScanCache for reuse. Adds unit/integration tests covering key generation, key collection, selector filtering behavior, and ActivityList rendering for malicious vs non-malicious non-EVM transactions.

Reviewed by Cursor Bugbot for commit ecf4d30. Bugbot is set up for automated code reviews on this repo. Configure here.

@n3ps
feat: filter malicious non-evm activity transactions
2614f64 
Co-authored-by: Copilot <copilot@github.com>
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Apr 27, 2026

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

@metamaskbot metamaskbot added the team-core-extension-ux Core Extension UX team label Apr 27, 2026
n3ps
n3ps commented Apr 27, 2026
View reviewed changes
Comment thread ui/helpers/utils/token-cache-utils.ts Outdated
Copy link
Copy Markdown
Contributor Author

@n3ps n3ps Apr 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Renamed to token-scan.ts

@metamaskbotv2
Copy link
Copy Markdown
Contributor

metamaskbotv2 Bot commented Apr 27, 2026

✨ Files requiring CODEOWNER review ✨

👨‍🔧 @MetaMask/core-extension-ux (2 files, +150 -11)
  • 📁 ui/
    • 📁 components/
      • 📁 multichain/
        • 📁 activity-v2/
          • 📄 activity-list.test.tsx +130 -0
          • 📄 activity-list.tsx +20 -11

@n3ps n3ps force-pushed the n3ps/non-evm-spam-filter branch from d680342 to 03683a5 Compare April 27, 2026 19:08
@n3ps n3ps force-pushed the n3ps/non-evm-spam-filter branch from 03683a5 to 108052d Compare April 27, 2026 19:18
@n3ps n3ps marked this pull request as ready for review April 27, 2026 19:23
@n3ps n3ps requested a review from a team as a code owner April 27, 2026 19:23
@n3ps n3ps enabled auto-merge April 27, 2026 19:23
cursor[bot]
cursor Bot reviewed Apr 27, 2026
View reviewed changes
Comment thread ui/selectors/activity.ts
@metamaskbotv2
Copy link
Copy Markdown
Contributor

metamaskbotv2 Bot commented Apr 27, 2026

Builds ready [108052d]
⚡ Performance Benchmarks (Total: 🟢 7 pass · 🟡 8 warn · 🔴 0 fail)

Baseline (latest main): 71bd826 | Date: 10/14/58243 | Pipeline: 25014698954 | Baseline logs

Interaction Benchmarks · Samples: 5
Benchmarkchrome-browserify
loadNewAccount
[Sentry log · main/release]		🟡 [CI log]
confirmTx
[Sentry log · main/release]		🟡 [CI log]
bridgeUserActions
[Sentry log · main/release]		🟡 [CI log]

📈 Results compared to the previous 5 runs on main

  • loadNewAccount/load_new_account: -69%
  • loadNewAccount/total: -69%
  • bridgeUserActions/bridge_load_page: -18%
  • bridgeUserActions/bridge_load_asset_picker: -29%
  • bridgeUserActions/bridge_search_token: -25%
  • bridgeUserActions/total: -27%

🌐 Core Web Vitals — 🟢 good · 🟡 needs improvement · 🔴 poor (web.dev thresholds)

  • 🟡 loadNewAccount/FCP: p75 2.6s
  • 🟡 confirmTx/FCP: p75 2.5s
  • 🟡 bridgeUserActions/FCP: p75 2.6s
Startup Benchmarks · Samples: 100
Benchmarkchrome-browserifychrome-webpackfirefox-browserifyfirefox-webpack
startupStandardHome
[Sentry log · main/release]		🟢 [CI log]🟢 [CI log]🟢 [CI log]🟢 [CI log]

📈 Results compared to the previous 5 runs on main

  • startupStandardHome/uiStartup: -22%
  • startupStandardHome/load: -10%
  • startupStandardHome/domContentLoaded: -13%
  • startupStandardHome/backgroundConnect: +15%
  • startupStandardHome/initialActions: -33%
  • startupStandardHome/loadScripts: -17%
  • startupStandardHome/numNetworkReqs: -37%
  • startupStandardHome/uiStartup: -21%
  • startupStandardHome/load: -16%
  • startupStandardHome/domContentLoaded: -16%
  • startupStandardHome/domInteractive: -13%
  • startupStandardHome/firstPaint: -40%
  • startupStandardHome/backgroundConnect: -36%
  • startupStandardHome/firstReactRender: -27%
  • startupStandardHome/loadScripts: -16%
  • startupStandardHome/setupStore: -13%
  • startupStandardHome/numNetworkReqs: -44%
  • startupStandardHome/uiStartup: -27%
  • startupStandardHome/load: -20%
  • startupStandardHome/domContentLoaded: -21%
  • startupStandardHome/domInteractive: -68%
  • startupStandardHome/firstReactRender: -20%
  • startupStandardHome/initialActions: -33%
  • startupStandardHome/loadScripts: -21%
  • startupStandardHome/setupStore: -32%
  • startupStandardHome/numNetworkReqs: -37%
  • startupStandardHome/uiStartup: -14%
  • startupStandardHome/domInteractive: -44%
  • startupStandardHome/initialActions: +14%
  • startupStandardHome/setupStore: -64%
  • startupStandardHome/numNetworkReqs: -37%
User Journey Benchmarks · Samples: 5 · mock API

📈 Results compared to the previous 5 runs on main

  • onboardingImportWallet/srpButtonToSrpForm: -86%
  • onboardingImportWallet/metricsToWalletReadyScreen: -39%
  • onboardingImportWallet/doneButtonToHomeScreen: -76%
  • onboardingImportWallet/openAccountMenuToAccountListLoaded: +18%
  • onboardingImportWallet/total: -45%
  • onboardingNewWallet/srpButtonToPwForm: -79%
  • onboardingNewWallet/createPwToRecoveryScreen: -11%
  • onboardingNewWallet/skipBackupToMetricsScreen: -70%
  • onboardingNewWallet/agreeButtonToOnboardingSuccess: -28%
  • onboardingNewWallet/doneButtonToAssetList: -31%
  • onboardingNewWallet/total: -31%
  • assetDetails/assetClickToPriceChart: -42%
  • assetDetails/total: -42%
  • solanaAssetDetails/assetClickToPriceChart: -69%
  • solanaAssetDetails/total: -69%
  • importSrpHome/loginToHomeScreen: -12%
  • importSrpHome/openAccountMenuAfterLogin: -56%
  • importSrpHome/homeAfterImportWithNewWallet: -68%
  • importSrpHome/total: -61%
  • sendTransactions/openSendPageFromHome: -12%
  • sendTransactions/selectTokenToSendFormLoaded: -35%
  • sendTransactions/reviewTransactionToConfirmationPage: +35%
  • sendTransactions/total: +32%
  • swap/openSwapPageFromHome: -97%
  • swap/fetchAndDisplaySwapQuotes: +31%
  • swap/total: +10%

🌐 Core Web Vitals — 🟢 good · 🟡 needs improvement · 🔴 poor (web.dev thresholds)

  • 🟡 assetDetails/FCP: p75 2.6s
  • 🟡 solanaAssetDetails/FCP: p75 2.6s
  • 🟡 importSrpHome/FCP: p75 2.5s
  • 🟡 sendTransactions/FCP: p75 2.4s
  • 🟡 swap/FCP: p75 2.4s
Dapp Page Load Benchmarks · Samples: 100
Benchmarkchrome-browserify
dappPageLoad
[Sentry log · main/release]		🟢 [CI log]
Bundle size diffs [🚨 Warning! Bundle size has increased!]
  • background: 924 Bytes (0.02%)
  • ui: -76 Bytes (0%)
  • common: 4.51 KiB (0.04%)

@n3ps n3ps force-pushed the n3ps/non-evm-spam-filter branch from 108052d to 0d0bf6d Compare April 27, 2026 19:53
cursor[bot]
cursor Bot reviewed Apr 27, 2026
View reviewed changes
Copy link
Copy Markdown

@cursor cursor Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit 0d0bf6d. Configure here.

Comment thread ui/selectors/activity.ts Outdated
@metamaskbotv2
Copy link
Copy Markdown
Contributor

metamaskbotv2 Bot commented Apr 27, 2026

Builds ready [0d0bf6d]
⚡ Performance Benchmarks (Total: 🟢 7 pass · 🟡 8 warn · 🔴 0 fail)

Baseline (latest main): 71bd826 | Date: 10/14/58243 | Pipeline: 25016253859 | Baseline logs

Interaction Benchmarks · Samples: 5
Benchmarkchrome-browserify
loadNewAccount
[Sentry log · main/release]		🟡 [CI log]
confirmTx
[Sentry log · main/release]		🟡 [CI log]
bridgeUserActions
[Sentry log · main/release]		🟡 [CI log]

📈 Results compared to the previous 5 runs on main

  • loadNewAccount/load_new_account: -55%
  • loadNewAccount/total: -55%
  • bridgeUserActions/bridge_load_page: -21%
  • bridgeUserActions/bridge_load_asset_picker: -39%
  • bridgeUserActions/bridge_search_token: -27%
  • bridgeUserActions/total: -27%

🌐 Core Web Vitals — 🟢 good · 🟡 needs improvement · 🔴 poor (web.dev thresholds)

  • 🟡 loadNewAccount/FCP: p75 2.5s
  • 🟡 confirmTx/FCP: p75 2.5s
  • 🟡 bridgeUserActions/FCP: p75 2.5s
Startup Benchmarks · Samples: 100
Benchmarkchrome-browserifychrome-webpackfirefox-browserifyfirefox-webpack
startupStandardHome
[Sentry log · main/release]		🟢 [CI log]🟢 [CI log]🟢 [CI log]🟢 [CI log]

📈 Results compared to the previous 5 runs on main

  • startupStandardHome/uiStartup: -23%
  • startupStandardHome/load: -11%
  • startupStandardHome/domContentLoaded: -13%
  • startupStandardHome/backgroundConnect: +14%
  • startupStandardHome/firstReactRender: -10%
  • startupStandardHome/initialActions: -33%
  • startupStandardHome/loadScripts: -17%
  • startupStandardHome/numNetworkReqs: -37%
  • startupStandardHome/uiStartup: -19%
  • startupStandardHome/load: -14%
  • startupStandardHome/domContentLoaded: -14%
  • startupStandardHome/firstPaint: +12%
  • startupStandardHome/backgroundConnect: -37%
  • startupStandardHome/firstReactRender: -23%
  • startupStandardHome/loadScripts: -14%
  • startupStandardHome/setupStore: -13%
  • startupStandardHome/numNetworkReqs: -44%
  • startupStandardHome/uiStartup: -15%
  • startupStandardHome/domInteractive: -64%
  • startupStandardHome/initialActions: -33%
  • startupStandardHome/setupStore: -17%
  • startupStandardHome/numNetworkReqs: -37%
  • startupStandardHome/uiStartup: -20%
  • startupStandardHome/load: -12%
  • startupStandardHome/domContentLoaded: -12%
  • startupStandardHome/domInteractive: -73%
  • startupStandardHome/backgroundConnect: -11%
  • startupStandardHome/initialActions: +14%
  • startupStandardHome/loadScripts: -12%
  • startupStandardHome/setupStore: -70%
  • startupStandardHome/numNetworkReqs: -37%
User Journey Benchmarks · Samples: 5 · mock API

📈 Results compared to the previous 5 runs on main

  • onboardingImportWallet/srpButtonToSrpForm: -84%
  • onboardingImportWallet/metricsToWalletReadyScreen: -47%
  • onboardingImportWallet/doneButtonToHomeScreen: -76%
  • onboardingImportWallet/openAccountMenuToAccountListLoaded: +26%
  • onboardingImportWallet/total: -44%
  • onboardingNewWallet/srpButtonToPwForm: -77%
  • onboardingNewWallet/skipBackupToMetricsScreen: -67%
  • onboardingNewWallet/doneButtonToAssetList: -35%
  • onboardingNewWallet/total: -34%
  • assetDetails/assetClickToPriceChart: -46%
  • assetDetails/total: -46%
  • solanaAssetDetails/assetClickToPriceChart: -51%
  • solanaAssetDetails/total: -51%
  • importSrpHome/loginToHomeScreen: -16%
  • importSrpHome/openAccountMenuAfterLogin: -69%
  • importSrpHome/homeAfterImportWithNewWallet: -68%
  • importSrpHome/total: -61%
  • sendTransactions/openSendPageFromHome: -15%
  • sendTransactions/selectTokenToSendFormLoaded: +90%
  • sendTransactions/reviewTransactionToConfirmationPage: +35%
  • sendTransactions/total: +36%
  • swap/openSwapPageFromHome: -96%
  • swap/fetchAndDisplaySwapQuotes: +31%
  • swap/total: +11%

🌐 Core Web Vitals — 🟢 good · 🟡 needs improvement · 🔴 poor (web.dev thresholds)

  • 🟡 assetDetails/FCP: p75 2.7s
  • 🟡 solanaAssetDetails/FCP: p75 2.5s
  • 🟡 importSrpHome/FCP: p75 2.5s
  • 🟡 sendTransactions/INP: p75 224ms
  • 🟡 sendTransactions/FCP: p75 2.5s
  • 🟡 swap/FCP: p75 2.4s
Dapp Page Load Benchmarks · Samples: 100
Benchmarkchrome-browserify
dappPageLoad
[Sentry log · main/release]		🟢 [CI log]
Bundle size diffs [🚨 Warning! Bundle size has increased!]
  • background: 924 Bytes (0.02%)
  • ui: -807 Bytes (-0.01%)
  • common: 4.51 KiB (0.04%)

@n3ps n3ps force-pushed the n3ps/non-evm-spam-filter branch from 0d0bf6d to 6fbc4cd Compare April 28, 2026 01:21
@github-project-automation github-project-automation Bot moved this to Needs dev review in PR review queue Apr 28, 2026
@n3ps n3ps force-pushed the n3ps/non-evm-spam-filter branch from 6fbc4cd to ecf4d30 Compare April 28, 2026 01:24
@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud Bot commented Apr 28, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
91.7% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@metamaskbotv2
Copy link
Copy Markdown
Contributor

metamaskbotv2 Bot commented Apr 28, 2026

Builds ready [ecf4d30]
⚡ Performance Benchmarks (Total: 🟢 7 pass · 🟡 8 warn · 🔴 0 fail)

Baseline (latest main): 71bd826 | Date: 10/14/58243 | Pipeline: 25028738668 | Baseline logs

Interaction Benchmarks · Samples: 5
Benchmarkchrome-browserify
loadNewAccount
[Sentry log · main/release]		🟡 [CI log]
confirmTx
[Sentry log · main/release]		🟡 [CI log]
bridgeUserActions
[Sentry log · main/release]		🟡 [CI log]

📈 Results compared to the previous 5 runs on main

  • loadNewAccount/load_new_account: -77%
  • loadNewAccount/total: -77%
  • bridgeUserActions/bridge_load_page: -29%
  • bridgeUserActions/bridge_load_asset_picker: -31%
  • bridgeUserActions/bridge_search_token: -19%
  • bridgeUserActions/total: -28%

🌐 Core Web Vitals — 🟢 good · 🟡 needs improvement · 🔴 poor (web.dev thresholds)

  • 🟡 loadNewAccount/FCP: p75 2.5s
  • 🟡 confirmTx/FCP: p75 2.5s
  • 🟡 bridgeUserActions/FCP: p75 2.6s
Startup Benchmarks · Samples: 100
Benchmarkchrome-browserifychrome-webpackfirefox-browserifyfirefox-webpack
startupStandardHome
[Sentry log · main/release]		🟢 [CI log]🟢 [CI log]🟢 [CI log]🟢 [CI log]

📈 Results compared to the previous 5 runs on main

  • startupStandardHome/uiStartup: -25%
  • startupStandardHome/load: -15%
  • startupStandardHome/domContentLoaded: -16%
  • startupStandardHome/firstPaint: -22%
  • startupStandardHome/backgroundConnect: +13%
  • startupStandardHome/firstReactRender: -18%
  • startupStandardHome/initialActions: -33%
  • startupStandardHome/loadScripts: -21%
  • startupStandardHome/numNetworkReqs: -37%
  • startupStandardHome/uiStartup: -25%
  • startupStandardHome/load: -21%
  • startupStandardHome/domContentLoaded: -20%
  • startupStandardHome/backgroundConnect: -43%
  • startupStandardHome/firstReactRender: -27%
  • startupStandardHome/loadScripts: -20%
  • startupStandardHome/setupStore: -13%
  • startupStandardHome/numNetworkReqs: -44%
  • startupStandardHome/uiStartup: -13%
  • startupStandardHome/domInteractive: -61%
  • startupStandardHome/initialActions: +33%
  • startupStandardHome/setupStore: -17%
  • startupStandardHome/numNetworkReqs: -37%
  • startupStandardHome/uiStartup: -11%
  • startupStandardHome/domInteractive: -57%
  • startupStandardHome/initialActions: -43%
  • startupStandardHome/setupStore: -64%
  • startupStandardHome/numNetworkReqs: -37%
User Journey Benchmarks · Samples: 5 · mock API

📈 Results compared to the previous 5 runs on main

  • onboardingImportWallet/srpButtonToSrpForm: -83%
  • onboardingImportWallet/metricsToWalletReadyScreen: -38%
  • onboardingImportWallet/doneButtonToHomeScreen: -78%
  • onboardingImportWallet/openAccountMenuToAccountListLoaded: +27%
  • onboardingImportWallet/total: -43%
  • onboardingNewWallet/srpButtonToPwForm: -77%
  • onboardingNewWallet/skipBackupToMetricsScreen: -67%
  • onboardingNewWallet/doneButtonToAssetList: -23%
  • onboardingNewWallet/total: -24%
  • assetDetails/assetClickToPriceChart: -49%
  • assetDetails/total: -49%
  • solanaAssetDetails/assetClickToPriceChart: -68%
  • solanaAssetDetails/total: -68%
  • importSrpHome/loginToHomeScreen: -17%
  • importSrpHome/openAccountMenuAfterLogin: -69%
  • importSrpHome/homeAfterImportWithNewWallet: -69%
  • importSrpHome/total: -62%
  • sendTransactions/openSendPageFromHome: -27%
  • sendTransactions/selectTokenToSendFormLoaded: -14%
  • sendTransactions/reviewTransactionToConfirmationPage: +35%
  • sendTransactions/total: +33%
  • swap/openSwapPageFromHome: -96%
  • swap/fetchAndDisplaySwapQuotes: +31%
  • swap/total: +11%

🌐 Core Web Vitals — 🟢 good · 🟡 needs improvement · 🔴 poor (web.dev thresholds)

  • 🟡 assetDetails/FCP: p75 2.5s
  • 🟡 solanaAssetDetails/FCP: p75 2.5s
  • 🟡 importSrpHome/FCP: p75 2.5s
  • 🟡 sendTransactions/FCP: p75 2.4s
  • 🟡 swap/FCP: p75 2.4s
Dapp Page Load Benchmarks · Samples: 100
Benchmarkchrome-browserify
dappPageLoad
[Sentry log · main/release]		🟢 [CI log]
Bundle size diffs [🚨 Warning! Bundle size has increased!]
  • background: 4.05 KiB (0.07%)
  • ui: 332 Bytes (0%)
  • common: 58.76 KiB (0.46%)

@n3ps n3ps added this pull request to the merge queue Apr 28, 2026
@github-project-automation github-project-automation Bot moved this from Needs dev review to Review finalised - Ready to be merged in PR review queue Apr 28, 2026
Merged via the queue into main with commit 97b4823 Apr 28, 2026
404 of 406 checks passed
@n3ps n3ps deleted the n3ps/non-evm-spam-filter branch April 28, 2026 17:46
@github-project-automation github-project-automation Bot moved this from Review finalised - Ready to be merged to Merged, Closed or Archived in PR review queue Apr 28, 2026
@github-actions github-actions Bot locked and limited conversation to collaborators Apr 28, 2026
@metamaskbot metamaskbot added the release-13.30.0 Issue or pull request that will be included in release 13.30.0 label Apr 28, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

@DDDDDanica DDDDDanica DDDDDanica approved these changes

@NidhiKJha NidhiKJha NidhiKJha approved these changes

Assignees

No one assigned

Labels

release-13.30.0 Issue or pull request that will be included in release 13.30.0 size-L team-core-extension-ux Core Extension UX team

Projects

PR review queue
Archived in project

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@n3ps @DDDDDanica @NidhiKJha @metamaskbot