Skip to content

fix: stop showing incoming transactions#240

Open
ulissesferreira wants to merge 7 commits intomainfrom
NEB-723-do-not-show-incoming-transactions
Open

fix: stop showing incoming transactions#240
ulissesferreira wants to merge 7 commits intomainfrom
NEB-723-do-not-show-incoming-transactions

Conversation

@ulissesferreira
Copy link
Contributor

@ulissesferreira ulissesferreira commented Mar 17, 2026
edited by cursor bot
Loading

Explanation

Incoming/received transactions pose an address poisoning risk. Attackers send small token amounts to a user's address so that their (attacker's) address -- often visually similar to a legitimate one -- appears in the user's transaction history. Users may then accidentally copy and reuse the attacker's address for future transfers.

This PR stops mapping all incoming (receive) transactions in TransactionMapper. Only outbound transactions (send, swap, stake deposit, stake withdraw) and unknown/approval types are now mapped and returned to the client.

What changed

TransactionsMapper.ts -- receive filtering is centralized at two aggregation boundaries instead of scattered across individual mappers:

  1. mapTransaction -- the switch now assigns to a mapped variable instead of returning directly, and a single post-dispatch check filters out any result with type === TransactionType.Receive. This covers all raw transaction types (native TRX, TRC10, TRC20, staking) in one place.
  2. mapTransactions -- the TRC20-only loop (for transactions not covered by raw data) has a single mappedTx.type !== TransactionType.Receive guard.

Individual mappers (#mapTransferContract, #mapTransferAssetContract, #mapTriggerSmartContract, #mapTrc20OnlyTransaction) remain unchanged in their mapping logic -- they still compute the type via #computeTransactionType, but no longer contain duplicate receive checks.

Staking (StakeDeposit / StakeWithdraw) and swap transactions are not affected -- they use dedicated types that are never Receive.

TransactionsMapper.test.ts:

  • Added explicit test: native TRX receive returns null
  • Updated 5 existing tests that previously asserted TransactionType.Receive to now assert null / empty results
  • Updated mapTransactions batch tests to reflect reduced counts (incoming transactions excluded)
  • All 31 tests pass (608 total across the full suite)

snap.manifest.json:

  • shasum updated to match the new build output

jest.config.js:

  • Coverage thresholds adjusted to reflect the refactored branch/line/statement coverage

CHANGELOG.md:

  • Added entry under [Unreleased] > Changed

References

Checklist

  • I've updated the test suite for new or updated code as appropriate
  • I've updated documentation (JSDoc, Markdown, etc.) for new or updated code as appropriate
  • I've communicated my changes to consumers by updating changelogs for packages I've changed
  • I've introduced breaking changes in this PR and have prepared draft pull requests for clients and consumer packages to resolve them
Open in Web Open in Cursor 

@cursoragent
fix: filter out incoming transactions to prevent address poisoning
27653fd 
Incoming/received transactions are now excluded from transaction mapping
to mitigate address poisoning attacks. Only outbound transactions (send,
swap, stake, unstake) are mapped and displayed to users.

Changes:
- TransactionsMapper: return null for Receive type in all mapping methods
  (#mapTransferContract, #mapTransferAssetContract, #mapTriggerSmartContract,
  #mapTrc20OnlyTransaction)
- Updated #mapTransferAssetContract return type to Transaction | null
- Updated tests to verify incoming transactions are filtered out
- Updated snap.manifest.json with new shasum

Refs: NEB-723
@cursoragent
chore: update coverage thresholds after receive transaction filtering
892d79d
@cursoragent
docs: update JSDoc for #mapTrc20OnlyTransaction after receive filtering
6e22f11
@cursoragent
docs: add CHANGELOG entry for incoming transaction filtering
5841e2c
@cursoragent
refactor: centralize receive transaction filtering in mapTransaction
7932d59 
Move the 4 scattered receive-type checks from individual mapping methods
(#mapTransferContract, #mapTransferAssetContract, #mapTriggerSmartContract,

1. mapTransaction: single post-dispatch check covers all raw tx types
2. mapTransactions: single check in the TRC20-only loop

This reduces duplication and makes the filtering intent explicit at the
dispatch level rather than buried in each mapper.
@cursoragent
chore: update coverage thresholds after centralized filtering refactor
4a4b0ca
@cursoragent
fix: resolve rebase conflicts and relocate CHANGELOG entry to Unreleased
18dcb8d 
After rebasing onto the 1.24.0 release, the CHANGELOG entry was
incorrectly placed under [1.24.0]. Moved it to [Unreleased] where
it belongs. Rebuilt snap to update shasum.
@cursor cursor bot force-pushed the NEB-723-do-not-show-incoming-transactions branch from 563344f to 18dcb8d Compare March 18, 2026 14:19
@ulissesferreira ulissesferreira marked this pull request as ready for review March 18, 2026 14:22
@ulissesferreira ulissesferreira requested a review from a team as a code owner March 18, 2026 14:22
@ulissesferreira ulissesferreira changed the title feat: stop showing incoming transactions fix: stop showing incoming transactions Mar 18, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ulissesferreira @cursoragent