
[Bug]: wallet_addEthereumChain adds new default RPC URL without confirmation #12850

@christopherferreira9

Describe the bug

Following the extension, when wallet_addEthereumChain is called for an existing chain, before the active chain switches the user is presented with a confirmation screen warning that a different RPC URL is going to be added.
Without this confirmation screen we might be bumping into a phishing potential (see MetaMask/metamask-extension#16712).

Expected behavior

The user is presented with a confirmation screen warning the user that a new RPC URL for the chain he's trying to add is going to be added to the RPC list and this will turn into the default active RPC.

Screenshots/Recordings

overridingrpcurl.mov

Steps to reproduce

  1. Add Polygon in MetaMask and switch back to Mainnet
  2. Open this dapp on the in-app browser
  3. Tap request accounts and connect while having Mainnet as the active chain
  4. Tap AddEthereumChain
  5. Go to the list of chains in the wallet and verify the list of RPC URLs under the Polygon

Error messages or log output

Detection stage

In production (default)

Version

7.38.0

Build type

None

Device

iPhone 11

Operating system

iOS, Android

Additional context

Call being made under the AddEthereumChain button:

{
  method: 'wallet_addEthereumChain',
  params: [{
    chainId: '0x89',
    chainName: 'Polygon',
    blockExplorerUrls: ['https://polygonscan.com'],
    nativeCurrency: { symbol: 'POL', decimals: 18 },
    // notice that this RPC url is different than the one preloaded in MetaMask
    rpcUrls: ['https://polygon-rpc.com/'],
  }]
}

Severity

No response
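
The confirmation gate this report asks for, sketched as an added example (not MetaMask's code and not part of the original issue). The function names, the `knownNetworks` shape, the placeholder preloaded URL and the HTTPS-only rule are assumptions made for illustration.

```javascript
// Added illustration, not MetaMask code. Names and data shapes are hypothetical.

// Canonicalize an RPC URL so host case or a trailing slash does not make a
// known endpoint look new. Returns null for unparsable or non-HTTPS input
// (HTTPS-only is an assumption of this example).
function normalizeRpcUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return null;
  }
  if (url.protocol !== 'https:') return null;
  return url.origin + url.pathname.replace(/\/+$/, '') + url.search;
}

// Decide what the wallet must show before acting on wallet_addEthereumChain.
// knownNetworks: { [chainIdHex]: { rpcUrls: string[], defaultRpcIndex: number } }
function evaluateAddChainRequest(knownNetworks, params) {
  const chainId = String(params.chainId).toLowerCase();
  const requested = (params.rpcUrls || []).map(normalizeRpcUrl).filter(Boolean);
  if (requested.length === 0) {
    return { action: 'reject', reason: 'no usable HTTPS rpcUrls' };
  }
  const rpcUrl = requested[0];
  const isKnown = Object.prototype.hasOwnProperty.call(knownNetworks, chainId);
  if (!isKnown) return { action: 'confirm_new_chain', rpcUrl };

  const existing = knownNetworks[chainId];
  const known = existing.rpcUrls.map(normalizeRpcUrl);
  if (known.includes(rpcUrl)) return { action: 'switch_only', rpcUrl };

  // Chain exists but the endpoint is new: this is the case from the report.
  // The user must approve before the URL is stored or made the default.
  return {
    action: 'confirm_new_rpc',
    rpcUrl,
    currentDefault: known[existing.defaultRpcIndex],
  };
}

// Constructed wallet state; the preloaded URL is a placeholder.
const knownNetworks = {
  '0x89': { rpcUrls: ['https://preloaded-rpc.example/polygon'], defaultRpcIndex: 0 },
};
const request = { chainId: '0x89', chainName: 'Polygon', rpcUrls: ['https://polygon-rpc.com/'] };
console.log(evaluateAddChainRequest(knownNetworks, request));
```

Only the `confirm_new_rpc` and `confirm_new_chain` results should write to the network list, and only after the user approves the screen that names both the current default and the requested URL.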

Labels

- Sev1-high: An issue that may have caused fund loss or access to wallet in the past & may still be ongoing
- release-7.43.0: Issue or pull request that will be included in release 7.43.0
- team-assets
- team-wallet-api-platform-deprecated: DEPRECATED: please use "team-wallet-integrations" instead
