fix: use streaming decompression with size limit for deeplink payloads

[chakra-guy]

Description

The deeplink connection flow (metamask://connect/mwp?p=<payload>&c=1) checks payload size only on the compressed, base64-encoded input (1 MB limit) but not on the decompressed output. A crafted compressed payload within this limit can expand to hundreds of megabytes during decompression, exhausting heap memory and crashing the app.

This was identified as a finding in the Cyfrin security audit: Cyfrin audit issue #4

The fix switches from pako's one-shot inflate() to the streaming Inflate class, wrapping the default onData handler with a size guard that tracks cumulative output bytes and throws as soon as output exceeds 5 MB. This aborts decompression early without ever allocating the full bomb payload in memory. The 5 MB limit is generous (real connection request payloads are well under 10 KB) and the existing 1 MB pre-decompression check remains in place as a first line of defense.

Changelog

CHANGELOG entry: Fixed a potential decompression bomb vulnerability in the deeplink connection flow by adding streaming output size limits

Related issues

Fixes: https://consensyssoftware.atlassian.net/browse/WAPI-1131
Refs: https://github.com/Cyfrin/audit-2026-02-metamask-connect/issues/4

Manual testing steps

Not applicable.

Screenshots/Recordings

Not applicable.

Pre-merge author checklist

• I've followed MetaMask Contributor Docs and MetaMask Mobile Coding Standards.
• I've completed the PR template to the best of my ability
• I've included tests if applicable
• I've documented my code using JSDoc format if applicable
• I've applied the right labels on the PR (see labeling guidelines). Not required for external contributors.

Pre-merge reviewer checklist

• I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
• I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

[github-actions]

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

[github-actions]

🔍 Smart E2E Test Selection

• Selected E2E tags: None (no tests recommended)
• Selected Performance tags: None (no tests recommended)
• Risk Level: low
• AI Confidence: 85%

click to see 🤖 AI reasoning details

E2E Test Selection:
The changes are isolated to the SDKConnectV2 compression utility (compression-utils.ts) which handles decompression of deeplink payloads for mobile wallet protocol connections. The modifications:

1. Security Enhancement: Switches from inflate to streaming Inflate from pako to prevent decompression bomb attacks by tracking cumulative output size
2. Size Limit: Adds a 5MB maximum decompressed payload size limit
3. Better Error Handling: Adds proper error handling for size limit exceeded and decompression failures

The changes are:

• Internal implementation changes that don't alter the external API for valid payloads
• Well-covered by updated unit tests that verify round-trip compression, size limit enforcement, and corrupt data handling
• Isolated to the SDKConnectV2 module which handles deeplink-based dApp connections (different from browser-based dApp connections)

None of the available E2E test tags directly test SDKConnectV2 deeplink handling. The existing E2E tests focus on browser-based dApp connections (SmokeNetworkExpansion, SmokeMultiChainAPI) which use different code paths. The SDKConnectV2 module is used for QR code scanning and SDK disconnect modal, but these flows aren't covered by the available test tags.

Since this is a security fix with comprehensive unit test coverage and doesn't change behavior for valid payloads, no E2E tests are required.

Performance Test Selection:
The changes are to a compression utility function used during deeplink parsing for SDK connections. This is a one-time operation during connection establishment, not a frequently executed path that would impact app performance. The change from inflate to streaming Inflate is primarily for security (preventing decompression bombs) rather than performance optimization. No performance-sensitive areas like UI rendering, list loading, or critical user flows are affected.

View GitHub Actions results

[ffmcgee725]

LGTM!