chore(runway): cherry-pick fix: cp-7.80.0 prevent send flow from submitting to zero address after clearing pasted recipient #30844

Merged: tommasini merged 2 commits into release/7.80.0 from runway-cherry-pick-7.80.0-1780309394 on Jun 1, 2026

@runway-github runway-github Bot commented Jun 1, 2026

Description

When a user pastes an address in the send flow, an auto-review
useEffect is triggered to streamline the UX. If the "New address"
alert modal appears and the user cancels it, then presses the "Clear"
button, the pastedRecipient state was not being cleared. This caused a
race condition: handleClearInput would set to to empty, which caused
hasUnacknowledgedAlerts to become false (no alerts for empty
addresses), while pastedRecipient and toAddressValidated still held
the old address. The auto-review useEffect would then see all
conditions pass and fire handleSubmitPress with an empty to value,
which got cast to 0x0000...0000.

Fix:

  1. Clear pastedRecipient in handleClearInput so the auto-review
    effect cannot re-trigger with stale state after clearing.
  2. Add a defense-in-depth guard in proceedWithSubmit to reject empty
    recipient addresses.

Changelog

CHANGELOG entry: Fixed a bug where clearing a pasted recipient address
in the send flow could trigger a transaction to the zero address

Related issues

Fixes:

Manual testing steps

Feature: Send flow clear button

  Scenario: user clears pasted address after cancelling new address alert
    Given the user is on the send recipient screen

    When user pastes a valid address using the Paste button
    And user presses the Review button
    And the "New address" alert modal appears
    And user presses Cancel on the alert modal
    And user presses the Clear button
    Then the input field is cleared
    And no transaction is submitted
    And the user remains on the recipient screen

  Scenario: user clears pasted address without triggering review first
    Given the user is on the send recipient screen

    When user pastes a valid address using the Paste button
    And user presses the Clear button before auto-review triggers
    Then the input field is cleared
    And no transaction is submitted

Screenshots/Recordings

Before

Pressing Clear after cancelling the "New address" alert triggers a
transaction submission to 0x0000...0000.

After

Pressing Clear correctly resets the input without triggering any
transaction submission.

Pre-merge author checklist

Performance checks (if applicable)

  • I've tested on Android
    • Ideally on a mid-range device; emulator is acceptable
  • I've tested with a power user scenario
    • Use these power-user SRPs to import wallets with many accounts
      and tokens
  • I've instrumented key operations with Sentry traces for production
    performance metrics
    • See trace() for usage and addToken for an example

For performance guidelines and tooling, see the Performance Guide.

Pre-merge reviewer checklist

  • I've manually tested the PR (e.g. pull and build branch, run the
    app, test code being changed).
  • I confirm that this PR addresses all acceptance criteria described
    in the ticket it closes and includes the necessary testing evidence such
    as recordings and or screenshots.

Note

Medium Risk
Changes send submission guards and recipient state on a user-facing
money path; scope is small and covered by tests, but incorrect gating
could block valid sends or miss edge cases.

Overview
Fixes a send-flow bug where Clear after canceling the "New
address" alert could still auto-advance review because
pastedRecipient stayed set while to was emptied.

RecipientInput now resets pastedRecipient in
handleClearInput (along with updateTo('')) so the paste
auto-review useEffect cannot re-fire on stale paste state.
Recipient proceedWithSubmit also bails out when there is no
resolvedAddress or to, blocking submission with an empty
recipient (e.g. zero address). Tests cover clear + empty-recipient
paths.

Reviewed by Cursor Bugbot for commit 636fbc9. Bugbot is set up for
automated code reviews on this repo. Configure here.
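
The stale-state sequence described above, reduced to a plain JavaScript model as an added example (not MetaMask's code). State and handler names follow the PR description; the effect's exact conditions and the zero-padding cast are assumptions, and the two fixes are toggled independently to show that either one alone stops the submission.

```javascript
// Simplified model of the send-recipient state (illustrative, not MetaMask's code).
// Field and handler names follow the PR description; the effect's conditions
// and the padding step below are assumptions.
const ZERO_ADDRESS = '0x' + '0'.repeat(40);

// Assumed cast: an empty recipient is left-padded into a 20-byte hex address.
const toHexAddress = (to) => '0x' + to.replace(/^0x/, '').padStart(40, '0');

function createSendFlow({ clearPasted, guardEmpty }) {
  const state = { to: '', pastedRecipient: '', toAddressValidated: '' };
  const submitted = [];

  // "New address" alert: only raised for a non-empty recipient.
  const hasUnacknowledgedAlerts = () => state.to !== '';

  function proceedWithSubmit() {
    if (guardEmpty && !state.to) return; // defense-in-depth guard (fix 2)
    submitted.push(toHexAddress(state.to));
  }

  // Stand-in for the auto-review useEffect, re-run after every state change.
  function autoReviewEffect() {
    const pasteValidated =
      state.pastedRecipient !== '' &&
      state.pastedRecipient === state.toAddressValidated;
    if (pasteValidated && !hasUnacknowledgedAlerts()) proceedWithSubmit();
  }

  return {
    submitted,
    paste(address) {
      state.to = state.pastedRecipient = state.toAddressValidated = address;
      autoReviewEffect(); // blocked: the alert is still unacknowledged
    },
    handleClearInput() {
      state.to = '';
      if (clearPasted) state.pastedRecipient = ''; // fix 1
      autoReviewEffect();
    },
  };
}

// Paste, leave the alert unacknowledged (cancel), then press Clear.
function clearAfterPaste(options) {
  const flow = createSendFlow(options);
  flow.paste('0x' + 'ab'.repeat(20)); // constructed sample address
  flow.handleClearInput();
  return flow.submitted; // recipients that reached submission
}
```

With both options off, `clearAfterPaste` returns a single entry equal to `ZERO_ADDRESS`; with either option on, it returns an empty list.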

[13349a0](https://github.com/MetaMask/metamask-mobile/commit/13349a0c8c223a6d4c28b3f0f222d978f5a7dd9a)

…itting to zero address after clearing pasted recipient (#30771)

## **Description**

When a user pastes an address in the send flow, an auto-review
`useEffect` is triggered to streamline the UX. If the "New address"
alert modal appears and the user cancels it, then presses the "Clear"
button, the `pastedRecipient` state was not being cleared. This caused a
race condition: `handleClearInput` would set `to` to empty, which caused
`hasUnacknowledgedAlerts` to become `false` (no alerts for empty
addresses), while `pastedRecipient` and `toAddressValidated` still held
the old address. The auto-review `useEffect` would then see all
conditions pass and fire `handleSubmitPress` with an empty `to` value,
which got cast to `0x0000...0000`.

**Fix:**
1. Clear `pastedRecipient` in `handleClearInput` so the auto-review
effect cannot re-trigger with stale state after clearing.
2. Add a defense-in-depth guard in `proceedWithSubmit` to reject empty
recipient addresses.

## **Changelog**

CHANGELOG entry: Fixed a bug where clearing a pasted recipient address
in the send flow could trigger a transaction to the zero address

## **Related issues**

Fixes:

## **Manual testing steps**

```gherkin
Feature: Send flow clear button

  Scenario: user clears pasted address after cancelling new address alert
    Given the user is on the send recipient screen

    When user pastes a valid address using the Paste button
    And user presses the Review button
    And the "New address" alert modal appears
    And user presses Cancel on the alert modal
    And user presses the Clear button
    Then the input field is cleared
    And no transaction is submitted
    And the user remains on the recipient screen

  Scenario: user clears pasted address without triggering review first
    Given the user is on the send recipient screen

    When user pastes a valid address using the Paste button
    And user presses the Clear button before auto-review triggers
    Then the input field is cleared
    And no transaction is submitted
```

## **Screenshots/Recordings**

### **Before**

Pressing Clear after cancelling the "New address" alert triggers a
transaction submission to `0x0000...0000`.

### **After**

Pressing Clear correctly resets the input without triggering any
transaction submission.

## **Pre-merge author checklist**

- [x] I've followed [MetaMask Contributor
Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Mobile
Coding
Standards](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/CODING_GUIDELINES.md).
- [x] I've completed the PR template to the best of my ability
- [x] I've included tests if applicable
- [x] I've documented my code using [JSDoc](https://jsdoc.app/) format
if applicable
- [x] I've applied the right labels on the PR (see [labeling
guidelines](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/LABELING_GUIDELINES.md)).
Not required for external contributors.

#### Performance checks (if applicable)

- [ ] I've tested on Android
  - Ideally on a mid-range device; emulator is acceptable
- [ ] I've tested with a power user scenario
- Use these [power-user
SRPs](https://consensyssoftware.atlassian.net/wiki/spaces/TL1/pages/edit-v2/401401446401?draftShareId=9d77e1e1-4bdc-4be1-9ebb-ccd916988d93)
to import wallets with many accounts and tokens
- [ ] I've instrumented key operations with Sentry traces for production
performance metrics
- See [`trace()`](/app/util/trace.ts) for usage and
[`addToken`](/app/components/Views/AddAsset/components/AddCustomToken/AddCustomToken.tsx#L274)
for an example

For performance guidelines and tooling, see the [Performance
Guide](https://consensyssoftware.atlassian.net/wiki/spaces/TL1/pages/400085549067/Performance+Guide+for+Engineers).

## **Pre-merge reviewer checklist**

- [ ] I've manually tested the PR (e.g. pull and build branch, run the
app, test code being changed).
- [ ] I confirm that this PR addresses all acceptance criteria described
in the ticket it closes and includes the necessary testing evidence such
as recordings and or screenshots.

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Changes send submission guards and recipient state on a user-facing
money path; scope is small and covered by tests, but incorrect gating
could block valid sends or miss edge cases.
> 
> **Overview**
> Fixes a send-flow bug where **Clear** after canceling the "New
address" alert could still auto-advance review because
**`pastedRecipient`** stayed set while **`to`** was emptied.
> 
> **`RecipientInput`** now resets **`pastedRecipient`** in
**`handleClearInput`** (along with **`updateTo('')`**) so the paste
auto-review **`useEffect`** cannot re-fire on stale paste state.
**`Recipient`** **`proceedWithSubmit`** also bails out when there is no
**`resolvedAddress`** or **`to`**, blocking submission with an empty
recipient (e.g. zero address). Tests cover clear + empty-recipient
paths.
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
636fbc9. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
@runway-github runway-github Bot requested a review from a team as a code owner June 1, 2026 10:23
@metamaskbotv2 metamaskbotv2 Bot added the team-bots Bot team (for MetaMask Bot, Runway Bot, etc.) label Jun 1, 2026
@github-actions github-actions Bot added the size-S label Jun 1, 2026
@codecov-commenter

Codecov Report

❌ Patch coverage is 50.00000% with 2 lines in your changes missing coverage. Please review.
⚠️ Please upload report for BASE (release/7.80.0@b077de5). Learn more about missing BASE report.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| ...firmations/components/send/recipient/recipient.tsx | 33.33% | 1 Missing and 1 partial ⚠️ |

Additional details and impacted files
@@                Coverage Diff                @@
##             release/7.80.0   #30844   +/-   ##
=================================================
  Coverage                  ?   82.69%           
=================================================
  Files                     ?     5540           
  Lines                     ?   141879           
  Branches                  ?    32713           
=================================================
  Hits                      ?   117329           
  Misses                    ?    16723           
  Partials                  ?     7827           

github-actions Bot commented Jun 1, 2026

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

github-actions Bot commented Jun 1, 2026

🔍 Smart E2E Test Selection

⏭️ Smart E2E selection skipped - PR targets a release or stable branch (release/* or stable)

All E2E tests pre-selected.

View GitHub Actions results

@tommasini tommasini merged commit f7dccc9 into release/7.80.0 Jun 1, 2026
199 of 203 checks passed
@tommasini tommasini deleted the runway-cherry-pick-7.80.0-1780309394 branch June 1, 2026 16:12
@github-actions github-actions Bot locked and limited conversation to collaborators Jun 1, 2026