Skip to content

feat(transaction): add SecurityCheck component#2636

Open
lau90eth wants to merge 1 commit into
coinbase:mainfrom
lau90eth:feat/security-check-only
Open

feat(transaction): add SecurityCheck component#2636
lau90eth wants to merge 1 commit into
coinbase:mainfrom
lau90eth:feat/security-check-only

Conversation

@lau90eth

@lau90eth lau90eth commented May 1, 2026

Copy link
Copy Markdown

Summary

OnchainKit makes it easy to send transactions, but users have zero
visibility into what they're signing. Is the contract verified?
Is it a proxy?

This PR adds <SecurityCheck />, a component that automatically analyzes
contract security before the user signs — no configuration required.

<Transaction calls={calls}>
  <SecurityCheck />
  <TransactionButton />
</Transaction>

What changed

  • SecurityCheck component — reads contract addresses from
    TransactionContext, fetches verification data from Basescan API,
    and renders a security status banner before the user signs
  • Risk indicators:
    • ✅ Contract verified — source code confirmed on Basescan
    • ⚠️ Proxy contract — shows implementation address if available
    • 🔴 Contract not verified — high risk warning
  • Standalone implementation — no dependency on other open PRs.
    Fetches data directly from Basescan API internally.
  • Public export — added to src/transaction/index.ts

Usage

import { SecurityCheck } from '@coinbase/onchainkit/transaction';

// Drop-in before TransactionButton
<Transaction calls={calls}>
  <SecurityCheck />
  <TransactionButton />
</Transaction>

// With custom className
<SecurityCheck className="my-4" />

The component renders null when there are no calls or all checks pass
silently — zero impact on existing Transaction flows.


Notes to reviewers

  • Uses Basescan API. If apiKey is present in OnchainKitProvider,
    it is passed for higher rate limits. Works without a key for
    low-volume usage.
  • Reads calls from useTransactionContext — automatically works
    with any existing <Transaction /> usage
  • Renders null when no calls are present — zero impact on
    existing behavior
  • Follows the same styling patterns as existing transaction components
    (cn, text, border from theme)
  • Conservative by design: unverified = danger, proxy = warning

Testing

  • SecurityCheck.test.tsx — 5 tests
  • All 388 test files pass (2693 tests)

Test cases covered:

  • Loading state while fetching
  • Verified contract → safe status rendered
  • Unverified contract → danger status rendered
  • Proxy contract → warning with implementation address
  • Empty calls → renders null

Risk

Low. Additive component. Does not modify TransactionProvider,
TransactionButton, or any existing transaction logic.

Renders null by default when checks pass — invisible to users
unless a risk is detected.

Refs: #2637

Adds SecurityCheck component that analyzes contract security
before user signs a transaction.

- Reads contract addresses from Transaction context
- Fetches verification data from Basescan API
- Shows: verified, proxy, unverified status with risk indicators
- Standalone implementation — no dependency on other PRs
- 5 tests covering: loading, verified, unverified, proxy, empty state

Refs: coinbase#2572
@vercel

vercel Bot commented May 1, 2026

Copy link
Copy Markdown

@lau90eth is attempting to deploy a commit to the Coinbase Team on Vercel.

A member of the Team first needs to authorize it.

@cb-heimdall

cb-heimdall commented May 1, 2026

Copy link
Copy Markdown

🟡 Heimdall Review Status

Requirement Status More Info
Reviews 🟡 0/1
Denominator calculation
Show calculation
1 if user is bot 0
1 if user is external 0
2 if repo is sensitive 0
From .codeflow.yml 1
Additional review requirements
Show calculation
Max 0
0
From CODEOWNERS 0
Global minimum 0
Max 1
1
1 if commit is unverified 0
Sum 1

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

2 participants