fix(tron): scope trc20-transfer event caip to the token contract

BitHighlander · claude · BitHighlander · commit 996309231718 · 2026-04-24T16:00:46.000-05:00
Review follow-up to the caip-match gate in #48: dApp TRC-20 events were still emitting caip: TRON_CAIP (tron:27Lqcw/slip44:195 — the native-TRX caip). The UI's ctx.caip === event.caip guard matched when the user had TRX selected in the side panel, leaking the TRX symbol/icon onto a USDT approval — exactly the failure the gate was supposed to block. Emit a token-scoped caip for trc20-transfer: tron:27Lqcw/token:${decoded.contractAddress} Now the fallback only fires when the side-panel happened to have this exact token selected. Any other selection (TRX, a different TRC-20, or an unrelated chain) leaves symbol/icon empty, which is the correct behavior — the handler still populates payment.decimals=0 so amounts render as raw base units. trx-transfer keeps TRON_CAIP (legitimate native TRX match desired). contract-call keeps TRON_CAIP too — its renderer owns its own labels (Contract:, Function:, "TRX sent:") with a hardcoded 'TRX' fallback on the call_value row, so the caip match affects only the avatar icon. Not worth the extra complexity. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
diff --git a/chrome-extension/src/background/chains/tronHandler.ts b/chrome-extension/src/background/chains/tronHandler.ts
@@ -603,8 +603,25 @@ export const handleTronRequest = async (
       // token display should teach decodeTronTx to look up decimals
       // from assetData or an on-chain call — not a fix for this PR.
       const decimals = decoded.kind === 'trc20-transfer' ? 0 : 6;
+      // For TRC-20 events, scope the caip to the specific token
+      // contract so the UI's ctx.caip-match gate only fires when the
+      // side-panel had THIS token selected. Otherwise a dApp USDT
+      // transfer with the user on the TRX asset page would match
+      // (both sides = tron:27Lqcw/slip44:195) and render with the TRX
+      // symbol/icon — the exact leak #48's gate was meant to block.
+      //
+      // Native TRX and generic contract-call stay on TRON_CAIP:
+      // trx-transfer is native TRX so matching the TRX context is
+      // correct; contract-call renders its own Contract/Function UI
+      // with a hardcoded 'TRX' fallback on the call_value row, so a
+      // partial caip-match can't leak the wrong symbol into anything
+      // user-facing.
+      const eventCaip =
+        decoded.kind === 'trc20-transfer' && decoded.contractAddress
+          ? `${TRON_NETWORK_ID}/token:${decoded.contractAddress}`
+          : TRON_CAIP;
       const event = buildEvent(requestInfo, 'transfer', params, {
-        caip: TRON_CAIP,
+        caip: eventCaip,
         from: sender,
         to: decoded.toAddress,
         amount: decoded.displayAmount,
