chore(runway): cherry-pick fix: Aggregator guard on perps banner in detail screen cp-7.63.0 (#25203)

runway-github[bot] · gambinish · web-flow · commit 15bb9c1b3a6a · 2026-01-26T18:00:02.000Z
- fix: Aggregator guard on perps banner in detail screen cp-7.63.0 (#25078) ## **Description** **Summary** Adds token trust validation to the Perps Discovery Banner to prevent it from appearing on potentially malicious tokens. **Problem:** The Perps banner was showing based solely on symbol matching (e.g., "SOL"), which caused it to appear on fake tokens with matching symbols. This inadvertently lends credibility to scam tokens. Meaning, a user could open a Perps position from a scam token with the same symbol as a supported Perp (see recording **Solution:** Only show the Perps banner for tokens that are either: - Native tokens (ETH, BNB, SOL, etc.) - Tokens listed on at least 2 aggregators/exchanges (indicates legitimacy) **Changes** - Added `PERPS_MIN_AGGREGATORS_FOR_TRUST` constant to `perpsConfig.ts` - Added isTokenTrustworthy check in AssetOverview.tsx - Added isTokenTrustworthy check in AssetDetails/index.tsx **Future Improvement** **Blockaid Integration:** We could trigger a Blockaid scan via `PhishingController.scanAddress()` when viewing an asset and use the `tokenScanCache` result to determine if the token is malicious. However, this approach was deferred because: - Adds network latency on every asset view - Increases API resource consumption - Requires async handling and loading states for the banner The aggregators-based approach provides an immediate guard with no additional API calls, covering the majority of scam token cases. Blockaid integration could be added as a future enhancement for more comprehensive protection. So, there is still an edge case where scam tokens can game the aggregators and bypass the aggregator guard. Blockaid check would solve this edge case. ## **Changelog** CHANGELOG entry: Add aggregator guard to token detail PerpsBanner ## **Related issues** Fixes: ## **Manual testing steps**  ```gherkin Feature: Perps Discovery Banner Token Trust Validation As a user viewing token details I want the Perps trading banner to only appear for legitimate tokens So that I am not misled into thinking a scam token is associated with a real Perps market Background: Given I am logged into MetaMask Mobile And the Perps feature flag is enabled And I am on a network that supports Perps trading Scenario: Banner appears for native tokens with matching Perps market Given I navigate to the Asset Overview for native ETH And a Perps market exists for "ETH" Then I should see the Perps Discovery Banner And the banner should display the ETH market leverage Scenario: Banner appears for tokens listed on multiple exchanges Given I navigate to the Asset Overview for LINK token And LINK has 3 aggregators in its token metadata And a Perps market exists for "LINK" Then I should see the Perps Discovery Banner Scenario: Banner does NOT appear for tokens with insufficient aggregators Given I navigate to the Asset Overview for a token with symbol "SOL" And the token has 0 aggregators in its metadata And the token is not a native token And a Perps market exists for "SOL" Then I should NOT see the Perps Discovery Banner Scenario: Banner does NOT appear for fake tokens mimicking native symbols Given I navigate to the Asset Overview for a fake "SOL" token on Ethereum And the token contract address does not match the real SOL token And the token has fewer than 2 aggregators Then I should NOT see the Perps Discovery Banner Even though a Perps market exists for "SOL" Scenario: Banner navigation works correctly for trusted tokens Given I navigate to the Asset Overview for native BTC And a Perps market exists for "BTC" And I see the Perps Discovery Banner When I tap on the Perps Discovery Banner Then I should be navigated to the BTC Perps Market Details screen ``` ## **Screenshots/Recordings** Before: https://github.com/user-attachments/assets/97a0f6ab-ab03-4798-a5c8-bfb40734049c After: https://github.com/user-attachments/assets/54e75499-84e7-4c9e-9b7f-3a392104bfa8 ## **Pre-merge author checklist**  - [x] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Mobile Coding Standards](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [x] I've completed the PR template to the best of my ability - [x] I've included tests if applicable - [x] I've documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [x] I've applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist**  - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.  --- > [!NOTE] > Adds a token trust guard for the Perps Discovery Banner to avoid showing it on untrusted tokens. > > - Introduces `PERPS_MIN_AGGREGATORS_FOR_TRUST` and `isTokenTrustworthyForPerps` in `perpsConfig` > - Gates `PerpsDiscoveryBanner` in `AssetOverview` and `AssetDetails` on `isTokenTrustworthy` in addition to existing perps market checks > - Adds comprehensive tests for trust logic and banner rendering conditions (`perpsConfig.test.ts`, `AssetOverview.test.tsx`) > - Minor: `Balance` now passes the full `asset` in navigation params when opening `AssetDetails` > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 1ae8cdd. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>  [a4a0d88](a4a0d88) Co-authored-by: Nick Gambino <35090461+gambinish@users.noreply.github.com>
diff --git a/app/components/UI/AssetOverview/AssetOverview.test.tsx b/app/components/UI/AssetOverview/AssetOverview.test.tsx
@@ -313,6 +313,17 @@ jest.mock('../../Views/confirmations/hooks/useSendNavigation', () => ({
   useSendNavigation: jest.fn(),
 }));
 
+// Perps Discovery Banner mocks
+const mockUsePerpsMarketForAsset = jest.fn();
+jest.mock('../Perps/hooks/usePerpsMarketForAsset', () => ({
+  usePerpsMarketForAsset: () => mockUsePerpsMarketForAsset(),
+}));
+
+const mockSelectPerpsEnabledFlag = jest.fn();
+jest.mock('../Perps', () => ({
+  selectPerpsEnabledFlag: () => mockSelectPerpsEnabledFlag(),
+}));
+
 const asset = {
   balance: '400',
   balanceFiat: '1500',
@@ -401,6 +412,13 @@ describe('AssetOverview', () => {
         mockNavigate('Send', params);
       }),
     });
+
+    // Default Perps mock - disabled and no market exists (banner won't show)
+    mockSelectPerpsEnabledFlag.mockReturnValue(false);
+    mockUsePerpsMarketForAsset.mockReturnValue({
+      hasPerpsMarket: false,
+      marketData: null,
+    });
   });
 
   afterEach(() => {
@@ -1851,6 +1869,139 @@ describe('AssetOverview', () => {
       );
     });
   });
+
+  describe('Perps Discovery Banner Token Trust Validation', () => {
+    const mockMarketData = {
+      symbol: 'ETH',
+      maxLeverage: 50,
+    };
+
+    beforeEach(() => {
+      // Reset Perps mocks before each test
+      mockSelectPerpsEnabledFlag.mockReset();
+      mockUsePerpsMarketForAsset.mockReset();
+    });
+
+    it('does NOT render Perps banner for token with insufficient aggregators', () => {
+      // Mock: Perps enabled and market exists
+      mockSelectPerpsEnabledFlag.mockReturnValue(true);
+      mockUsePerpsMarketForAsset.mockReturnValue({
+        hasPerpsMarket: true,
+        marketData: mockMarketData,
+      });
+
+      const tokenWithNoAggregators = {
+        ...asset,
+        aggregators: [], // No aggregators - not trustworthy
+        isETH: false,
+        isNative: false,
+      };
+
+      const { queryByTestId } = renderWithProvider(
+        <AssetOverview asset={tokenWithNoAggregators} />,
+        { state: mockInitialState },
+      );
+
+      // Banner NOT rendered
+      expect(queryByTestId('perps-discovery-banner')).toBeNull();
+    });
+
+    it('renders Perps banner for native token regardless of aggregators', () => {
+      // Mock: Perps enabled and market exists
+      mockSelectPerpsEnabledFlag.mockReturnValue(true);
+      mockUsePerpsMarketForAsset.mockReturnValue({
+        hasPerpsMarket: true,
+        marketData: mockMarketData,
+      });
+
+      const nativeToken = {
+        ...asset,
+        aggregators: [], // No aggregators, but native token is always trusted
+        isNative: true,
+        isETH: false,
+      };
+
+      const { getByTestId } = renderWithProvider(
+        <AssetOverview asset={nativeToken} />,
+        { state: mockInitialState },
+      );
+
+      // Banner rendered for native tokens
+      expect(getByTestId('perps-discovery-banner')).toBeOnTheScreen();
+    });
+
+    it('renders Perps banner for ETH token regardless of aggregators', () => {
+      // Mock: Perps enabled and market exists
+      mockSelectPerpsEnabledFlag.mockReturnValue(true);
+      mockUsePerpsMarketForAsset.mockReturnValue({
+        hasPerpsMarket: true,
+        marketData: mockMarketData,
+      });
+
+      const ethToken = {
+        ...asset,
+        aggregators: [], // No aggregators, but ETH is always trusted
+        isETH: true,
+        isNative: false,
+      };
+
+      const { getByTestId } = renderWithProvider(
+        <AssetOverview asset={ethToken} />,
+        { state: mockInitialState },
+      );
+
+      // Banner rendered for ETH tokens
+      expect(getByTestId('perps-discovery-banner')).toBeOnTheScreen();
+    });
+
+    it('renders Perps banner for token with sufficient aggregators', () => {
+      // Mock: Perps enabled and market exists
+      mockSelectPerpsEnabledFlag.mockReturnValue(true);
+      mockUsePerpsMarketForAsset.mockReturnValue({
+        hasPerpsMarket: true,
+        marketData: mockMarketData,
+      });
+
+      const tokenWithAggregators = {
+        ...asset,
+        aggregators: ['CoinGecko', 'CoinMarketCap'], // 2 aggregators - trustworthy
+        isETH: false,
+        isNative: false,
+      };
+
+      const { getByTestId } = renderWithProvider(
+        <AssetOverview asset={tokenWithAggregators} />,
+        { state: mockInitialState },
+      );
+
+      // Banner rendered for tokens with sufficient aggregators
+      expect(getByTestId('perps-discovery-banner')).toBeOnTheScreen();
+    });
+
+    it('does NOT render Perps banner for token with only 1 aggregator', () => {
+      // Mock: Perps enabled and market exists
+      mockSelectPerpsEnabledFlag.mockReturnValue(true);
+      mockUsePerpsMarketForAsset.mockReturnValue({
+        hasPerpsMarket: true,
+        marketData: mockMarketData,
+      });
+
+      const tokenWithOneAggregator = {
+        ...asset,
+        aggregators: ['CoinGecko'], // Only 1 aggregator - not enough
+        isETH: false,
+        isNative: false,
+      };
+
+      const { queryByTestId } = renderWithProvider(
+        <AssetOverview asset={tokenWithOneAggregator} />,
+        { state: mockInitialState },
+      );
+
+      // Banner NOT rendered - 1 aggregator is not enough
+      expect(queryByTestId('perps-discovery-banner')).toBeNull();
+    });
+  });
 });
 
 describe('getSwapTokens', () => {
diff --git a/app/components/UI/AssetOverview/AssetOverview.tsx b/app/components/UI/AssetOverview/AssetOverview.tsx
@@ -114,6 +114,7 @@ import { selectPerpsEnabledFlag } from '../Perps';
 import { usePerpsMarketForAsset } from '../Perps/hooks/usePerpsMarketForAsset';
 import PerpsDiscoveryBanner from '../Perps/components/PerpsDiscoveryBanner';
 import { PerpsEventValues } from '../Perps/constants/eventNames';
+import { isTokenTrustworthyForPerps } from '../Perps/constants/perpsConfig';
 import DSText, {
   TextVariant,
 } from '../../../component-library/components/Texts/Text';
@@ -312,6 +313,9 @@ const AssetOverview: React.FC<AssetOverviewProps> = ({
     isPerpsEnabled ? asset.symbol : null,
   );
 
+  // Check if token is trustworthy for showing Perps banner
+  const isTokenTrustworthy = isTokenTrustworthyForPerps(asset);
+
   const { styles } = useStyles(styleSheet, {});
   const dispatch = useDispatch();
 
@@ -857,21 +861,24 @@ const AssetOverview: React.FC<AssetOverviewProps> = ({
               <MerklRewards asset={asset} />
             </View>
           )}
-          {isPerpsEnabled && hasPerpsMarket && marketData && (
-            <>
-              <View style={styles.perpsPositionHeader}>
-                <DSText variant={TextVariant.HeadingMD}>
-                  {strings('asset_overview.perps_position')}
-                </DSText>
-              </View>
-              <PerpsDiscoveryBanner
-                symbol={marketData.symbol}
-                maxLeverage={marketData.maxLeverage}
-                onPress={handlePerpsDiscoveryPress}
-                testID="perps-discovery-banner"
-              />
-            </>
-          )}
+          {isPerpsEnabled &&
+            hasPerpsMarket &&
+            marketData &&
+            isTokenTrustworthy && (
+              <>
+                <View style={styles.perpsPositionHeader}>
+                  <DSText variant={TextVariant.HeadingMD}>
+                    {strings('asset_overview.perps_position')}
+                  </DSText>
+                </View>
+                <PerpsDiscoveryBanner
+                  symbol={marketData.symbol}
+                  maxLeverage={marketData.maxLeverage}
+                  onPress={handlePerpsDiscoveryPress}
+                  testID="perps-discovery-banner"
+                />
+              </>
+            )}
           <View style={styles.tokenDetailsWrapper}>
             <TokenDetails asset={asset} />
           </View>
diff --git a/app/components/UI/AssetOverview/Balance/Balance.tsx b/app/components/UI/AssetOverview/Balance/Balance.tsx
@@ -202,8 +202,9 @@ const Balance = ({
       navigation.navigate('AssetDetails', {
         chainId: asset.chainId,
         address: asset.address,
+        asset,
       }),
-    [asset.address, asset.chainId, asset.isNative, navigation],
+    [asset, navigation],
   );
 
   const label = asset.accountType
diff --git a/app/components/UI/Perps/constants/perpsConfig.test.ts b/app/components/UI/Perps/constants/perpsConfig.test.ts
@@ -0,0 +1,115 @@
+import {
+  PERPS_MIN_AGGREGATORS_FOR_TRUST,
+  isTokenTrustworthyForPerps,
+} from './perpsConfig';
+
+describe('isTokenTrustworthyForPerps', () => {
+  describe('native assets', () => {
+    it('returns true for native asset (isNative: true)', () => {
+      const asset = {
+        isNative: true,
+        isETH: false,
+        aggregators: [],
+      };
+
+      expect(isTokenTrustworthyForPerps(asset)).toBe(true);
+    });
+
+    it('returns true for ETH asset (isETH: true)', () => {
+      const asset = {
+        isNative: false,
+        isETH: true,
+        aggregators: [],
+      };
+
+      expect(isTokenTrustworthyForPerps(asset)).toBe(true);
+    });
+
+    it('returns true for native asset even with no aggregators', () => {
+      const asset = {
+        isNative: true,
+        aggregators: [],
+      };
+
+      expect(isTokenTrustworthyForPerps(asset)).toBe(true);
+    });
+  });
+
+  describe('non-native assets with aggregators', () => {
+    it('returns true when aggregators count equals minimum threshold', () => {
+      const asset = {
+        isNative: false,
+        isETH: false,
+        aggregators: Array(PERPS_MIN_AGGREGATORS_FOR_TRUST).fill('exchange'),
+      };
+
+      expect(isTokenTrustworthyForPerps(asset)).toBe(true);
+    });
+
+    it('returns true when aggregators count exceeds minimum threshold', () => {
+      const asset = {
+        isNative: false,
+        isETH: false,
+        aggregators: ['CoinGecko', 'CoinMarketCap', 'Uniswap'],
+      };
+
+      expect(isTokenTrustworthyForPerps(asset)).toBe(true);
+    });
+
+    it('returns false when aggregators count is below minimum threshold', () => {
+      const asset = {
+        isNative: false,
+        isETH: false,
+        aggregators: ['CoinGecko'], // Only 1
+      };
+
+      expect(isTokenTrustworthyForPerps(asset)).toBe(false);
+    });
+
+    it('returns false when aggregators is empty', () => {
+      const asset = {
+        isNative: false,
+        isETH: false,
+        aggregators: [],
+      };
+
+      expect(isTokenTrustworthyForPerps(asset)).toBe(false);
+    });
+  });
+
+  describe('edge cases', () => {
+    it('handles undefined aggregators', () => {
+      const asset = {
+        isNative: false,
+        isETH: false,
+        aggregators: undefined,
+      };
+
+      expect(isTokenTrustworthyForPerps(asset)).toBe(false);
+    });
+
+    it('handles missing properties', () => {
+      const asset = {};
+
+      expect(isTokenTrustworthyForPerps(asset)).toBe(false);
+    });
+
+    it('handles asset with only aggregators property', () => {
+      const asset = {
+        aggregators: ['CoinGecko', 'CoinMarketCap'],
+      };
+
+      expect(isTokenTrustworthyForPerps(asset)).toBe(true);
+    });
+  });
+});
+
+describe('PERPS_MIN_AGGREGATORS_FOR_TRUST', () => {
+  it('is defined and is a number', () => {
+    expect(typeof PERPS_MIN_AGGREGATORS_FOR_TRUST).toBe('number');
+  });
+
+  it('equals 2', () => {
+    expect(PERPS_MIN_AGGREGATORS_FOR_TRUST).toBe(2);
+  });
+});
diff --git a/app/components/UI/Perps/constants/perpsConfig.ts b/app/components/UI/Perps/constants/perpsConfig.ts
@@ -1,3 +1,5 @@
+import { TokenI } from '../../Tokens/types';
+
 /**
  * Perps feature constants
  */
@@ -64,6 +66,29 @@ export const METAMASK_FEE_CONFIG = {
   // which returns complete fee breakdown including MetaMask fees
 } as const;
 
+/**
+ * Minimum number of aggregators (exchanges) a token must be listed on
+ * to be considered trustworthy for showing the Perps Discovery Banner.
+ * Native tokens (ETH, BNB, etc.) bypass this check.
+ */
+export const PERPS_MIN_AGGREGATORS_FOR_TRUST = 2;
+
+/**
+ * Checks if an asset is trustworthy for displaying the Perps Discovery Banner.
+ * An asset is considered trustworthy if:
+ * - It is a native asset (ETH, BNB, SOL, etc.), OR
+ * - It is listed on at least PERPS_MIN_AGGREGATORS_FOR_TRUST exchanges
+ *
+ * @param asset - Asset object (TokenI or partial TokenI)
+ * @returns true if the asset is trustworthy, false otherwise
+ */
+export const isTokenTrustworthyForPerps = (asset: Partial<TokenI>): boolean => {
+  const isNativeAsset = asset.isNative || asset.isETH;
+  const hasEnoughAggregators =
+    (asset.aggregators?.length ?? 0) >= PERPS_MIN_AGGREGATORS_FOR_TRUST;
+  return isNativeAsset || hasEnoughAggregators;
+};
+
 /**
  * Validation thresholds for UI warnings and checks
  * These values control when warnings are shown to users
diff --git a/app/components/Views/AssetDetails/index.tsx b/app/components/Views/AssetDetails/index.tsx
