fix: validate type of security data in token details and fetch when necessary cp-7.76.0

[sahar-fehri]

Description

Bug

When navigating from the Swap/Bridge "Select token" screen to Token Details via the (i) icon, security info (badge, SecurityTrustEntryCard, warning banners) is missing.

Root Cause

The Bridge /getTokens/popular API returns security data in a different shape ({ type: "Verified" }) than what Token Details expects ({ resultType: "Verified", features: [...], ... }). When navigating, the entire token object — including this wrong-shaped securityData — is spread into route params. useTokenSecurityData sees it as truthy prefetched data, skips its own API call, and the UI reads resultType / features → undefined → nothing renders.

Fix

Added a runtime type guard in useTokenSecurityData that validates prefetchedData has the required resultType (string) and features (array) before trusting it. If the shape is invalid, the hook falls through to fetchTokenAssets() and gets the full, correctly-shaped data.

Changelog

CHANGELOG entry: Fixed security badges and trust info now display correctly on Token Details when navigating from the Swap token selector.

Related issues

Fixes:

Manual testing steps

Feature: my feature name

  Scenario: user [verb for user action]
    Given [describe expected initial app state]

    When user [verb for user action]
    Then [describe expected outcome]

Screenshots/Recordings

Before

Screen.Recording.2026-05-06.at.14.34.01.mov

After

Screen.Recording.2026-05-06.at.14.32.27.mov

Pre-merge author checklist

• I've followed MetaMask Contributor Docs and MetaMask Mobile Coding Standards.
• I've completed the PR template to the best of my ability
• I've included tests if applicable
• I've documented my code using JSDoc format if applicable
• I've applied the right labels on the PR (see labeling guidelines). Not required for external contributors.

Performance checks (if applicable)

• I've tested on Android
  • Ideally on a mid-range device; emulator is acceptable
• I've tested with a power user scenario
  • Use these power-user SRPs to import wallets with many accounts and tokens
• I've instrumented key operations with Sentry traces for production performance metrics
  • See trace() for usage and addToken for an example

For performance guidelines and tooling, see the Performance Guide.

Pre-merge reviewer checklist

• I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
• I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

---

Note

Low Risk
Low risk: adds a small runtime type guard and a focused test to ensure useTokenSecurityData falls back to fetching when prefetched security data is malformed.

Overview
Fixes Token Details security UI missing when navigating from Swap/Bridge by validating prefetchedData at runtime in useTokenSecurityData (requires resultType string and features array) and treating invalid shapes as absent so the hook fetches via fetchTokenAssets.

Adds a regression test covering the Bridge-style wrong-shaped data to ensure the hook ignores it and fetches correct security data instead.

^{Reviewed by Cursor Bugbot for commit 2e9c4c8. Bugbot is set up for automated code reviews on this repo. Configure here.}

[github-actions]

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

[github-actions]

🔍 Smart E2E Test Selection

• Selected E2E tags: None (no tests recommended)
• Selected Performance tags: None (no tests recommended)
• Risk Level: low
• AI Confidence: 95%

click to see 🤖 AI reasoning details

E2E Test Selection:
The changes are limited to two files: useTokenSecurityData.ts (the hook implementation) and its test file. The fix adds a isValidTokenSecurityData validation guard to handle cases where prefetchedData has an incorrect shape (e.g., Bridge SecurityData { type: "Verified" } vs expected { resultType: string, features: array[] }). When invalid data is detected, the hook falls back to fetching fresh data.

This is a pure unit-level bug fix:

1. Only one consumer exists: TokenDetails.tsx (a detail view component)
2. No E2E test suite covers token security data validation specifically
3. The fix is defensive/additive - it improves robustness without changing the happy path
4. No core flows (swap, send, confirmations, accounts, network) are affected
5. The change is fully covered by the new unit test added in the same PR

No E2E tags are warranted for this isolated hook fix.

Performance Test Selection:
The change adds a simple validation check (isValidTokenSecurityData) that runs once when the hook initializes. This has negligible performance impact - it's a few property type checks on an object. No performance tests are needed.

View GitHub Actions results

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud