fix: max mUSD conversion displays wrong value

[matthewwalsh0]

Description

Fixes the max mUSD conversion showing an inflated receive amount. Relay previously charged a fee and reimbursed it on the destination side; they have since stopped charging the fee, so our compensating adjustment now over-reports the received value.

Bumps @metamask/transaction-pay-controller from ^19.1.1 to ^19.2.1, which stops double-counting the subsidised fee in Relay quote target amounts, and patches the installed package to rename the Relay gasless feature flag from executeEnabled to gaslessEnabled so older, known-broken versions cannot be re-enabled by the flag (which predates per-version gating).

Changelog

CHANGELOG entry: Fixed max mUSD conversion displaying an inflated receive amount.

Related issues

Fixes: #29173

Manual testing steps

Feature: Max mUSD conversion displays correct value

  Scenario: user converts max USDC to mUSD
    Given a 7.74 build with this patch installed
    And the user holds some USDC
    When the user taps max on the mUSD conversion screen
    Then the displayed mUSD receive amount matches the USDC balance (no inflation)

Screenshots/Recordings

Before

After

Pre-merge author checklist

• I've followed MetaMask Contributor Docs and MetaMask Mobile Coding Standards.
• I've completed the PR template to the best of my ability
• I've included tests if applicable
• I've documented my code using JSDoc format if applicable
• I've applied the right labels on the PR (see labeling guidelines). Not required for external contributors.

Pre-merge reviewer checklist

• I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
• I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

---

Note

Medium Risk
Updates core transaction/pay controller dependencies and applies a patch that changes which remote feature flag enables Relay gasless execution, which could affect pay/quote flows if flag configuration or dependency behavior differs from expectations.

Overview
Fixes an inflated “max” conversion receive amount by bumping @metamask/transaction-pay-controller to ^19.2.1 (and aligning related controller versions via yarn.lock/resolutions).

Adds a patch to @metamask/transaction-pay-controller that switches the Relay enablement check from confirmations_pay.payStrategies.relay.executeEnabled to ...relay.gaslessEnabled, preventing older broken builds from being re-enabled by the previous flag name.

Separately removes the locally-defined MANTLE entry from NETWORK_CHAIN_ID in customNetworks.tsx (relying on CHAIN_IDS for it instead).

^{Reviewed by Cursor Bugbot for commit 67e50b9. Bugbot is set up for automated code reviews on this repo. Configure here.}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​@​metamask/​account-tree-controller@​7.0.0 ⏵ 7.1.0			+1
	npm/​@​metamask/​bridge-controller@​70.0.1 ⏵ 70.1.1			+1
	npm/​@​metamask/​transaction-pay-controller@​19.1.1 ⏵ 19.2.1	+1		+1	+1
	npm/​@​metamask/​transaction-controller@​64.2.0 ⏵ 64.3.0	+4		+1	+1

View full report

[socket-security]

Warning

MetaMask internal reviewing guidelines:

• Do not ignore-all
• Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
• Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
  @SocketSecurity ignore npm/PACKAGE@VERSION

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Potential code anomaly (AI signal): npm @metamask/transaction-controller is 75.0% likely to have a medium risk anomaly Notes: The code performs straightforward signature verification using ethers.js, returning true when the recovered signer matches the provided publicKey. While generally safe, the silent catch and potential mismatch between data formatting and signing process should be addressed to avoid silent failures. Overall, a benign utility with moderate input-format sensitivity. Confidence: 0.75 Severity: 0.50 From: package.json → npm/@metamask/transaction-controller@64.3.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@metamask/transaction-controller@64.3.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[github-actions]

🔍 Smart E2E Test Selection

⏭️ Smart E2E selection skipped - PR targets a release branch (release/*)

All E2E tests pre-selected.

View GitHub Actions results

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[chloeYue]

LGTM

[github-actions]

✅ E2E Fixture Validation — Schema is up to date
12 value mismatches detected (expected — fixture represents an existing user).
View details