[Vulnerability 005] - fix: solve Cached ENS Lookup in UI

Author: lucasgabrielgsp

source/pages/Home/Panel/components/Transactions/EVM/EvmDetailsEnhanced.tsx

@@ -14,7 +14,10 @@ import { useTransactionsListConfig, useUtils } from 'hooks/index';
 import { useController } from 'hooks/useController';
 import type { IEvmTransactionResponse } from 'scripts/Background/controllers/transactions/types';
 import { RootState } from 'state/store';
-import { selectActiveAccount } from 'state/vault/selectors';
+import {
+  selectActiveAccount,
+  selectValidEnsCache,
+} from 'state/vault/selectors';
 import { IDecodedTx } from 'types/transactions';
 import { formatMethodName } from 'utils/commonMethodSignatures';
 import { camelCaseToText } from 'utils/index';
@@ -37,9 +40,8 @@ export const EvmTransactionDetailsEnhanced = ({
   tx: IEvmTransactionResponse;
 }) => {
   const { controllerEmitter } = useController();
-  const ensCache = useSelector(
-    (state: RootState) => state.vaultGlobal.ensCache
-  );
+  // Use valid (non-expired) ENS cache for security
+  const ensCache = useSelector(selectValidEnsCache);
   const {
     activeNetwork: { chainId, currency, apiUrl },
   } = useSelector((state: RootState) => state.vault);

source/pages/Send/Confirm.tsx

@@ -25,7 +25,10 @@ import { useUtils, usePrice } from 'hooks/index';
 import { useController } from 'hooks/useController';
 import { useEIP1559 } from 'hooks/useEIP1559';
 import { RootState } from 'state/store';
-import { selectEnsNameToAddress } from 'state/vault/selectors';
+import {
+  selectEnsNameToAddress,
+  selectValidEnsCache,
+} from 'state/vault/selectors';
 import { INetworkType } from 'types/network';
 import { handleTransactionError } from 'utils/errorHandling';
 import { formatGweiValue } from 'utils/formatSyscoinValue';
@@ -61,9 +64,8 @@ export const SendConfirm = () => {
   );
   const { fiat } = useSelector((state: RootState) => state.price);
   const activeAccount = accounts[activeAccountMeta.type][activeAccountMeta.id];
-  const ensCache = useSelector(
-    (state: RootState) => state.vaultGlobal.ensCache
-  );
+  // Use valid (non-expired) ENS cache for security
+  const ensCache = useSelector(selectValidEnsCache);
   // when using the default routing, state will have the tx data
   // when using createPopup (DApps), the data comes from route params
   const location = useLocation();

source/pages/Send/SendEth.tsx

@@ -21,8 +21,11 @@ import { useUtils } from 'hooks/index';
 import { useAdjustedExplorer } from 'hooks/useAdjustedExplorer';
 import { useController } from 'hooks/useController';
 import { RootState } from 'state/store';
-import { selectEnsNameToAddress } from 'state/vault/selectors';
-import { selectActiveAccountWithAssets } from 'state/vault/selectors';
+import {
+  selectEnsNameToAddress,
+  selectActiveAccountWithAssets,
+  selectValidEnsCache,
+} from 'state/vault/selectors';
 import { ITokenEthProps } from 'types/tokens';
 import {
   getAssetBalance,
@@ -106,9 +109,8 @@ export const SendEth = () => {
   >([]);
 
   const accounts = useSelector((state: RootState) => state.vault.accounts);
-  const ensCache = useSelector(
-    (state: RootState) => state.vaultGlobal.ensCache
-  );
+  // Use valid (non-expired) ENS cache for security
+  const ensCache = useSelector(selectValidEnsCache);
   const ensNameToAddress = useSelector(selectEnsNameToAddress);
   const vaultActiveAccount = useSelector(
     (state: RootState) => state.vault.activeAccount

source/pages/Send/components/TransactionDetails.tsx

@@ -12,6 +12,7 @@ import { Tooltip } from 'components/Tooltip';
 import { useController } from 'hooks/useController';
 import { useUtils } from 'hooks/useUtils';
 import { RootState } from 'state/store';
+import { selectValidEnsCache } from 'state/vault/selectors';
 import { IBlacklistCheckResult } from 'types/security';
 import {
   ICustomFeeParams,
@@ -64,7 +65,8 @@ export const TransactionDetailsComponent = (
     (state: RootState) => state.vault.activeNetwork
   );
   // Prefer rendering ENS name when available in cache for destination
-  const ensCache = useReduxSelector((s: RootState) => s.vaultGlobal.ensCache);
+  // Use valid (non-expired) ENS cache for security
+  const ensCache = useReduxSelector(selectValidEnsCache);
 
   // Helper function to get appropriate copy message based on field type
   const getCopyMessage = (fieldType: 'address' | 'hash' | 'other') => {

source/state/vault/selectors.ts

@@ -1,6 +1,7 @@
 import { createSelector } from '@reduxjs/toolkit';
 
 import { RootState } from 'state/store';
+import { ENS_CACHE_TTL_MS } from 'state/vaultGlobal';
 
 import { IAccountAssets, IAccountTransactions } from './types';
 
@@ -85,17 +86,50 @@ export const selectActiveAccountAndVaultData = createSelector(
   (account, assets, vaultData) => ({ account, assets, ...vaultData })
 );
 
-// ENS selectors
+// ENS selectors with TTL expiration support
 export const selectEnsCache = (state: RootState) => state.vaultGlobal.ensCache;
 
-// Derived map: nameLower -> addressLower, built once and memoized
-export const selectEnsNameToAddress = createSelector(
+/**
+ * Helper to check if an ENS cache entry is still valid (not expired)
+ * @param entry - The cache entry with timestamp
+ * @param now - Current timestamp (defaults to Date.now())
+ * @returns true if the entry is still valid
+ */
+export const isEnsCacheEntryValid = (
+  entry: { name: string; timestamp: number },
+  now: number = Date.now()
+): boolean => now - entry.timestamp < ENS_CACHE_TTL_MS;
+
+/**
+ * Selector that returns only non-expired ENS cache entries
+ * This ensures stale ENS lookups are not used for security
+ */
+export const selectValidEnsCache = createSelector(
   [selectEnsCache],
   (ensCache) => {
+    if (!ensCache) return {};
+    const now = Date.now();
+    const validCache: typeof ensCache = {};
+
+    for (const [addrLower, entry] of Object.entries(ensCache)) {
+      if (isEnsCacheEntryValid(entry, now)) {
+        validCache[addrLower] = entry;
+      }
+    }
+
+    return validCache;
+  }
+);
+
+// Derived map: nameLower -> addressLower, built once and memoized
+// Only includes non-expired entries for security
+export const selectEnsNameToAddress = createSelector(
+  [selectValidEnsCache],
+  (validEnsCache) => {
     const map: Record<string, string> = {};
-    if (!ensCache) return map;
+    if (!validEnsCache) return map;
     try {
-      for (const [addrLower, v] of Object.entries(ensCache as any)) {
+      for (const [addrLower, v] of Object.entries(validEnsCache as any)) {
         const nameLower = String((v as any)?.name || '').toLowerCase();
         if (nameLower) map[nameLower] = addrLower;
       }

source/state/vaultGlobal/index.ts

@@ -4,6 +4,10 @@ import { IGlobalState } from '../vault/types';
 import { INetwork, INetworkType } from 'types/network';
 import { PALI_NETWORKS_STATE } from 'utils/constants';
 
+// ENS cache TTL: 5 minutes (300,000 ms)
+// ENS names can change, so we don't cache them indefinitely for security
+export const ENS_CACHE_TTL_MS = 5 * 60 * 1000;
+
 const initialState: IGlobalState = {
   activeSlip44: null,
   advancedSettings: {
@@ -122,10 +126,42 @@ const vaultGlobalSlice = createSlice({
     ) {
       if (!state.ensCache) state.ensCache = {};
       const addressLower = action.payload.address.toLowerCase();
-      state.ensCache[addressLower] = {
+      const now = Date.now();
+
+      // Clean up expired entries while adding new one (opportunistic cleanup)
+      const cleanedCache: typeof state.ensCache = {};
+      for (const [addr, entry] of Object.entries(state.ensCache)) {
+        if (now - entry.timestamp < ENS_CACHE_TTL_MS) {
+          cleanedCache[addr] = entry;
+        }
+      }
+
+      // Add the new entry
+      cleanedCache[addressLower] = {
         name: action.payload.name,
-        timestamp: Date.now(),
+        timestamp: now,
       };
+
+      state.ensCache = cleanedCache;
+    },
+    clearExpiredEnsCache(state: IGlobalState) {
+      // Clear all expired ENS cache entries
+      if (!state.ensCache) return;
+
+      const now = Date.now();
+      const cleanedCache: typeof state.ensCache = {};
+
+      for (const [addr, entry] of Object.entries(state.ensCache)) {
+        if (now - entry.timestamp < ENS_CACHE_TTL_MS) {
+          cleanedCache[addr] = entry;
+        }
+      }
+
+      state.ensCache = cleanedCache;
+    },
+    clearAllEnsCache(state: IGlobalState) {
+      // Clear the entire ENS cache (useful for security-sensitive operations)
+      state.ensCache = {};
     },
     setIsSwitchingAccount(state: IGlobalState, action: PayloadAction<boolean>) {
       state.isSwitchingAccount = action.payload;
@@ -332,6 +368,8 @@ export const {
   resetNetworkQualityForNewNetwork,
   setPostNetworkSwitchLoading,
   setEnsName,
+  clearExpiredEnsCache,
+  clearAllEnsCache,
 } = vaultGlobalSlice.actions;
 
 export default vaultGlobalSlice.reducer;