chore: add blockaid filter logic for spl tokens #7923

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged

sahar-fehri merged 13 commits into main from fix/add-blockaid-filter-for-spl-tokens

Feb 16, 2026

packages/assets-controllers/CHANGELOG.md

-Original file line number
+Diff line change
@@ Expand Up @@
     ### Added
+    - **BREAKING:** `MultichainAssetsControllerMessenger` now requires the `PhishingController:bulkScanTokens` action to be allowed ([#7923](https://github.com/MetaMask/core/pull/7923))
+      - Consumers constructing the messenger must include this action in the allowed actions list
+    - Add Blockaid token security scanning to `MultichainAssetsController` to filter out spam, malicious, and warning tokens during automatic asset detection ([#7923](https://github.com/MetaMask/core/pull/7923))
+      - Tokens with `assetNamespace` of "token" (e.g. SPL tokens) are scanned via the `PhishingController:bulkScanTokens` messenger action
+      - Only tokens with a `Benign` result are kept; native assets (e.g. `slip44`) are not scanned
+      - The filter fails open: if the scan is unreachable or returns an error, all tokens are kept
+      - Filtering applies to account-added and asset-list-updated events; `addAssets` (curated list) is not filtered
+      - Token addresses are batched into groups of 100 to stay within the `bulkScanTokens` per-request limit
     - `CodefiTokenPricesServiceV2` now supports fetching prices of ETH on Ink Mainnet (chain `0xdef1`) ([#7688](https://github.com/MetaMask/core/pull/7688))
     ## [99.3.2]
@@ Expand Down @@

Provide feedback