Validate all Send Addresses against stellar.expert's list of malicious/unsafe addresses

package.json

@@ -42,6 +42,10 @@
     "trezor-connect": "^8.1.16",
     "typescript": "~4.0.5"
   },
+  "resolutions": {
+    "**/@typescript-eslint/eslint-plugin": "^4.1.1",
+    "**/@typescript-eslint/parser": "^4.1.1"
+  },
   "scripts": {
     "install-if-package-changed": "git diff-tree -r --name-only --no-commit-id ORIG_HEAD HEAD | grep --quiet yarn.lock && yarn install || exit 0",
     "start": "react-scripts start",

src/components/SendTransaction/CreateTransaction.tsx

@@ -21,6 +21,7 @@ import { getNetworkConfig } from "helpers/getNetworkConfig";
 import { lumensFromStroops } from "helpers/stroopConversion";
 import { logEvent } from "helpers/tracking";
 import { useRedux } from "hooks/useRedux";
+import { useFlaggedAccounts } from "hooks/useUnsafeAccounts";
 import {
   ActionStatus,
   NetworkCongestion,
@@ -147,6 +148,9 @@ export const CreateTransaction = ({
     initialFormData.isAccountFunded,
   );
 
+  const [isAccountUnsafe, setIsAccountUnsafe] = useState(false);
+  const [isAccountMalicious, setIsisAccountMalicious] = useState(false);
+
   const knownAccount =
     knownAccounts[toAccountId] || knownAccounts[federationAddress || ""];
   const [prevAddress, setPrevAddress] = useState(
@@ -251,6 +255,19 @@ export const CreateTransaction = ({
     }
   };
 
+  const { flaggedAccounts } = useFlaggedAccounts();
+
+  const checkIfAccountIsFlagged = (accountId: string) => {
+    const flaggedAccountData = flaggedAccounts.find(
+      ({ address }: { address: string }) => address === accountId,
+    );
+    if (flaggedAccountData?.tags) {
+      const { tags } = flaggedAccountData;
+      setIsAccountUnsafe(tags.includes("unsafe"));
+      setIsisAccountMalicious(tags.includes("malicious"));
+    }
+  };
+
   const checkAndSetIsAccountFunded = async (accountId: string) => {
     if (!accountId || !StrKey.isValidEd25519PublicKey(accountId)) {
       setIsAccountFunded(true);
@@ -288,6 +305,9 @@ export const CreateTransaction = ({
         ) {
           message =
             'Stellar address or public key is invalid. Public keys are uppercase and begin with letter "G."';
+        } else if (isAccountMalicious) {
+          message =
+            "This account has been flagged as being potentially malicious.";
         }
 
         errors[SendFormIds.SEND_TO] = message;
@@ -445,6 +465,8 @@ export const CreateTransaction = ({
 
             setToAccountId(e.target.value);
 
+            checkIfAccountIsFlagged(e.target.value);
+
             if (federationAddressFetchStatus) {
               setFederationAddressFetchStatus(null);
             }
@@ -515,6 +537,14 @@ export const CreateTransaction = ({
         </RowEl>
       )}
 
+      {isAccountUnsafe && (
+        <RowEl>
+          <InfoBlock variant={InfoBlockVariant.error}>
+            <p>This account has been flagged as being potentially unsafe.</p>
+          </InfoBlock>
+        </RowEl>
+      )}
+
       <RowEl>
         <CellEl>
           <Input

src/constants/settings.ts

@@ -3,6 +3,7 @@ import StellarSdk from "stellar-sdk";
 export const TX_HISTORY_LIMIT = 100;
 export const TX_HISTORY_MIN_AMOUNT = 0.5;
 export const RESET_STORE_ACTION_TYPE = "RESET";
+export const FLAGGED_ACCOUNT_STORAGE_ID = "flaggedAcounts";
 
 interface NetworkItemConfig {
   url: string;

src/helpers/getFlaggedAccounts.ts

@@ -0,0 +1,25 @@
+const UNSAFE_ACCOUNTS_URL =
+  "https://api.stellar.expert/explorer/directory?limit=20000000&tag[]=malicious&tag[]=unsafe";
+// setting limit very high as there doesn't appear to be a better way to get all entries from API
+
+const RESPONSE_TIMEOUT = 5000;
+// if API doesn't respond in this amount of time, we'll cancel the request
+
+export const getFlaggedAccounts = async () => {
+  const controller = new AbortController();
+  const timeoutId = setTimeout(() => controller.abort(), RESPONSE_TIMEOUT);
+
+  const flaggedAccountsRes = await fetch(UNSAFE_ACCOUNTS_URL, {
+    signal: controller.signal,
+  });
+  clearTimeout(timeoutId);
+  const flaggedAccountsJson = await flaggedAccountsRes.json();
+
+  const {
+    _embedded: { records: unsafeAccountsData },
+  } = flaggedAccountsJson;
+
+  return unsafeAccountsData.map(
+    ({ address, tags }: { address: string; tags: [] }) => ({ address, tags }),
+  );
+};

src/hooks/useUnsafeAccounts.ts

@@ -0,0 +1,39 @@
+// @ts-nocheck
+import { useEffect, useState } from "react";
+import { FLAGGED_ACCOUNT_STORAGE_ID } from "constants/settings";
+
+import { getFlaggedAccounts } from "helpers/getFlaggedAccounts";
+
+interface FlaggedAccount {
+  address: string;
+  tags: [string];
+}
+
+interface FlaggedAccounts extends Array<FlaggedAccount> {}
+
+export const useFlaggedAccounts = () => {
+  const [flaggedAccounts, setFlaggedAccounts] = useState<FlaggedAccounts>([
+    { address: "", tags: [] },
+  ]);
+
+  useEffect(() => {
+    const fetchFlaggedAccounts = async () => {
+      let accounts;
+
+      try {
+        accounts = await getFlaggedAccounts();
+      } catch (e) {
+        accounts =
+          JSON.parse(localStorage.getItem(FLAGGED_ACCOUNT_STORAGE_ID)) || [];
+      }
+      setFlaggedAccounts(accounts);
+      localStorage.setItem(
+        FLAGGED_ACCOUNT_STORAGE_ID,
+        JSON.stringify(accounts),
+      );
+    };
+    fetchFlaggedAccounts();
+  }, []);
+
+  return { flaggedAccounts };
+};