fix: skip Blockaid validation for token transfers between internal accounts

[vinistevam]

Description

This PR updates the transaction validation logic to bypass Blockaid security checks when transferring assets between internal accounts. This ensures that the Security Alerts API is not called unnecessarily for trusted self token transfers.

Changelog

CHANGELOG entry: Fixed an issue where Blockaid validation was unnecessarily triggered for transfers between internal accounts

Related issues

Fixes: https://github.com/MetaMask/MetaMask-planning/issues/6357

Manual testing steps

1. Perform a token (USDC) transfer using an internal account
2. Open chrome dev tools > network
3. Should not call Security Alerts API

Screenshots/Recordings

security.webm

Before

After

Pre-merge author checklist

• I've followed MetaMask Contributor Docs and MetaMask Extension Coding Standards.
• I've completed the PR template to the best of my ability
• I’ve included tests if applicable
• I’ve documented my code using JSDoc format if applicable
• I’ve applied the right labels on the PR (see labeling guidelines). Not required for external contributors.

Pre-merge reviewer checklist

• I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
• I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

---

Note

Skips PPOM validation for zero-value token transfers between internal accounts by extracting the recipient from transaction data, with supporting helpers and tests.

• Security validation (PPOM/Blockaid):
  • Skip PPOM validation when:
    • type is a token transfer (tokenMethodTransfer|TransferFrom|SafeTransferFrom), value is 0x0, and recipient is an internal account.
  • Parse transfer recipient from txParams.data via new getTransactionDataRecipient to detect self/internal transfers.
  • Add helpers: TRANSFER_TYPES, normalizeAddress, isInternalAccount and import getTransactionDataRecipient.
• Shared utils:
  • Add getTransactionDataRecipient(data) using parseStandardTokenTransactionData to extract _to/to address.
• Tests:
  • Add test to ensure PPOM is not called for zero-value transfers to self in app/scripts/lib/transaction/util.test.ts.
  • Add comprehensive tests for getTransactionDataRecipient and adjust Permit2 decoding expectations in shared/modules/transaction.utils.test.js.

^{Written by Cursor Bugbot for commit c67d928. This will update automatically on new commits. Configure here.}

[github-actions]

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

[metamaskbot]

✨ Files requiring CODEOWNER review ✨

✅ @MetaMask/confirmations (2 files, +71 -5)

• 📁 app/
  • 📁 scripts/
    • 📁 lib/
      • 📁 transaction/
        • 📄 util.test.ts +34 -0
        • 📄 util.ts +37 -5

[metamaskbot]

Builds ready [c67d928]

• builds: chrome, firefox
• builds (beta): chrome, firefox
• builds (flask): chrome, firefox
• builds (test): chrome, firefox
• builds (test-flask): chrome, firefox
• bundle size: Bundle Size Stats
• user-actions-benchmark: User Actions Stats
• storybook: Storybook
• typescript migration: Dashboard
• all artifacts
• bundle viz:

  • background: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9
  • common: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15
  • ui: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18
  • content-script: 0
  • offscreen: 0

UI Startup Metrics (1263 ± 138 ms)

Platform	BuildType	Page	Metric	Mean (ms)	Min (ms)	Max (ms)	Std Dev (ms)	P 75 (ms)	P 95 (ms)
Chrome	Browserify	Standard Home	uiStartup	1263	993	1733	138	1357	1469
			load	1056	861	1528	117	1133	1251
			domContentLoaded	1047	851	1517	114	1120	1239
			domInteractive	28	16	194	25	22	84
			firstPaint	636	85	1575	439	1086	1238
			backgroundConnect	210	182	265	15	221	236
			firstReactRender	29	18	66	10	32	51
			getState	38	14	136	23	41	107
			initialActions	1	0	5	1	1	3
			loadScripts	847	656	1313	112	923	1029
			setupStore	12	7	51	6	14	21
			numNetworkReqs	12	5	77	20	5	73
	Browserify	Power User Home	uiStartup	2051	1726	2654	204	2130	2441
			load	1028	887	1643	132	1031	1357
			domContentLoaded	1014	877	1624	131	1012	1338
			domInteractive	33	17	145	22	33	92
			firstPaint	604	100	1633	420	997	1375
			backgroundConnect	245	210	777	81	235	420
			firstReactRender	59	36	110	14	62	93
			getState	197	141	682	72	206	233
			initialActions	1	0	6	1	1	2
			loadScripts	801	671	1413	130	784	1128
			setupStore	20	9	54	8	25	39
			numNetworkReqs	159	66	396	63	208	268
	Webpack	Standard Home	uiStartup	836	702	1308	111	863	1044
			load	657	563	1143	109	686	879
			domContentLoaded	651	558	1135	108	679	873
			domInteractive	27	15	143	26	22	104
			firstPaint	252	73	846	195	205	745
			backgroundConnect	10	6	62	6	11	19
			firstReactRender	28	20	130	12	31	38
			getState	26	13	54	11	36	47
			initialActions	1	0	3	1	1	2
			loadScripts	648	556	1133	107	677	864
			setupStore	11	7	31	4	14	18
			numNetworkReqs	12	5	77	20	5	72
	Webpack	Power User Home	uiStartup	1482	1073	2048	195	1528	1930
			load	641	559	1117	97	644	860
			domContentLoaded	632	553	1106	96	632	850
			domInteractive	32	16	135	25	30	109
			firstPaint	303	94	1157	227	316	850
			backgroundConnect	40	7	554	112	16	437
			firstReactRender	56	42	85	8	60	73
			getState	181	145	755	59	185	204
			initialActions	1	0	3	1	1	2
			loadScripts	629	551	1093	95	629	848
			setupStore	17	8	58	10	18	48
			numNetworkReqs	161	68	384	61	212	292
Firefox	Browserify	Standard Home	uiStartup	1315	1096	1804	138	1392	1592
			load	1092	953	1343	90	1157	1255
			domContentLoaded	1092	953	1342	90	1156	1255
			domInteractive	58	30	136	26	83	110
			firstPaint	-	-	-	-	-	-
			backgroundConnect	50	21	193	34	67	109
			firstReactRender	22	18	34	3	23	26
			getState	14	7	140	21	10	46
			initialActions	1	0	3	1	2	2
			loadScripts	1059	940	1320	79	1118	1229
			setupStore	14	5	99	16	12	36
			numNetworkReqs	11	5	66	16	6	58
	Browserify	Power User Home	uiStartup	2634	1953	5037	580	2667	4214
			load	1246	981	2621	341	1235	2375
			domContentLoaded	1246	981	2621	341	1229	2375
			domInteractive	120	34	485	99	124	367
			firstPaint	-	-	-	-	-	-
			backgroundConnect	168	30	1252	223	147	696
			firstReactRender	57	33	255	24	59	88
			getState	297	73	1114	251	361	812
			initialActions	2	0	7	1	2	3
			loadScripts	1178	964	2328	240	1180	1536
			setupStore	159	6	819	206	155	684
			numNetworkReqs	92	60	239	43	95	227
	Webpack	Standard Home	uiStartup	1516	1292	2057	142	1602	1800
			load	1249	1064	1595	109	1318	1442
			domContentLoaded	1249	1064	1595	109	1316	1442
			domInteractive	60	27	143	34	81	133
			firstPaint	-	-	-	-	-	-
			backgroundConnect	47	21	153	27	51	120
			firstReactRender	26	19	71	9	28	39
			getState	13	6	82	9	13	27
			initialActions	1	0	4	1	2	3
			loadScripts	1223	1047	1577	103	1291	1401
			setupStore	16	7	195	21	14	36
			numNetworkReqs	12	5	72	17	7	62
	Webpack	Power User Home	uiStartup	3041	2249	5336	810	3010	4905
			load	1530	1141	2980	452	1581	2757
			domContentLoaded	1530	1140	2980	453	1581	2756
			domInteractive	106	29	410	91	107	370
			firstPaint	-	-	-	-	-	-
			backgroundConnect	212	32	1256	292	171	1117
			firstReactRender	65	37	211	30	62	135
			getState	296	66	990	240	442	796
			initialActions	2	0	8	1	2	3
			loadScripts	1421	1114	2813	295	1538	1997
			setupStore	132	7	1158	204	97	600
			numNetworkReqs	92	56	238	38	106	177

📊 Page Load Benchmark Results

Current Commit: c67d928 | Date: 12/3/2025

📄 Localhost MetaMask Test Dapp

Samples: 100

Summary

• pageLoadTime-> current mean value: 1.03s (±42ms) 🟡 | historical mean value: 1.04s ⬇️ (historical data)
• domContentLoaded-> current mean value: 718ms (±38ms) 🟢 | historical mean value: 726ms ⬇️ (historical data)
• firstContentfulPaint-> current mean value: 75ms (±11ms) 🟢 | historical mean value: 79ms ⬇️ (historical data)

📈 Detailed Results

Metric	Mean	Std Dev	Min	Max	P95	P99
pageLoadTime	1.03s	42ms	1.01s	1.35s	1.06s	1.35s
domContentLoaded	718ms	38ms	698ms	1.01s	740ms	1.01s
firstPaint	75ms	11ms	60ms	168ms	84ms	168ms
firstContentfulPaint	75ms	11ms	60ms	168ms	84ms	168ms
largestContentfulPaint	0ms	0ms	0ms	0ms	0ms	0ms

Bundle size diffs [🚨 Warning! Bundle size has increased!]

• background: 868 Bytes (0.02%)
• ui: -542 Bytes (-0.01%)
• common: 198 Bytes (0%)