
Security: pre-broadcast tx confirmation review UI #200

@deepanshutr


Problem

data/txApi.js calls signAndBroadcast() directly from handleSubmit handlers across stake, vote, bridge, withdraw-rewards, and IBC-transfer flows. The user signs in the wallet extension (Keplr/Leap shows its own confirmation), but this app does not show the user a synthesized human-readable summary of what they're about to sign before the wallet popup appears.

If a stake form is rendering wrong (e.g. wrong validator address from a stale state, wrong amount due to the precision bug fixed in 148a57f, wrong recipient from a poisoned pool list), the user has only the wallet extension's protobuf-decoded view to catch it. Most users skim past that.

Proposed UI

A confirmation step between "Submit" and signAndBroadcast:

┌─ Review transaction ─────────────────┐
│ Action:    Delegate                  │
│ Amount:    1,234.5678 MNTL           │
│ To:        mantlevaloper1abc... (Foo)│
│ Fee:       0.002 MNTL                │
│ Memo:      (none)                    │
│                                      │
│   [ Cancel ]      [ Confirm ]        │
└──────────────────────────────────────┘

Built once and reused across:

  • views/StakedToken.js
  • views/Vesting.js
  • views/PolygonBridge.jsx, EthToPolygonBridge.js, MntlToGravityBridge.js, GravityToEthBridge.js, OsmosisToMntl.jsx
  • views/ConnectModal/Redirect.js (vote flow)
  • components/Rewards.jsx, components/Delegations.jsx

Why now

  • Defense-in-depth: extends the wallet-extension safety net into the wallet app itself.
  • Catches a whole class of bugs (wrong amount / wrong destination from a UI state bug) before signing, which is recoverable. After signing, user funds move and are gone.
  • The audit that produced feat(earn): Pool #690 liquidity incentive program card #198 found multiple state-mutation bugs that could have surfaced as a wrong-amount sign. A confirmation step would have caught them.

Acceptance

  • Single ConfirmTxModal component in components/
  • Used by every signAndBroadcast call site (no direct broadcast without it)
  • Shows: action label, amount + denom, recipient(s), fee, memo
  • "Confirm" triggers signing; "Cancel" returns to form

Followup to #198. Lift in difficulty: medium — UI work + threading through state machines.
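One way to build the review rows and the broadcast gate described above, as an added example that is not part of the issue or the project's code. The names summarizeTx, confirmThenBroadcast, askUser and broadcast are hypothetical, the umntl base denom with 6 decimals is an assumption, and messages are taken to be cosmjs-style { typeUrl, value } objects.

```javascript
// Added example; summarizeTx, confirmThenBroadcast, askUser, broadcast are hypothetical names.
const BASE_DENOM = "umntl"; // assumption: 10^6 umntl = 1 MNTL
const EXPONENT = 6;

// Format a base-unit integer string with string math only (no float rounding).
function formatCoin({ amount, denom }) {
  if (!/^\d+$/.test(amount)) throw new Error(`non-integer amount: ${amount}`);
  if (denom !== BASE_DENOM) return `${amount} ${denom}`; // unknown denom: show raw
  const padded = amount.padStart(EXPONENT + 1, "0");
  const whole = padded.slice(0, -EXPONENT).replace(/\B(?=(\d{3})+$)/g, ",");
  const frac = padded.slice(-EXPONENT).replace(/0+$/, "");
  return `${whole}${frac ? "." + frac : ""} MNTL`;
}

// One describer per message type the app is allowed to send (Map avoids prototype keys).
const DESCRIBERS = new Map([
  ["/cosmos.staking.v1beta1.MsgDelegate", (v) => ({
    action: "Delegate", amount: formatCoin(v.amount), to: v.validatorAddress })],
  ["/cosmos.distribution.v1beta1.MsgWithdrawDelegatorReward", (v) => ({
    action: "Withdraw rewards", amount: "(all pending)", to: v.validatorAddress })],
  ["/ibc.applications.transfer.v1.MsgTransfer", (v) => ({
    action: `IBC transfer via ${v.sourceChannel}`, amount: formatCoin(v.token), to: v.receiver })],
]);

// Build the review rows from the exact messages that will be signed, not from form state.
function summarizeTx(msgs, fee, memo) {
  if (!msgs.length) throw new Error("no messages to sign");
  const rows = msgs.map((m) => {
    const describe = DESCRIBERS.get(m.typeUrl);
    if (!describe) throw new Error(`refusing to sign unreviewable type ${m.typeUrl}`);
    return describe(m.value);
  });
  return { rows, fee: fee.amount.map((c) => formatCoin(c)).join(" + "), memo: memo || "(none)" };
}

// Gate: broadcast runs only after the user confirms the summary.
async function confirmThenBroadcast(msgs, fee, memo, askUser, broadcast) {
  const summary = summarizeTx(msgs, fee, memo); // throws before any wallet popup
  if (!(await askUser(summary))) return { cancelled: true };
  return broadcast(msgs, fee, memo); // the same objects that were summarized
}

// Constructed sample input (addresses are placeholders, not real accounts).
const sampleMsgs = [{ typeUrl: "/cosmos.staking.v1beta1.MsgDelegate", value: {
  delegatorAddress: "mantle1constructed", validatorAddress: "mantlevaloper1constructed",
  amount: { denom: "umntl", amount: "1234567800" } } }];
const sampleFee = { amount: [{ denom: "umntl", amount: "2000" }], gas: "200000" };
console.log(summarizeTx(sampleMsgs, sampleFee, ""));
```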
