web icon indicating copy to clipboard operation
web copied to clipboard
verified publisher icon shapeshift

Automatically detect and display balances for ERC20 assets in a users’ wallet

Open willyogo opened this issue 4 years ago • 14 comments

As a user, I want to be able to see and interact with any ERC20 token in my wallet, regardless of whether or not it is in the app's asset list.

AC:

  1. If a user has an ERC20 balance in their wallet, the app reads the token symbol, name, and precision from the contract and displays the asset and balance in all asset lists throughout the app
  2. Users can see the asset and balance throughout the app (dashboard, asset page, asset dropdown in trade menu, asset in accounts)
  3. Users can send, receive, and trade the asset

willyogo avatar Feb 07 '22 17:02 willyogo

very closely related to https://github.com/shapeshift/web/issues/960

0xdef1cafe avatar Feb 11 '22 22:02 0xdef1cafe

This will be a bit tricky, since we don't have an automated way to tell if a token's contract is safe to interact with and we can't in general trust a token's reported name and symbol. We'll have to do some thinking about the possible attack vectors and how to mitigate them.

mrnerdhair avatar Mar 21 '22 00:03 mrnerdhair

Potential solution, lmk what you think @mrnerdhair :

We add a caution icon with a tooltip for tokens that aren't included in the CoinGecko/asset list that explains that the user should use caution when interacting the token.

Re: depending on symbols and names from contracts: I've never seen a token that doesn't have a name/symbol and feel comfortable displaying whatever is in the contract, but if there is a chance that a contract doesn't have a name and/or symbol (wouldn't this break the erc20 standard) we could always just show N/A or Unknown.

Lmk what you think of these solutions and I can run them past product and then get a mock-up for the caution icon and tooltip

willyogo avatar Mar 21 '22 01:03 willyogo

I'm less worried about missing symbols/names than malicious ones: i.e. a token might name itself "USDC" and "airdrop" itself to someone's wallet as a phishing scheme.

I expect that A UX solution (of which a caution icon might be a part) is probably part of the appropriate mitigation here. I'll need to do some thinking about what sort of risks are involved and how we can warn users of them appropriately.

I do hold out hope that we might be able to find some sort of useful technical mitigation, though no silver bullet occurs to me at the moment.

mrnerdhair avatar Mar 21 '22 01:03 mrnerdhair

Ah I see what you're saying re: symbols. I think as long as we have the caution icon & message throughout the app, we can display whatever symbol/name is in the contract, but would love your input on the tooltip copy.

here is a rough draft:

⚠️ Unknown Token Alert

This token was detected in your wallet, but is not on the CoinGecko token list used to filter unknown assets.

Anyone can create a token and transfer it to your wallet. Before interacting with any token, make sure to research the token, ensure it is the correct token that you wish to interact with, and proceed at your own risk.

ShapeShift makes no representation about the quality, nature, or legal categorization of any tokens.

willyogo avatar Mar 21 '22 21:03 willyogo

@cjthompson - to discuss making the asset service dynamic

0xean avatar Mar 25 '22 20:03 0xean

Been thinking about this a bit more. I think that automatically-detected tokens are more likely to be risky than manually-imported ones, but they shouldn't be considered second-class citizens in the UI just because we detected them. I think the appropriate UX solution might be to ask the user if they want to add the automatically-detected token to their asset list, after which we'd handle it in the same fashion as any other manually-imported token. That way we could show a relatively scary warning, but only once, and after that just have the usual lower-impact warning associated with manually-imported tokens.

mrnerdhair avatar Mar 29 '22 17:03 mrnerdhair

Screen_Shot_2022-04-18_at_12 57 00_PM

DiggyDiggy2 avatar Apr 18 '22 17:04 DiggyDiggy2

If there's multiple we'll show a little counter at the top (1 of 2) for example. When the user takes an action (import or dont import) please move them to the next token to review

DiggyDiggy2 avatar Apr 18 '22 17:04 DiggyDiggy2

@willyogo do you have a wallet with tokens that aren't supported by the app that we can test this on - or able to send a tiny amount to an engineer?

0xdef1cafe avatar Apr 18 '22 23:04 0xdef1cafe

@0xdef1cafe apologies for not seeing this sooner, are you able to connect willywonka.eth or 0x05A1ff0a32bc24265BCB39499d0c5D9A6cb2011c ? if not, lmk an address to send to and I'll send an unsupported ERC20

willyogo avatar May 02 '22 17:05 willyogo

@willyogo 0xA44C286BA83Bb771cd0107B2c1Df678435Bd1535 send some shitcoins plz

0xdef1cafe avatar May 18 '22 19:05 0xdef1cafe

@willyogo bump on above for shitcoins plz

0xdef1cafe avatar Aug 03 '22 19:08 0xdef1cafe

thanks for ping and sorry i missed the first tag!

Just sent 2 tokens that aren't in the coingecko list:

  1. DomainDAO (no liquidity on DEXs) https://etherscan.io/tx/0xc4109ec8d6e48b78da5a5c24c9c72e12549ebc713149f8712ea5fae701f0d41a
  2. Gem (some liquidity on DEXs; should at least be able to trade ETH for it) https://etherscan.io/tx/0x0ae967c3f873e6a89a1de4111f6106b4356da74355de89511effe473d886b81d

willyogo avatar Aug 03 '22 19:08 willyogo

closing as stale and not a user request

0xdef1cafe avatar May 02 '23 22:05 0xdef1cafe