Conversation
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
| "0xfa05A73FfE78ef8f1a739473e462c54bae6567D9": {}, | ||
| "0xfeF4185594457050cC9c23980d301908FE057Bb1": {}, | ||
| "0xfec0cF7fE078a500abf15F1284958F22049c2C7e": {}, | ||
| "0xff56Cc6b1E6dEd347aA0B7676C85AB0B3D08B0FA": {} |
There was a problem hiding this comment.
All existing token metadata deleted from contract map
High Severity
Every existing token entry in contract-map.json has been replaced with an empty object {}, wiping out all name, logo, erc20, symbol, and decimals fields for hundreds of tokens (USDC, WETH, DAI, USDT, LINK, UNI, etc.). This file is the main export of the package via index.js, so any consumer relying on token metadata will receive empty objects for every token. This is a catastrophic data loss affecting all existing token entries, not just the new FUSDT addition.
| "0x40FD72257597aA14C7231A7B1aaa29Fce868F677": {}, | ||
| "0x4116f14b6d462B32a1C10F98049E4B1765e34FA9": {}, | ||
| "0x419D0d8BdD9aF5e606Ae2232ed285Aff190E711b": {}, | ||
| "0x419eca43db68e868e68d1ab460c8ac32523c7540": {}, |
There was a problem hiding this comment.
New FUSDT token entry contains no metadata
High Severity
The newly added FUSDT entry at 0x419eca43db68e868e68d1ab460c8ac32523c7540 is an empty object {}. Per the PR description, it needs name, decimals: 18, symbol, erc20: true, and logo fields — none of which are present. Additionally, the address uses non-checksum casing while all other entries in this file use EIP-55 mixed-case checksums (the PR description itself shows the checksummed form 0x419ecA43dB68E868E68d1aB460c8AC32523c7540).
| "0x40FD72257597aA14C7231A7B1aaa29Fce868F677": {}, | ||
| "0x4116f14b6d462B32a1C10F98049E4B1765e34FA9": {}, | ||
| "0x419D0d8BdD9aF5e606Ae2232ed285Aff190E711b": {}, | ||
| "0x419eca43db68e868e68d1ab460c8ac32523c7540": {}, |
There was a problem hiding this comment.
Known scam token added to trusted MetaMask registry
High Severity
"Flash USDT" (FUSDT) is a well-documented cryptocurrency scam concept involving counterfeit tokens designed to impersonate legitimate Tether USDT. Adding this token to @metamask/contract-metadata — MetaMask's trusted token registry — would legitimize a fraudulent token for all MetaMask users. The README's own submission criteria require a "NEUTRAL" or "OK" Etherscan reputation and an official project website, which a scam token cannot satisfy. The logo URL in the PR description points to a GitHub repository, not an image file.
1 participant
Adding metadata for FUSDT (Flash USDT ERC20).
Note
High Risk
High risk because this change effectively deletes
name/symbol/decimals/logometadata for hundreds of contracts; any code or consumers relying on these fields may break or show missing token info.Overview
contract-map.jsonis drastically simplified: entries that previously contained full token/NFT metadata (name,symbol,decimals,logo,erc20/erc721, etc.) are replaced with empty objects keyed only by contract address.Adds the FUSDT contract address (
0x419eca43db68e868e68d1ab460c8ac32523c7540) to this address-only map, but does not include metadata for it (or any other token) in this file.Written by Cursor Bugbot for commit 7cbb4de. This will update automatically on new commits. Configure here.