[Bug]: wallet_addEthereumChain adds new default RPC URL without confirmation

[christopherferreira9]

Describe the bug

Following extension, when wallet_addEthereumChain is called for an existing chain, before the active chain switches the user is presented with a confirmation screen warning that a different RPC url is going to be added.
Without this confirmation screen we might be bumping into a phishing potential (see MetaMask/metamask-extension#16712) .

Expected behavior

The user is presented with a confirmation screen warning the user that a new RPC url for the chain he's trying to add is going to be added to the RPC list and this will turn into the default active RPC.

Screenshots/Recordings

overridingrpcurl.mov

Steps to reproduce

1. Add Polygon in MetaMask and switch back to Mainnet
2. Open this dapp on the inapp browser
3. Tap request accounts and connect while having Mainnet as the active chain
4. Tap AddEthereumChain
5. Go to the list of chains in the wallet and verify the list of RPC urls under the Polygon

Error messages or log output

Detection stage

In production (default)

Version

7.38.0

Build type

None

Device

iPhone 11

Operating system

iOS, Android

Additional context

Call being made under the AddEthereumChain button:

{
  method: 'wallet_addEthereumChain',
  params: [{
    chainId: '0x89',
    chainName: 'Polygon',
    blockExplorerUrls: ['https://polygonscan.com'],  // notice that this RPC url is different than the one preloaded in MetaMask
    nativeCurrency: { symbol: 'POL', decimals: 18 },
    rpcUrls: ['https://polygon-rpc.com/'],
  }]
}

Severity

No response