fix: force timeout after 30s token detection (#7106)

## Explanation

### What is the current state and why does it need to change?

Currently, when `TokenDetectionController` uses the Accounts API to
detect tokens, API calls can hang indefinitely if the API is slow,
unresponsive, or experiencing network issues. This causes the entire
token detection process to freeze without any fallback mechanism,
resulting in a poor user experience where tokens are never detected.

### What is the solution and how does it work?

This PR adds 30-second timeout protection for Accounts API calls in
`TokenDetectionController`:

- Added `ACCOUNTS_API_TIMEOUT_MS` constant (30000ms) to define the
timeout threshold

- Wrapped Accounts API calls with `Promise.race()` between the actual
API call and a timeout promise

- When timeout occurs, the promise rejects and is caught, triggering an
automatic fallback to RPC-based token detection

- Properly cleans up the timeout in a `finally` block to prevent memory
leaks

- Includes error logging for debugging timeout and failure events

The timeout mechanism ensures that:

1. If the API responds within 30 seconds, detection proceeds normally
via the API

2. If the API takes longer than 30 seconds, the timeout fires and RPC
detection takes over

3. Users always get token detection results, either via API or RPC
fallback

### Changes that might not be obvious

The timeout is implemented in the `#attemptAccountAPIDetection` private
method, which wraps the existing `#addDetectedTokensViaAPI` call. This
ensures the timeout protection applies to all Accounts API token
detection flows without requiring changes to the core detection logic.

## References

- Improves reliability of token detection by preventing indefinite hangs

- Ensures users always get token detection results through automatic RPC
fallback

- Related to ongoing work to improve Accounts API reliability and user
experience

## Checklist

- [x] I've updated the test suite for new or updated code as appropriate

- Added comprehensive timeout test using fake timers to simulate
30-second timeout scenario

- Test verifies that API is called, timeout triggers, RPC fallback
occurs, and tokens are successfully added

- [x] I've updated documentation (JSDoc, Markdown, etc.) for new or
updated code as appropriate

  - Added inline comments explaining timeout mechanism and cleanup

- [x] I've communicated my changes to consumers by updating changelogs
for packages I've changed, highlighting breaking changes as necessary

  - Updated `CHANGELOG.md` with timeout protection fix

- [x] I've prepared draft pull requests for clients and consumer
packages to resolve any breaking changes

- Not applicable: This is an internal improvement with no breaking
changes

## Technical Implementation Details

### Key Files Changed

1. **`TokenDetectionController.ts`**
   - Added `ACCOUNTS_API_TIMEOUT_MS` constant (30000ms)
- Modified `#attemptAccountAPIDetection` method to implement timeout
protection
   - Uses `Promise.race()` to race between API call and timeout promise
   - Includes proper cleanup in `finally` block to prevent memory leaks

2. **`TokenDetectionController.test.ts`**
- Added test case: `'should timeout and fallback to RPC when Accounts
API call takes longer than 30 seconds'`
   - Uses `sinon.useFakeTimers()` to simulate time advancement
- Verifies complete flow: API call → timeout → RPC fallback → token
addition

### Code Flow

```
detectTokens()
  ↓
#attemptAccountAPIDetection()
  ↓
Promise.race([
  #addDetectedTokensViaAPI() ← actual API call
  timeout promise (30s)      ← timeout protection
])
  ↓
Success → continue with API results
  ↓
Timeout/Failure → fallback to RPC detection
  ↓
finally → cleanup timeout
```

### Testing Strategy

The test uses fake timers to simulate the 30-second timeout without
actually waiting 30 seconds:

1. Mock API call to never resolve (simulates hanging request)
2. Start detection process
3. Advance fake timers by 30 seconds
4. Verify timeout triggered
5. Verify RPC fallback occurred
6. Verify tokens were successfully added

## Impact

### User Experience

- **Before**: Token detection could hang indefinitely, leaving users
without their tokens
- **After**: Token detection always completes within 30 seconds, with
automatic RPC fallback

### Performance

- No performance impact on successful API calls (they complete normally)
- Failed/slow API calls are cut off at 30 seconds instead of hanging
forever
- Memory leak prevention through proper timeout cleanup

### Reliability

- Significantly improves reliability of token detection
- Provides graceful degradation when Accounts API is experiencing issues
- Maintains existing functionality while adding safety net


<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Adds a 30s timeout to Accounts API token detection with RPC fallback,
and refactors balance fetchers to return `unprocessedChainIds` so
controllers can retry unsupported chains via RPC.
> 
> - **Token Detection (`TokenDetectionController`)**:
> - Add `ACCOUNTS_API_TIMEOUT_MS` (30s) and wrap API calls with
`safelyExecuteWithTimeout`; on timeout/failure, fall back to RPC.
> - Process Accounts API `unprocessedNetworks` and add those chains to
RPC detection.
> - **Balance Fetchers**:
> - Change `fetch()` to return `{ balances, unprocessedChainIds }` in
`AccountsApiBalanceFetcher` and `RpcBalanceFetcher`.
> - Convert Accounts API `unprocessedNetworks` (decimal) to hex
`unprocessedChainIds`; aggregate across batches.
> - For `AccountTracker` RPC fetcher wrapper, filter out staked entries
when `includeStakedAssets` is false while preserving
`unprocessedChainIds`.
> - **Controllers**:
> - Update `AccountTrackerController` and `TokenBalancesController` to
consume new fetcher result shape and re-queue `unprocessedChainIds` for
fallback fetchers.
> - **Tests & Misc**:
> - Update tests across fetchers/controllers for new return type and
timeout/fallback behavior; add coverage for missing currencies in
`CurrencyRateController` responses.
> - Update `CHANGELOG.md` to reflect timeout protection and unprocessed
network handling.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
7a813ba. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

Author: salimtb

packages/assets-controllers/CHANGELOG.md

@@ -7,6 +7,17 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Fixed
+
+- Add 30-second timeout protection for Accounts API calls in `TokenDetectionController` to prevent hanging requests ([#7106](https://github.com/MetaMask/core/pull/7106))
+  - Prevents token detection from hanging indefinitely on slow or unresponsive API requests
+  - Automatically falls back to RPC-based token detection when API call times out or fails
+  - Includes error logging for debugging timeout and failure events
+- Handle `unprocessedNetworks` from Accounts API responses to ensure complete token detection coverage ([#7106](https://github.com/MetaMask/core/pull/7106))
+  - When Accounts API returns networks it cannot process, those networks are automatically added to RPC detection
+  - Applies to both `TokenDetectionController` and `TokenBalancesController`
+  - Ensures all requested networks are processed even if API has partial support
+
 ## [88.0.0]
 
 ### Changed

packages/assets-controllers/src/AccountTrackerController.test.ts

@@ -594,6 +594,57 @@ describe('AccountTrackerController', () => {
           },
         );
       });
+
+      it('should create account entry when applying staked balance without native balance (line 743)', async () => {
+        // Mock returning staked balance for ADDRESS_1 and native balance for ADDRESS_2
+        // but NO native balance for ADDRESS_1 - this tests the defensive check on line 743
+        // Use lowercase addresses since queryAllAccounts: true uses lowercase
+        mockedGetTokenBalancesForMultipleAddresses.mockResolvedValueOnce({
+          tokenBalances: {
+            '0x0000000000000000000000000000000000000000': {
+              // Only ADDRESS_2 has native balance, ADDRESS_1 doesn't
+              [ADDRESS_2]: new BN('100', 16),
+            },
+          },
+          stakedBalances: {
+            // ADDRESS_1 has staked balance but no native balance
+            [ADDRESS_1]: new BN('2', 16), // 0x2
+            [ADDRESS_2]: new BN('3', 16), // 0x3
+          },
+        });
+
+        await withController(
+          {
+            options: {
+              includeStakedAssets: true,
+              getStakedBalanceForChain: mockGetStakedBalanceForChain,
+            },
+            isMultiAccountBalancesEnabled: true,
+            selectedAccount: ACCOUNT_1,
+            listAccounts: [ACCOUNT_1, ACCOUNT_2],
+          },
+          async ({ controller, refresh }) => {
+            await refresh(clock, ['mainnet'], true);
+
+            // Line 743 should have created an account entry with balance '0x0' for ADDRESS_1
+            // when applying staked balance without a native balance entry
+            expect(controller.state).toStrictEqual({
+              accountsByChainId: {
+                '0x1': {
+                  [CHECKSUM_ADDRESS_1]: {
+                    balance: '0x0', // Created by line 743 (defensive check)
+                    stakedBalance: '0x2',
+                  },
+                  [CHECKSUM_ADDRESS_2]: {
+                    balance: '0x100',
+                    stakedBalance: '0x3',
+                  },
+                },
+              },
+            });
+          },
+        );
+      });
     });
 
     describe('with networkClientId', () => {

packages/assets-controllers/src/AccountTrackerController.ts

@@ -91,14 +91,19 @@ function createAccountTrackerRpcBalanceFetcher(
     },
 
     async fetch(params) {
-      const balances = await rpcBalanceFetcher.fetch(params);
+      const result = await rpcBalanceFetcher.fetch(params);
 
       if (!includeStakedAssets) {
         // Filter out staked balances from the results
-        return balances.filter((balance) => balance.token === ZERO_ADDRESS);
+        return {
+          balances: result.balances.filter(
+            (balance) => balance.token === ZERO_ADDRESS,
+          ),
+          unprocessedChainIds: result.unprocessedChainIds,
+        };
       }
 
-      return balances;
+      return result;
     },
   };
 }
@@ -630,21 +635,38 @@ export class AccountTrackerController extends StaticIntervalPollingController<Ac
         }
 
         try {
-          const balances = await fetcher.fetch({
+          const result = await fetcher.fetch({
             chainIds: supportedChains,
             queryAllAccounts,
             selectedAccount,
             allAccounts,
           });
 
-          if (balances && balances.length > 0) {
-            aggregated.push(...balances);
+          if (result.balances && result.balances.length > 0) {
+            aggregated.push(...result.balances);
             // Remove chains that were successfully processed
-            const processedChains = new Set(balances.map((b) => b.chainId));
+            const processedChains = new Set(
+              result.balances.map((b) => b.chainId),
+            );
             remainingChains = remainingChains.filter(
               (chain) => !processedChains.has(chain),
             );
           }
+
+          // Add unprocessed chains back to remainingChains for next fetcher
+          if (
+            result.unprocessedChainIds &&
+            result.unprocessedChainIds.length > 0
+          ) {
+            // Only add chains that were originally requested and aren't already in remainingChains
+            const currentRemainingChains = remainingChains;
+            const chainsToAdd = result.unprocessedChainIds.filter(
+              (chainId) =>
+                supportedChains.includes(chainId) &&
+                !currentRemainingChains.includes(chainId),
+            );
+            remainingChains.push(...chainsToAdd);
+          }
         } catch (error) {
           console.warn(
             `Balance fetcher failed for chains ${supportedChains.join(', ')}: ${String(error)}`,

packages/assets-controllers/src/CurrencyRateController.test.ts

@@ -885,6 +885,100 @@ describe('CurrencyRateController', () => {
     controller.destroy();
   });
 
+  it('should set conversionDate to null when currency not found in price api response (lines 201-202)', async () => {
+    jest.spyOn(global.Date, 'now').mockImplementation(() => getStubbedDate());
+
+    const messenger = getCurrencyRateControllerMessenger();
+
+    const tokenPricesService = buildMockTokenPricesService();
+
+    // Mock price API response where BNB is not included
+    jest.spyOn(tokenPricesService, 'fetchExchangeRates').mockResolvedValue({
+      eth: {
+        name: 'Ether',
+        ticker: 'eth',
+        value: 1 / 1000,
+        usd: 1 / 3000,
+        currencyType: 'crypto',
+      },
+      // BNB is missing from the response
+    });
+
+    const controller = new CurrencyRateController({
+      messenger,
+      state: { currentCurrency: 'xyz' },
+      tokenPricesService,
+    });
+
+    await controller.updateExchangeRate(['ETH', 'BNB']);
+
+    const conversionDate = getStubbedDate() / 1000;
+    expect(controller.state).toStrictEqual({
+      currentCurrency: 'xyz',
+      currencyRates: {
+        ETH: {
+          conversionDate,
+          conversionRate: 1000,
+          usdConversionRate: 3000,
+        },
+        BNB: {
+          conversionDate: null, // Line 201: rate === undefined
+          conversionRate: null, // Line 202
+          usdConversionRate: null,
+        },
+      },
+    });
+
+    controller.destroy();
+  });
+
+  it('should set conversionDate to null when currency not found in crypto compare response (lines 231-232)', async () => {
+    jest.spyOn(global.Date, 'now').mockImplementation(() => getStubbedDate());
+    const cryptoCompareHost = 'https://min-api.cryptocompare.com';
+    nock(cryptoCompareHost)
+      .get('/data/pricemulti?fsyms=ETH,BNB&tsyms=xyz')
+      .reply(200, {
+        ETH: { XYZ: 4000.42 },
+        // BNB is missing from the response
+      })
+      .persist();
+
+    const messenger = getCurrencyRateControllerMessenger();
+    const tokenPricesService = buildMockTokenPricesService();
+
+    // Make price API fail so it falls back to CryptoCompare
+    jest
+      .spyOn(tokenPricesService, 'fetchExchangeRates')
+      .mockRejectedValue(new Error('Failed to fetch'));
+
+    const controller = new CurrencyRateController({
+      messenger,
+      state: { currentCurrency: 'xyz' },
+      tokenPricesService,
+    });
+
+    await controller.updateExchangeRate(['ETH', 'BNB']);
+
+    const conversionDate = getStubbedDate() / 1000;
+    expect(controller.state).toStrictEqual({
+      currentCurrency: 'xyz',
+      currencyRates: {
+        ETH: {
+          conversionDate,
+          conversionRate: 4000.42,
+          usdConversionRate: null,
+        },
+        BNB: {
+          conversionDate: null, // Line 231: rate === undefined
+          conversionRate: null, // Line 232
+          usdConversionRate: null,
+        },
+      },
+    });
+
+    controller.destroy();
+  });
+
   describe('useExternalServices', () => {
     it('should not fetch exchange rates when useExternalServices is false', async () => {
       const fetchMultiExchangeRateStub = jest.fn();

packages/assets-controllers/src/TokenBalancesController.test.ts

@@ -1459,7 +1459,7 @@ describe('TokenBalancesController', () => {
 
       // Mock the RPC balance fetcher's fetch method to verify the parameter
       const mockRpcFetch = jest.spyOn(RpcBalanceFetcher.prototype, 'fetch');
-      mockRpcFetch.mockResolvedValueOnce([]);
+      mockRpcFetch.mockResolvedValueOnce({ balances: [] });
 
       const { controller } = setupController({
         config: {
@@ -1771,7 +1771,7 @@ describe('TokenBalancesController', () => {
     // Mock empty aggregated results
     const mockFetcher = {
       supports: jest.fn().mockReturnValue(true),
-      fetch: jest.fn().mockResolvedValue([]), // Return empty array
+      fetch: jest.fn().mockResolvedValue({ balances: [] }), // Return empty result
     };
 
     // Replace the balance fetchers with our mock
@@ -4250,7 +4250,7 @@ describe('TokenBalancesController', () => {
 
       // Mock AccountsApiBalanceFetcher to track when line 320 logic is executed
       const mockSupports = jest.fn().mockReturnValue(true);
-      const mockApiFetch = jest.fn().mockResolvedValue([]);
+      const mockApiFetch = jest.fn().mockResolvedValue({ balances: [] });
 
       const apiBalanceFetcher = jest.requireActual(
         './multi-chain-accounts-service/api-balance-fetcher',

packages/assets-controllers/src/TokenBalancesController.ts

@@ -653,21 +653,37 @@ export class TokenBalancesController extends StaticIntervalPollingController<{
       }
 
       try {
-        const balances = await fetcher.fetch({
+        const result = await fetcher.fetch({
           chainIds: supportedChains,
           queryAllAccounts: queryAllAccounts ?? this.#queryAllAccounts,
           selectedAccount: selected as ChecksumAddress,
           allAccounts,
         });
 
-        if (balances && balances.length > 0) {
-          aggregated.push(...balances);
+        if (result.balances && result.balances.length > 0) {
+          aggregated.push(...result.balances);
           // Remove chains that were successfully processed
-          const processedChains = new Set(balances.map((b) => b.chainId));
+          const processedChains = new Set(
+            result.balances.map((b) => b.chainId),
+          );
           remainingChains = remainingChains.filter(
             (chain) => !processedChains.has(chain),
           );
         }
+
+        // Add unprocessed chains back to remainingChains for next fetcher
+        if (
+          result.unprocessedChainIds &&
+          result.unprocessedChainIds.length > 0
+        ) {
+          const currentRemainingChains = remainingChains;
+          const chainsToAdd = result.unprocessedChainIds.filter(
+            (chainId) =>
+              supportedChains.includes(chainId) &&
+              !currentRemainingChains.includes(chainId),
+          );
+          remainingChains.push(...chainsToAdd);
+        }
       } catch (error) {
         console.warn(
           `Balance fetcher failed for chains ${supportedChains.join(', ')}: ${String(error)}`,