AlphaWallet

The wallet has an Wallet Connect and it requires user confirmation before processing each request to the following RPC endpoints: wallet_addEthereumChain, wallet_watchAsset, eth_decrypt, eth_getEncryptionPublicKey, eth_signTypedData*, personal_sign, eth_sendTransaction.

The wallet does not allow users to navigate or interact with dApps that are not whitelisted. It displays a warning suggesting that the dApp could be added to the trusted list, but no such option exists in the settings menu.

The wallet implements Wallet Connect and it requires users to unlock it to process requests from DApps to the following RPC endpoints when in a locked state: wallet_addEthereumChain, wallet_watchAsset, eth_decrypt, eth_getEncryptionPublicKey, eth_signTypedData*, personal_sign, eth_sendTransaction.

The wallet warns the user when attempting to sign an EIP-712 object with a chainId that does not match the currently active chain.

The wallet allows the use of the eth_sign method but internally converts it to personal_sign with the message encoded as bytes.

The wallet does not warn users of a domain or scheme mismatch when signing an EIP-4361 (Sign in With Ethereum - SIWE) message.

The wallet lists connected dApps and allows effective access revocation.

The wallet does not provide an option to revoke token approvals, either through in-app functionality or via links to external dApps.

The wallet requires users to manually enable the chains that will be used by the dApp during the connection dialog. If the user attempts to switch to a different chain, the wallet prevents it.

The wallet does not provide a transaction simulation when attempting to sign or before executing a transaction.

The wallet fails to provide token and amount during an approval transaction.

The wallet does not truncate large messages in a personal sign, but it fails to display the verifying contract in an EIP-712 object.

The wallet does not parse EIP-712 objects for well-known contracts or protocols. It just shows plain data.

The wallet does not warn users when providing addresses with invalid checksums (EIP-55 address checksum), either entered manually or through the testing dApp.

Sign buttons are enabled from the start.

The wallet includes clickable links while viewing the wallet history but does not provide any during a transaction preview or when attempting to send a transaction.

The wallet enforces authentication before displaying the mnemonics.

The wallet does not feature a manual lock button.

The wallet does not automatically lock after one minute of inactivity when the device is locked or the app is moved to background execution.

The wallet does not require users to set up a PIN or password; however, it enforces the setup of the device’s biometric authentication or system PIN before allowing wallet import.

The wallet does not allow the user to copy mnemonics to the clipboard and also prevents taking screenshots.

The wallet warns users about the risks associated with sharing or revealing mnemonics or private keys.

The wallet does not alert about connections to known phishing dApps.

The wallet does not warn or prevent users from interacting with a known phishing address, such as the Tornado Cash attacker.

The wallet does not inform users when they are interacting with well-known, verified dApps.

The wallet does not warn users when they interact with an address that is not previously known or trusted.

The wallet displays the dApp origin URL without truncation within the connection dialog.

The wallet fails to filter out scam or spam NFTs and tokens sent to the wallet.

The wallet does not inform users, within the connection dialog, that by connecting they are allowing the DApp to view their wallet balance and activity, as well as to request transaction approvals.