Bitget

The wallet has Wallet Connect and it requires user confirmation before processing each request to the following RPC endpoints: wallet_addEthereumChain, wallet_watchAsset, eth_decrypt, eth_getEncryptionPublicKey, eth_signTypedData*, personal_sign, eth_sendTransaction.

The wallet has an embedded browser and it requires user confirmation before processing each DApp request to the following RPC endpoints: wallet_addEthereumChain, wallet_watchAsset, eth_decrypt, eth_getEncryptionPublicKey, eth_signTypedData*, personal_sign, eth_sendTransaction.

The wallet implements Wallet Connect and it requires users to unlock it to process requests from dApps to the following RPC endpoints when in a locked state: wallet_addEthereumChain, wallet_watchAsset, eth_decrypt, eth_getEncryptionPublicKey, eth_signTypedData*, personal_sign, eth_sendTransaction. The wallet does not lock itself but it requires passphrase or biometrics unlock for every RPC endpoint request.

The wallet allows users to sign an EIP-712 object with a chain ID that does not match the currently active chain and does not warn them about it.

The eth_sign method is disabled by default. The wallet will not even process the request.

The wallet does not warn users of a domain or scheme mismatch when signing an EIP-4361 (Sign in With Ethereum - SIWE) message.

The wallet lists connected dApps and allows effective access revocation.

The wallet offers the ability to list and revoke token approvals, via in-app functionality.

The wallet requires user confirmation before processing the wallet_switchEthereumChain RPC request from the dApp.

The wallet offers transaction simulation, clearly displaying all incoming and outgoing assets involved in the transaction.

The wallet clearly provides token, effect, amount and spender address during the approval transaction.

The wallet does not truncate large messages in a personal sign, but it does not display the verifying contract in an EIP-712 object.

The wallet displays the information in an EIP-712 object as plain data, without any parsing.

The wallet warns users when providing addresses with invalid checksums if typed manually; however, it does not emit any warnings when the address is supplied through the testing dApp.

Sign button is always enabled.

The wallet includes clickable links to addresses, contracts or transactions hashes when viewing transaction history and within the transaction details view.

The wallet enforces authentication to display the mnemonics or private keys.

The wallet does not feature a manual lock button.

The wallet does not auto-lock by default. User needs to enable this option under the security menu.

The wallet requires a six-digit PIN that is not easily guessable, such as 111111 or 123456. It also supports biometrics.

The wallet does not allow copying mnemonics to the clipboard and also prevents taking screenshots.

The wallet displays clear warnings about the risks of sharing or revealing mnemonics or private keys before showing the seed phrase.

The wallet appears to rely on a third-party service to detect phishing or risky sites, but it failed to block or warn on the tested phishing dApp URL.

The wallet does not warn or prevent users from interacting with a known phishing address, such as the Tornado Cash attacker.

The wallet does not inform users when they are interacting with well-known, verified dApps.

The wallet does not warn users when they are not interacting with a previously known or trusted address.

The wallet displays the dApp origin URL in full, without truncation within the connection dialog.

The wallet fails to filter out scam or spam NFTs sent to the wallet.

The wallet clearly informs users, within the connection dialog, that by connecting they are allowing the dApp to view their wallet balance and activity, as well as to request transaction approvals.