Brave

The wallet requires user confirmation before processing each DApp request to the following RPC endpoints: wallet_addEthereumChain, wallet_watchAsset, eth_decrypt, eth_getEncryptionPublicKey, eth_signTypedData*, personal_sign, eth_sendTransaction.

The wallet requires user connection to grant dApp access to the following RPC endpoints: eth_accounts, eth_decrypt, eth_getEncryptionPublicKey, eth_signTypedData*, personal_sign, eth_sendTransaction.

When the wallet is in locked state, it requires users to unlock the wallet to process requests from DApps to the following RPC endpoints: wallet_addEthereumChain, wallet_watchAsset, eth_decrypt, eth_getEncryptionPublicKey, eth_signTypedData*, personal_sign, eth_sendTransaction.

The wallet does not refuse or warns the user when attempting to sign an EIP-712 object with a chainId that does not match the currently active chain.

The wallet allows the use of the eth_sign method but internally converts it to personal_sign with the message encoded as bytes.

The wallet refuses to sign an EIP-4361 (Sign in With Ethereum - SIWE) message.

The wallet lists connected dApps and allows effective access revocation.

The wallet does not offer the ability to list and revoke token approvals, via in-app functionality or links to external dApps.

The wallet requires user confirmation before processing the wallet_switchEthereumChain RPC request from the dApp.

The wallet does not provide a transaction simulation when attempting to sign or before executing a transaction.

The wallet provides the token, amount, effect and spender address within the approval transaction preview.

The wallet does not truncate large messages when signing a personal sign request and also displays the verifying contract of an EIP-712 object.

The wallet does not parse EIP-712 objects and instead displays the raw, unparsed data.

The wallet rejects the transaction request when providing addresses with invalid checksums (EIP-55 address checksum).

Sign buttons are always enabled.

The wallet includes clickable links when viewing transaction history but does not provide any within the transaction details view.

The wallet enforces authentication before revealing the mnemonics or private keys.

The wallet features a lock button to lock it manually.

The wallet has an auto-lock feature and locks itself by default after five minutes of inactivity.

The wallet allows easy-to-guess eight-digit passwords such as 11111111.

The wallet allows copying mnemonics to the clipboard but these secrets are present for less than one minute (five seconds).

The wallet warns users about the risks associated with sharing or revealing mnemonics/private keys.

The wallet does not alert about connections to known phishing dApps.

The wallet does not prevent or alerts about interactions with known phishing or scam addresses, such as the Tornado Cash Attacker.

The wallet informs users when they are interacting with well-known, verified dApps.

The wallet does not warn users when they are not interacting with a previously known or trusted address, either while using the dApp or when attempting a manual transaction.

The wallet displays the dApp origin URL in full, without any truncation.

The wallet fails to filter out spam or scam NFTs.

The wallet clearly informs users, within the connection dialog, that by connecting they are allowing the dApp to view their wallet balance and activity, as well as to request transaction approvals.