Coinbase Wallet

The wallet implements Wallet Connect and it requires user confirmation before processing each request to the following RPC endpoints: wallet_addEthereumChain, wallet_watchAsset, eth_decrypt, eth_getEncryptionPublicKey, eth_signTypedData*, personal_sign, eth_sendTransaction.

The wallet has an embedded browser and requires user confirmation before processing each DApp request to the following RPC endpoints: wallet_addEthereumChain, wallet_watchAsset, eth_decrypt, eth_getEncryptionPublicKey, eth_signTypedData*, personal_sign, eth_sendTransaction.

The wallet implements Wallet Connect and it requires users to unlock it to process requests from dApps to the following RPC endpoints when in a locked state: wallet_addEthereumChain, wallet_watchAsset, eth_decrypt, eth_getEncryptionPublicKey, eth_signTypedData*, personal_sign, eth_sendTransaction.

The wallet does not warn or refuses the user when attempting to sign an EIP-712 object with a chainId that does not match the currently active chain.

The wallet does not support the eth_sign method.

The wallet does not warn users of a domain or scheme mismatch when signing an EIP-4361 (Sign in With Ethereum - SIWE) message.

The wallet lists connected dApps and allows users to revoke access either individually or all at once.

The wallet offers the ability to list and revoke token approvals via in-app functionality.

The wallet does not prompt the user for confirmation when switching networks, and it does not provide a way to modify networks within the connection dialog.

The wallet offers transaction simulation, clearly displaying all incoming and outgoing assets involved in the transaction.

The wallet displays the token, amount, effect and also the spender address during an approval transaction.

The wallet does not truncate large messages when signing a personal sign request and also displays the verifying contract of an EIP-712 object.

The wallet parses EIP-712 objects for well-known contracts and protocols.

The wallet does not warn users when entering addresses with invalid checksums, either manually or through a dApp.

The sign button is always enabled.

The wallet includes clickable links in both the transaction preview and the wallet history.

The wallet enforces authentication to display the mnemonics or private keys.

The wallet does not include a manual lock button; it only provides a sign-out option that functions as a wallet reset.

The wallet includes an option to require unlocking when opening the app, but it is disabled by default. As a result, the wallet does not lock by default when the app is closed or remains in background execution for more than one minute. It supports biometric authentication.

The wallet allows easy-to-guess six-digit PINs such as 111111 and does not rate-limit login attempts after the fifth try.

The wallet limits the time secrets remain in the clipboard to one minute, but the functionality is not working for Android devices. It also prevents users from taking screenshots.

The wallet warns users about the risks associated with sharing or revealing mnemonics/private keys.

The wallet does not alert the user about connections to known phishing dApps.

The wallet successfully warns users when interacting with a known phishing address, such as the Tornado Cash attacker.

The wallet does not inform users when they are interacting with well-known, verified dApps.

The wallet does not warn users when they are not interacting with a previously known or trusted address.

The wallet displays the dApp origin URL in full within the connection dialog.

The wallet does not filter out scam or spam NFTs.

The wallet clearly informs users, within the connection dialog, that by connecting they are allowing the dApp to view their wallet balance and activity, as well as to request transaction approvals.