Coinbase Wallet

The wallet requires user confirmation for every request.

The wallet requires a user connection for every request.

The wallet requires the user to unlock it for every request.

The wallet does not refuse or deny signing an EIP-712 object with different chain IDs.

The `eth_sign` method is disabled by default.

The wallet does not warn users about domain or scheme mismatches when signing a SIWE message.

The wallet displays a list of connected dApps and provides the option to disconnect from them either individually or all at once.

The wallet allows users to revoke token approvals through its own built-in revocation system.

The wallet switches chains without requesting user confirmation.

The wallet offers transaction simulation, displaying the incomes and outcomes of the transaction.

It shows all the required information such as token, allowance, contract address, spender address and effect.

The verifying contract is displayed in the EIP-712 object, and the wallet does not truncate large inputs in a personal sign request.

The wallet successfully parses the EIP-712 OpenSea contract and blocks the ERC20 permit.

The wallet warns the user sending a transaction with an address containing invalid checksums.

When signing a personal message with a large input, the button remains available at all times.

The wallet includes clickable links in both historical transactions and ongoing transactions.

The wallet supports seed phrase backup functionality and it enforces authentication to display the mnemonics or private keys.

The wallet includes a manual lock button in the settings menu.

The wallet offers auto-lock options, but by default, it is set to activate after 24 hours of inactivity.

The wallet requires users to create an 8-digit password and prevents the use of easily guessable passwords like "12345678."

The wallet does not explicitly warn the user about the risks of copying mnemonics or the private key to the clipboard for more than a minute

The wallet displays a warning in the mnemonics interface, informing the user about the risks of sharing their mnemonics.

The wallet makes a strong effort to prevent users from connecting to phishing dApps.

The wallet successfully warns the user when attempting to send a transaction to a well-known scam address, such as the Tornado Cash Attacker address.

The wallet does not inform the user when they are connecting to a well-known verified URL.

The wallet does not warn the user when interacting with an unknown address.

The dApp origin URL is displayed in full without truncation.

The wallet successfully filters out scam and spam NFTs from the list.

The wallet clearly informs users within the connection dialog about the permissions being granted to the dApp, such as viewing wallet balance, transaction activity, and requesting transaction approvals.