Coinbase Wallet

The wallet implements Wallet Connect through the embedded browser and requires user confirmation before processing each DApp request to the following RPC endpoints.

The wallet includes an embedded browser. It prompts users for confirmation before processing each DApp request.

When in the locked state, users are required to unlock the wallet to process requests.

The wallet does not refuse to sign EIP-712 messages when the chain ID doesn't match the currently active chain.

The 'eth_sign' method is disabled by default

The wallet doens't warn users of domain or scheme mismatches when signing an EIP-4361 message.

It shows all connected DApps and also the chance to revoke access to them

The wallet clearly offers the ability to list and revoke token approvals.

It doesn´t require user confirmation before processing the method

The wallet clearly displays the NFT received and the incomes and outcomes when contributing liquidity to a pool.

It includes token, effect, allowance, and contract spender address (0x11)

The wallet provides a clear method for users to check the data to be signed

The wallet parses EIP-712 objects for well-known contracts/protocols, like detailing Opensea Seaport listings, and ERC-20 Permits instead of plain JSON displays.

The wallet does not alert users about requests containing addresses with invalid checksums. It automatically corrects these addresses to ensure valid checksums. When attempting to perform a transaction using the wallet with an address containing an invalid checksum, it is not possible to complete the transaction. After clicking the "Yes, looks good" button, a message appears stating that something went wrong.

The sign button is available from the start

The wallet includes clickable links in the transaction history and during the process of sending a transaction.

After clicking the 'Recovery Phrase' or "Show private key" button, the wallet requires a password to display the mnemonics or private keys.

The wallet lacks a manual lock feature. Instead, it offers a "Sign Out" button.

Face ID authentication is required to authorize transactions when opening the app. However, the wallet does not lock when minimized, when the device is locked, or after a minute of inactivity. In the security settings, users can enable an option to lock the wallet when the app is closed.

When you start the wallet, it asks you if you want to use Biometrics, if you want to use it, this will be mandatory to confirm a request and to unlock the app, the wallet doesn't allow you to enter the password. If you don't want to use biometrics, it asks you for an easy-to-guess password (12345678) that will only be mandatory to confirm a request and doesn't implement rate limiting.

The wallet warns when copying mnemonics to the clipboard. Copied data remains for one minute, which works well. It blocks screenshots without warning about their risks.

When you see the secret phrase, it warns the user about the risks of sharing your mnemonics or private keys

The wallet does not alert users about connections to known phishing dApps

The wallet prevents or alerts about interactions with known phishing or scam addresses. The wallet prevents or alerts about interactions with known phishing or scam addresses.

The wallet only displays a symbol, such as a logo, but does not indicate when users interact with authenticated URLs.

The wallet does not warn users when they interact with an unknown or untrusted address.

The wallet displays the DApp origin URL in the 'Connect' dialog.

The wallet hides spam or scam tokens and NFTs sent to the address.

The waller clearly informs users that by connecting they are allowing the DApp to view their wallet address and balance, as well as to request transaction approvals