Ctrl Wallet

Although the bypass indicates the watch asset endpoint was successful, the asset does not appear in the token list.

The wallet skips user connection on `eth_signTypedData` and `personal_sign` endpoints.

Although the bypass indicates the watch asset endpoint was successful, the asset does not appear in the token list.

The wallet blocks transactions to invalid checksum addresses on all networks except Ethereum, where it still allows them.

The wallet does not process the request, meaning the `eth_sign` method is disabled by default. Users can enable it in the settings, and the wallet provides a clear explanation of why this is not recommended.

The wallet does not warn users of a domain or scheme mismatch when signing SIWE message.

The wallet provides a list of connected dApps and offers users the option to revoke access to all of them or revoke them individually. This function works properly, effectively disconnecting from the selected dApp.

The wallet relies on a third-party service and provides a link to revoke.cash within its settings menu to remove token approvals.

The wallet switches chains without requiring user confirmation.

The wallet does not display incoming or outgoing assets when adding liquidity to a Uniswap pool but does show incomes and outcomes during a swap in Sushiswap.

The wallet successfully displays critical approval details, including the function call, spender’s contract address, approved amount, and granting account, but the information is not presented in a clear way.

The wallet displays large messages in personal sign requests without truncation and shows the verifying contract in the EIP-712 object.

The wallet displays EIP-712 objects as plain data without parsing them.

The wallet does not allow sending transactions to addresses with invalid checksums, whether entered manually or provided by the dApp.

The sign button is available from the start.

The wallet provides clickable links in both historical transactions and transaction previews.

The wallet requires the user to enter their password before revealing the recovery phrase or private key.

The wallet provides a manual lock button in the settings menu.

The wallet offers an auto-lock feature, but it is disabled by default.

The wallet enforces an eight-digit password and does not permit easily guessable ones like “12345678.”

The wallet allows copying mnemonics or private keys to the clipboard without providing a proper warning about the risks and does not limit the time these secrets remain in the clipboard.

The wallet displays a clear warning about the risks of sharing mnemonics and private keys before revealing them. It also requires the user to tick a box confirming they won't share them with anyone.

The wallet includes a helpful feature that prevents users from connecting to dApps flagged as malicious.

The wallet warns users when attempting to send funds to known phishing addresses, such as the Tornado Cash Attacker address when using the dApp only when using Wallet Connect method, but when trying to send transaction using the native methods, it fails to prompt any warnings.

If the connected dApp is verified, the wallet displays a black shield with a checkmark to indicate that the site can be trusted. When attempting to connect to a dApp for the first time that hasn't been verified, a shield with a question mark is shown, warning the user that the site could not be verified. However, if the user has previously interacted with the dApp, the wallet displays a message reassuring them that it's safe to connect.

The wallet does not warn the user when trying to send funds to an unknown address.

The wallet does not truncate the URL of the dApp the user is attempting to connect to.

The wallet effectively filters out spam and scam NFTs.

The wallet informs users, within the connection dialog, that by connecting they are allowing the dApp to view their wallet balance and activity, as well as to request transaction approvals.