Exodus

The wallet has Wallet Connect and requires user confirmation before processing each request to the following RPC endpoints: wallet_addEthereumChain, wallet_watchAsset, eth_decrypt, eth_getEncryptionPublicKey, eth_signTypedData*, personal_sign, eth_sendTransaction.

The wallet enforces user confirmation for every request. While `wallet_watchAsset` and `wallet_addEthereumChain` may return a success response when bypassed, the wallet does not actually add the requested asset or chain.

The wallet does not process any requests while in a locked state. Once unlocked, it does not display or resume any of the requests that were made prior to unlocking.

The wallet refuses to sign an EIP-712 object with a chainId that does not match the currently active chain.

The wallet has eth_sign enabled and working.

The wallet does not warn users of a domain or scheme mismatch when signing an EIP-4361 (Sign in With Ethereum - SIWE) message.

The wallet lists connected dApps and allows effective access revocation.

The wallet does not offer the ability to list and revoke token approvals, via in-app functionality or through links to external dApps.

The wallet does not prompt the user for confirmation when switching networks, and it does not provide a way to modify networks within the connection dialog.

The wallet does not offer transaction simulation.

The wallet only provides the spender address.

The wallet does not truncate large messages in a personal sign, but it does not display the verifying contract in an EIP-712 object.

The wallet does not parse EIP-712 objects and instead displays the raw, unparsed data.

The wallet does not warn or block transactions to addresses with invalid checksums when using a dApp. However, it does provide warnings and prevents the transaction when the address is entered manually.

Sign buttons are always enabled.

The wallet includes clickable links when viewing the wallet history, but it does not provide any within the transaction preview when attempting to send a transaction.

The wallet allows users to complete the setup process without enabling biometrics or setting up a passphrase. Additionally, it does not proactively suggest adding a passphrase for enhanced security. As a result, users can access and view their mnemonics without being prompted for any form of authentication. If biometrics or a passphrase is configured, it will ask for user authentication before showing the seed phrase.

The wallet does not feature a manual lock button.

Passphrase or biometrics are disabled by default, meaning the wallet remains unlocked if not configured. Once configured, the wallet locks after one minute of inactivity.

The wallet does not enable biometrics or passphrases by default. Users must manually configure these options in the settings, starting with setting up a passphrase before enabling biometrics. It allows an easy-to-guess passphrase that rate-limits failed authentication attempts to 5, after which a 2-minute cooldown period is enforced.

The wallet does not allow copying mnemonics to the clipboard and also prevents users from taking screenshots.

The wallet warns users about the risks associated with sharing or revealing mnemonics/private keys.

The wallet does not alert about connections to known phishing dApps.

The wallet does not warn or prevent users from interacting with a known phishing address, such as the Tornado Cash attacker.

The wallet does not inform users when they are interacting with well-known, verified dApps.

The wallet does not warn users when they are not interacting with a previously known or trusted address.

The wallet displays the full dApp origin URL, without truncation, within the connection dialog.

The wallet hides spam or scam tokens and NFTs sent to the wallet.

The wallet does not inform users, within the connection dialog, that by connecting they are allowing the dApp to view their wallet balance and activity, as well as to request transaction approvals.