Frame

The wallet requires user confirmation before processing each DApp request to the following RPC endpoints: wallet_addEthereumChain, wallet_watchAsset, eth_decrypt, eth_getEncryptionPublicKey, eth_signTypedData*, personal_sign, eth_sendTransaction.

The wallet requires user connection to grant dApp access to the following RPC endpoints: eth_accounts, eth_decrypt, eth_getEncryptionPublicKey, eth_signTypedData*, personal_sign, eth_sendTransaction.

The wallet does not have a locking mechanism, if we quit the app, the bypass is showing as not connected. If the app is open, it requires the signer to input the password before processing each request.

The wallet does not refuse or warns the user when attempting to sign an EIP-712 object with a chainId that does not match the currently active chain.

The wallet allows the use of the eth_sign method but internally converts it to personal_sign with the message encoded as bytes.

The wallet does not warn users of a domain or scheme mismatch when signing an EIP-4361 (Sign in With Ethereum - SIWE) message.

The wallet lists connected dApps and allows effective access revocation.

The wallet does not offer the ability to list and revoke token approvals, via in-app functionality or links to external dApps.

The wallet does not prompt the user for confirmation when switching networks, and it does not provide a way to modify networks within the connection dialog.

The wallet does not display all incoming and outgoing assets during a swap or liquidity pool addition on Uniswap.

The token, amount, effect and spender address are available in the approval transaction view.

The wallet does not truncate large messages when signing a personal sign request and also displays the verifying contract of an EIP-712 object.

The wallet does not parse EIP-712 objects and instead displays the raw, unparsed data.

The wallet refuses to process a transaction when providing addresses with invalid checksums (EIP-55 address checksum).

Sign buttons are always enabled.

The wallet does not provide links during transactions or offer a transaction history view.

The wallet does not have a seed-phrase backup functionality.

The wallet does not feature a manual lock button.

The wallet does not lock itself after 20 minutes of inactivity and lacks an auto-lock system. However, it always requires the password (hot signers) to process requests.

The wallet enforces the use of a strong password with a minimum length of twelve characters.

The wallet does not have a seed-phrase backup functionality.

The wallet does not have a seed-phrase backup functionality.

The wallet does not alert users about connections to known phishing dApps.

The wallet does not warn or prevent users from interacting with a known phishing address, such as the Tornado Cash attacker.

The wallet does not inform users when they are interacting with well-known, verified dApps.

The wallet does not warn users when they are not interacting with a previously known or trusted address.

The wallet truncates the dApp origin URL within the connection dialog.

The NFTs section seems broken, and it successfully filters out spam or scam tokens.

The wallet does not inform users, within the connection dialog, that by connecting they are allowing the dApp to view their wallet balance and activity, as well as to request transaction approvals.