Gem

The wallet supports Wallet Connect and it requires user confirmation before processing each request to the following RPC endpoints: wallet_addEthereumChain, wallet_watchAsset, eth_decrypt, eth_getEncryptionPublicKey, eth_signTypedData*, personal_sign, eth_sendTransaction.

The wallet does not implement embedded browser.

If passcode is enabled, the wallet requires wallet unlock in order to process wallet_addEthereumChain, wallet_watchAsset, eth_decrypt, eth_getEncryptionPublicKey, eth_signTypedData*, personal_sign and eth_sendTransaction methods.

The wallet allows and does not warn the user when attempting to sign an EIP-712 object with a chainId that does not match the currently active chain.

The wallet could not recover address, meaning that the eth_sign method is disabled.

The wallet does not warn users of a domain or scheme mismatch when signing an EIP-4361 (Sign in With Ethereum - SIWE) message.

The wallet lists connected dApps and allows effective access revocation.

The wallet does not offer the ability to list and revoke token approvals, via in-app functionality or links to external dApps.

The wallet does not prompt the user for confirmation when switching networks, and it does not provide a way to modify networks within the connection dialog.

The wallet does not offer transaction simulation.

The wallet fails to provide any significant information within an approval transaction view.

The wallet does not truncate large messages in a personal sign, but the message is visually clipped by the approve button, making some text unreadable. The EIP-712 object, on the other hand, is displayed as raw data but includes the verifying contract.

The wallet does not parse EIP-712 objects and instead displays the raw, unparsed data.

The wallet does not warn users when manually entering an address with invalid checksums (EIP-55) and does not display any warning when the address is provided through a connected dApp.

Sign buttons are always enabled.

The wallet includes clickable links when viewing transaction history but does not provide any within the transaction details view.

If biometrics are enabled, the wallet enforces authentication before displaying the mnemonics or private keys.

The wallet does not feature a manual lock button.

The wallet can be configured without any passcode, meaning it remains unlocked by default. However, if a passcode is activated, the wallet auto-locks itself by default after one minute of inactivity.

The wallet allows users to configure a passcode and enable biometrics, but this security feature is disabled by default. Users must manually activate it via the Security section in the settings menu, which could leave the wallet more vulnerable if users overlook enabling it. Enabling by default or prompting setup during onboarding would improve security posture.

The wallet allows copying mnemonics to the clipboard without time restrictions, but it prevents users from taking screenshots.

The wallet warns users about the risks associated with sharing or revealing mnemonics or private keys.

The wallet does not alert about connections to known phishing dApps.

The wallet does not warn or prevent users from interacting with a known phishing address, such as the Tornado Cash attacker.

The wallet does not inform users when they are interacting with well-known, verified dApps.

The wallet does not warn users when they are not interacting with a previously known or trusted address.

The wallet truncates the dApp origin URL within the connection dialog.

The NFTs section appears to be broken, as it fails to display any NFTs. The wallet only shows a predefined token listing.

The wallet does not inform users, within the connection dialog, that by connecting they are allowing the dApp to view their wallet balance and activity, as well as to request transaction approvals.