imToken

The wallet has Wallet Connect and it requires user confirmation before processing each request to the following RPC endpoints: wallet_addEthereumChain, wallet_watchAsset, eth_decrypt, eth_getEncryptionPublicKey, eth_signTypedData*, personal_sign, eth_sendTransaction.

The wallet has an embedded browser and it requires user confirmation before processing each DApp request to the following RPC endpoints: wallet_addEthereumChain, wallet_watchAsset, eth_decrypt, eth_getEncryptionPublicKey, eth_signTypedData*, personal_sign, eth_sendTransaction.

The wallet implements Wallet Connect and requires users to unlock it to process requests from dApps to the following RPC endpoints when in a locked state: wallet_addEthereumChain, wallet_watchAsset, eth_decrypt, eth_getEncryptionPublicKey, eth_signTypedData*, personal_sign, eth_sendTransaction.

The wallet neither refuses nor warns the user when attempting to sign an EIP-712 object whose chain ID does not match the currently active chain.

The wallet allows signing of eth_sign method, but it seems to be broken.

The wallet does not warn users of a domain or scheme mismatch when signing an EIP-4361 (Sign in With Ethereum - SIWE) message.

The wallet allows only one dApp connection at a time. It provides an option to disconnect from the current dApp and includes a settings option to disconnect from all connected dApps.

The wallet does not offer the ability to list or revoke token approvals, either through in-app functionality or via links to external dApps.

The wallet requires user confirmation before processing the wallet_switchEthereumChain RPC request from the dApp.

The wallet leverages transaction simulation, displaying all incoming and outgoing assets involved in the transaction.

The wallet effectively provides the token, effect, amount and spender address.

The wallet displays the verifying contract in an EIP-712 object but truncates large messages in personal sign requests.

The wallet attempts to parse the EIP-712 object, though its interpretation is not very accurate or clear within an OpenSea listing. However, it does successfully parse the data in an ERC-20 permit.

The wallet warns the user and rejects transactions sent to addresses with invalid checksums, whether entered manually or through a dApp.

The sign button is always enabled.

The wallet includes clickable links in the wallet history but not in the transaction preview.

The wallet enforces authentication to display the mnemonics or private keys.

The wallet offers an App Lock feature that automatically locks the wallet when it is sent to background execution or the app is closed, but it does not include a manual lock button.

The wallet automatically locks when the device is locked or after one minute of being in background execution, but the App Lock option is disabled by default.

The wallet allows easy-to-guess passwords such as 11111111 and does not rate-limit login attempts after the fifth try. It also supports biometric authentication.

The wallet does not allow users to copy mnemonics to the clipboard and warns them about the risks of taking screenshots.

The wallet successfully warns users about the risks associated with sharing or revealing mnemonics/private keys.

The wallet does not always alert the user about connections to known phishing dApps, but it does have a Security Center alerts that warns users about potentially malicious dApps.

The wallet does not warn or prevent users from interacting with a known phishing address, such as the Tornado Cash attacker, when trying to send through Polygon, but it does display a warning when attempting to send through Ethereum.

The wallet does not inform users when they are interacting with well-known, verified dApps.

The wallet does not warn users when they interact with an address that is not previously known or trusted if the transaction is sent through a dApp, but it does show an indicator when sending it manually.

The wallet truncates the dApp origin URL in the connection dialog.

The wallet filters out scam and spam tokens, but the NFT section does not display any NFTs.

The wallet clearly informs users, within the connection dialog, that by connecting they are allowing the dApp to view their wallet balance and activity, as well as to request transaction approvals.