MetaMask

The wallet requires user confirmation for every request.

The wallet requires user connection for every request.

The wallet requires user unlock the wallet to process any request

The wallet refuses to sign an EIP712 object with a chainId that does not match the currently active chain.

The wallet has the eth_sign method disabled by default.

Wallet successfully warns the user when signing a message with domain or scheme mismatch.

Wallet displays the list of connected DApps and allows connection removal. The functionality is working properly.

The wallet includes the ability to revoke token approvals, which can be accessed through the portfolio page.

The wallet asks for user confirmation before switching chains.

The wallet provides a detailed transaction simulation, clearly displaying all expected incomes and outcomes before execution.

The wallet clearly displays the spender's address. It identifies the token being approved as WPOL but does not show the contract address for custom tokens. The spending cap is clearly stated as "Unlimited WPOL." There is no warning about the risks of unlimited approvals.

The wallet does not truncate the message when performing a personal sign with a large message. It also displays the EIP-712 verifying contract.

The wallet correctly parses EIP-712 objects for well-known contracts and protocols such as Opensea Seaport listings, ERC-20 Permits, and Uniswap positions instead of displaying plain JSON. It provides a structured view that helps users understand what they are signing rather than just showing raw data.

Wallet successfully warns the user when trying to send a transaction with invalid checksum.

The confirm button is always enabled.

The wallet includes clickable links in history and approves, but lacks them during transactions.

The wallet provides seed-phrase backup functionality and requires authentication to access mnemonics or private keys.

The wallet features a lock button to lock it manually in the main menu.

Automatic lock option is disabled by default.

The wallet requires passwords to be at least 8 characters long but does not prevent the use of easy-to-guess passwords such as 12345678.

The wallet allows users to copy mnemonics to the clipboard indefinitely and does not warn them about the risks of doing so.

The wallet includes a short test with two questions to educate users about the risks of sharing mnemonics or private keys. It also provides a clear warning not to share them with anyone.

MetaMask maintains a blacklist of DApps and warns users before they attempt to access them.

The wallet successfully warns the user about a deceptive address while trying to send funds to the Tornado Cash Attacker address.

Wallet inform the user when trying to connect to a well-known, verified url.

The wallet offers the chance to asign nicknames to unknown addresses.

The wallet truncates large URLs, but the window can be resized to view it in full.

The wallet does not display either legitimate or scam NFT tokens.

The wallet informs the user, within the connection dialog, that by connecting they are allowing the DApp to view their accounts, as well as to suggest transactions.