MEW Wallet

The wallet implements Wallet Connect and it requires user confirmation before processing each request to the following RPC endpoints: wallet_addEthereumChain, wallet_watchAsset, eth_decrypt, eth_getEncryptionPublicKey, eth_signTypedData*, personal_sign, eth_sendTransaction.

The wallet skips user confirmation for `eth_decrypt` and `eth_getEncryptionPublicKey` RPC methods.

The wallet implements Wallet Connect and it requires users provide their passphrase before it processes requests from dApps to the following RPC endpoints when in a locked state: wallet_addEthereumChain, wallet_watchAsset, eth_decrypt, eth_getEncryptionPublicKey, eth_signTypedData*, personal_sign, eth_sendTransaction.

The wallet does not refuse or warns the user when attempting to sign an EIP-712 object with a chainId that does not match the currently active chain.

The wallet allows the use of the eth_sign method but internally converts it to personal_sign with the message encoded as bytes.

The wallet does not warn users of a domain or scheme mismatch when signing an EIP-4361 (Sign in With Ethereum - SIWE) message.

The wallet lists connected DApps and allows effective access revocation.

The wallet does not offer the ability to list and revoke token approvals, via in-app functionality or links to external dApps.

The wallet does not prompt the user for confirmation when switching networks, and it does not provide a way to modify networks within the connection dialog.

The wallet does not display any incoming or outgoing assets resulting from the execution of the transaction.

The wallet does not provide any relevant information within its views during an approval transaction.

The wallet does not truncate large messages when signing a personal sign request and also displays the verifying contract of an EIP-712 object.

The wallet does not parse EIP-712 objects and instead displays the raw, unparsed data.

The wallet does not process the transaction through the dApp when using an address with an invalid checksum, but it does allow sending it manually.

The sign buttons are always enabled.

The wallet includes clickable links when viewing transaction history but does not provide any within the transaction details view.

The wallet enforces authentication before displaying the mnemonics or private keys.

The wallet does not feature a manual lock button.

The wallet does not lock itself after 1 minute of being sent to background execution and it does not provide an auto-lock setting. The wallet only auto-locks instantly after being fully closed.

The wallet allows an easy-to-guess six-digit passphrase like “111111,” but it rate-limits failed attempts to five, with a five-minute cooldown. It also supports biometrics.

The wallet does not allow users to copy mnemonics to the clipboard and prevents taking screenshots.

The wallet warns users about the risks associated with sharing or revealing mnemonics or private keys.

The wallet does not alert about connections to known phishing dApps.

The wallet does not warn or prevent users from interacting with a known phishing address, such as the Tornado Cash attacker.

The wallet does not inform users when they are interacting with well-known, verified dApps.

The wallet does not warn users when they are not interacting with a previously known or trusted address.

The wallet displays the dApp origin URL in full, without truncation within the connection dialog.

The wallet successfully hides spam or scam NFTs, but it shows spam or scam tokens.

The wallet informs users, within the connection dialog, that by connecting they are allowing the dApp to view their wallet balance and activity, but not that it can request transaction approvals.