Okto

The wallet has Wallet Connect and it requires user confirmation before processing each request to the following RPC endpoints: wallet_addEthereumChain, wallet_watchAsset, eth_decrypt, eth_getEncryptionPublicKey, eth_signTypedData*, personal_sign, eth_sendTransaction.

The wallet uses its own browser, called Hyperzone, which restricts users to a predefined list of dApps curated by the provider. Users can submit requests to add new dApps to the list.

The wallet implements Wallet Connect and it requires users to unlock it to process requests from DApps to the following RPC endpoints when in a locked state: wallet_addEthereumChain, wallet_watchAsset, eth_decrypt, eth_getEncryptionPublicKey, eth_signTypedData*, personal_sign, eth_sendTransaction.

The wallet does not warn the user when attempting to sign an EIP-712 object whose chain ID does not match the currently active chain.

The wallet allows the use of the eth_sign method but internally converts it to personal_sign with the message encoded as bytes.

The wallet does not warn users of a domain or scheme mismatch when signing an EIP-4361 (Sign in With Ethereum - SIWE) message.

The wallet lists connected dApps and allows effective access revocation.

The wallet does not offer the ability to list and revoke token approvals, via in-app functionality or links to external dApps.

The wallet does not prompt the user for confirmation when switching networks, and it does not provide a way to modify networks within the connection dialog.

The wallet does not display any incoming or outgoing assets resulting from the execution of the transaction.

The wallet only displays the spender address within the approval preview; it does not show the token, amount, or effect of the approval.

The wallet truncates large messages in a personal sign while EIP-712 objects display the verifying contract.

The wallet does not parse EIP-712 objects and it also does not provide plain data.

The wallet refuses to send a transaction when providing addresses with invalid checksums (EIP-55 address checksum).

Sign buttons are enabled from the start.

The wallet includes clickable links when viewing transaction history but does not provide any within the transaction details view.

The wallet enforces authentication before displaying the mnemonics.

The wallet does not feature a manual lock button.

The wallet does not automatically lock after one minute of inactivity, when moved to background execution, or when the device is locked. It also lacks an option to configure the automatic lock time.

The wallet allows the use of easy-to-guess six-digit PINs, such as “111111,” and does not implement rate limiting for failed attempts. It supports biometric authentication.

The wallet allows copying mnemonics to the clipboard for an unlimited amount of time without issuing any warning about the risks of doing so. It also allows taking screenshots.

The wallet provides a basic warning about the risks associated with sharing or revealing mnemonics.

The wallet does not alert users about connections to known phishing dApps. In fact, it incorrectly displays a verified dApp message, misleadingly indicating that the site is secure.

The wallet does not warn or prevent users from interacting with a known phishing address, such as the Tornado Cash attacker.

The wallet shows a verified badge for both legit and scam dApps.

The wallet does not warn users when they are not interacting with a previously known or trusted address.

The wallet does not show the dApp origin URL within the connection dialog.

The NFT section incorrectly labels both legitimate and scam/spam NFTs as spam, while tokens are successfully filtered out.

The wallet clearly informs users, within the connection dialog, that by connecting they are allowing the dApp to view their wallet balance and activity, as well as to request transaction approvals.