Okto

Every RPC endpoint still requires user confirmation before processing any request.

The wallet requires users to confirm all requests before processing them.

It forces the user to unlock the wallet for all the requests before processing them.

The wallet allows signing an EIP-712 object even when the chainID doesn’t match the active chain and provides no warning about the mismatch.

The eth_sign method is disabled by default, as the wallet uses personal_sign instead, converting the message to bytes.

The wallet does not provide a specific warning when signing Sign-In with Ethereum (SIWE) messages.

The wallet shows a list of all DApps currently connected via WalletConnect and offers an option to revoke access. It also features a timer that automatically disconnects DApps after a set duration.

The wallet lacks a built-in feature for token allowance revocation and does not redirect users to third-party services for this purpose.

The wallet skips user confirmation when attempting to switch the chain

The wallet does not utilize transaction simulation and fails to display the incoming and outgoing assets of transactions.

The approval screen lacks details such as the amount, token, effect, and spender, making it difficult for users to fully understand the transaction.

The “show more” button works as intended and reveals the full message, but it doesn’t allow users to scroll through the content, and the message cannot be signed. For eth_signTypedData requests, such as Permit or OpenSea contracts, no data is shown.

The wallet doesn't parse EIP-712 objects for well-known contracts and protocols, such as OpenSea Seaport listings and ERC-20 Permits.

The wallet prevents transactions to addresses with invalid checksums, but does not clearly inform the user—only briefly displaying an alert.

The confirm button is always enabled.

The wallet displays clickable links in the transaction history but does not provide them during the transaction process.

The wallet requires biometric authentication or a passphrase to reveal the seed phrase.

The wallet does not include a manual lock button but does provide an option to remove the account.

The wallet doesn’t automatically lock after 1 minute of background activity or when the device is locked; it only locks upon being fully closed. There’s no setting to adjust the auto-lock duration.

The wallet enforces a 6-digit passphrase but accepts simple ones like 123456 and lacks rate limiting for incorrect entries. Biometrics are enabled by default.

The wallet permits both taking screenshots and copying the seed phrase to the clipboard without offering any warning about the associated risks and doesn't limit the time are present in the clipboard.

The wallet shows a warning about the risks of sharing the recovery phrase, though it lacks detail and clarity.

The wallet omits the dApp’s URL-specific name and displays only the primary domain. For instance, if a phishing dApp is hosted on a Vercel subdomain, it misleadingly shows “Vercel” as the origin. It also wrongly displays a green checkmark, suggesting the site is verified, which can easily mislead users into trusting malicious dApps.

The wallet does not alert the user when attempting to send a transaction to the Tornado Cash attacker address.

The wallet incorrectly shows a green checkmark on every connection dialog, falsely suggesting that all DApps are verified. This could mislead users into trusting unverified or potentially malicious DApps.

The wallet does not display any message when interacting with an address for the first time.

The wallet truncates the URL in the connection dialog, showing only the main domain of the DApp. This hides important details like subdomains, which phishing sites can exploit to mimic legitimate platforms. For example, it displays only “VERCEL” for https://arbitrum-token-bridge-cqjggprvn-offchain-labs.vercel.app/.

The wallet doesn’t display NFTs but does filter spam tokens, placing them in a separate “Spam Tokens” tab.

The wallet notifies users that the DApp will be able to view their balances and activity, as well as request transaction approvals.