OKX

Implements Wallet Connect and requires user confirmation before processing each DApp request.

The wallet includes an embedded browser and requires confirmation before processing any DApp request

The wallet lacked a locking feature, so this check could not be tested. However, users needed to enter the password to accept each request.

The wallet warns and blocks when signing EIP-712 messages if the chain ID differs from the currently active chain.

The wallet supports the eth_sign method but internally uses personal_sign, converting the input to bytes.

The wallet does not account for mismatches in the domain.

The wallet provides a list of connected DApps and offers the option to remove connections.

The wallet includes an in-app approvals feature, allowing users to select a token and revoke its approvals directly.

The wallet does not require user confirmation for chain switching, which happens instantly in both WalletConnect and the embedded browser. However, when connecting to the DApp, the connection dialog does display the available chains. To connect to a different chain, you must first add it to the wallet.

The wallet clearly displays the NFT received for providing liquidity to a pool, along with the POL and SUSHI amounts to be spent during the process, whether in the pool or a swap.

The wallet includes the contract address, token, effect, allowance, and contract spender address when interacting with 1inch.

The wallet includes all the necessary information. It displays a message indicating the verified contract, correctly parses the ERC-20 permit, and blocks it.

The wallet parses EIP-712 objects for well-known contracts or protocols, such as detailed USDC ERC-20 permits, and doesn't parse the OpenSea Seaport listings.

The wallet allows transactions to addresses with invalid checksums both through dApps and within the app.

The wallet allows the user to sign data before reviewing it.

The wallet includes clickable links in the transaction history, but not during the process of sending a transaction.

After clicking the "Seed Phrase" button, the wallet shows the warnings and then requires a password to display mnemonics/private keys.

The wallet lacks a manual lock button but includes a "delete wallet" option.

The wallet does not lock automatically when the app is minimized, closed, or left idle, and it also lacks a settings option to enable an auto-lock feature.

The wallet supports biometric authentication and enforces it as the only authentication method.

The wallet does not allow copying the seed phrase or taking screenshots as it protects it with a black screen.

The wallet displays a user-friendly interface that requires users to answer questions before showing the mnemonics. This clearly demonstrates the application's efforts to prevent users from sharing their mnemonics.

The wallet does not display a warning after scanning the WalletConnect QR code from sites like: https://arbitrum-token-bridge-cqjggprvn-offchain-labs.vercel.app/

The wallet warns and block the user about a deceptive address while sending funds to the Tornado Cash Attacker address.

The wallet provides no indication of verification when connecting to UniSwap or 1inch, leaving users uncertain if the DApp is trusted.

The wallet does not warn users when they interact with an unknown or untrusted address.

The wallet truncates the domain of the DApp: https://arbitrum-token-bridge-cqjggprvn-offchain-labs.vercel.app/

The wallet displays spam tokens in addition to legitimate ones.

The wallet informs the user, within the connection dialog, that by connecting they are allowing the DApp to view their wallet balance and activity, as well as to request transaction approval.