OneKey

The wallet requires user confirmation before processing each request to the following RPC endpoints: wallet_addEthereumChain, wallet_watchAsset, eth_decrypt, eth_getEncryptionPublicKey, eth_signTypedData*, personal_sign, eth_sendTransaction.

The wallet has an embedded browser, it requires user confirmation before processing each DApp request to the following RPC endpoints: wallet_addEthereumChain, wallet_watchAsset, eth_decrypt, eth_getEncryptionPublicKey, eth_signTypedData*, personal_sign, eth_sendTransaction.

The wallet implements Wallet Connect, and it requires users to unlock it to process requests from DApps to the following RPC endpoints when in a locked state: wallet_addEthereumChain, wallet_watchAsset, eth_decrypt, eth_getEncryptionPublicKey, eth_signTypedData*, personal_sign, eth_sendTransaction.

The wallet refuses to allow users to sign an EIP-712 object if its chain ID does not match the currently active chain.

The wallet supports and allows eht_sign method.

The wallet does not warn users of a domain or scheme mismatch when signing an EIP-4361 (Sign in With Ethereum - SIWE) message.

The wallet lists connected dApps and allows users to revoke access either individually or all at once.

The wallet allows users to revoke token approvals through its built-in in-app functionality.

The wallet allows switching chains without requiring user confirmation.

The wallet leverages transaction simulation, displaying all incoming and outgoing assets of the transaction before execution.

The wallet clearly displays the effect, token, amount, and spender address in the approval transaction.

The wallet does not truncate any information when signing a personal sign request with a large message and also displays the verifying contract for EIP-712 objects.

The wallet attempts to parse EIP-712 objects for well-known contracts or protocols.

The wallet warns users when manually entering an address with invalid checksums and also rejects the transaction when the address is provided through a dApp.

The sign button remains enabled at all times, even before scrolling through a large message in a personal sign request.

The wallet provides clickable links within the wallet history but not in the transaction preview.

The wallet requires user authentication before displaying the mnemonic.

The wallet features a manual lock button with a lock icon within its sign-in/login menu.

The wallet has a default auto-lock time of four hours. It does not lock when moved to background execution, locking only after the app is fully closed.

The wallet allows easy-to-guess six-digit PINs such as 111111 and includes an optional rate limit of 10 attempts, resulting in a wallet reset. However, if the user opts out, there are unlimited attempts. It also supports biometric authentication.

The wallet allows users to copy mnemonics to the clipboard but provides a clear warning about the associated risks.

The wallet displays a clear warning about the risks of sharing mnemonics before revealing the secret phrase to the user.

The wallet effectively warns users when they attempt to access a malicious dApp.

The wallet does not warn or prevent users from interacting with a known phishing address, such as the Tornado Cash attacker.

The wallet displays a green checkmark icon in the connection dialog, indicating that the user is connecting to a well-known, verified dApp.

The wallet does not warn users when interacting with an unknown or untrusted address through a dApp transaction, but it does show a warning when sending it manually.

The wallet displays the full dApp origin URL, even for long URLs, without truncation.

The wallet successfully filters out spam and scam NFTs and tokens from its lists.

The wallet clearly informs users, within the connection dialog, that by connecting they are allowing the dApp to view their wallet balance and activity, as well as to request transaction approvals.