Phantom

The wallet has Wallet Connect and it requires user confirmation before processing each request to the following RPC endpoints: wallet_addEthereumChain, wallet_watchAsset, eth_decrypt, eth_getEncryptionPublicKey, eth_signTypedData*, personal_sign, eth_sendTransaction.

The wallet has an embedded browser and it requires user confirmation before processing each DApp request to the following RPC endpoints: wallet_addEthereumChain, wallet_watchAsset, eth_decrypt, eth_getEncryptionPublicKey, eth_signTypedData*, personal_sign, eth_sendTransaction.

The wallet implements Wallet Connect through the embedded browser and it requires users to unlock it to process requests from DApps to the following RPC endpoints when in a locked state: wallet_addEthereumChain, wallet_watchAsset, eth_decrypt, eth_getEncryptionPublicKey, eth_signTypedData*, personal_sign, eth_sendTransaction.

The wallet refuses to sign an EIP-712 object with a chainId that does not match the currently active chain.

The wallet allows the use of the eth_sign method but internally converts it to personal_sign with the message encoded as bytes.

The wallet does not warn users of a domain or scheme mismatch when signing an EIP-4361 (Sign in With Ethereum - SIWE) message.

The wallet lists connected dApps and allows effective access revocation.

The wallet does not offer the ability to list and revoke token approvals, via in-app functionality or links to external dApps.

The wallet does not prompt the user for confirmation when switching networks, and it does not provide a way to modify networks within the connection dialog.

The wallet offers transaction simulation, clearly displaying all incoming and outgoing assets involved in the transaction.

The wallet clearly provides the token, amount, effect and the spender address within an approval transaction view.

The wallet does not truncate any information when signing a personal sign request with a large message and also displays the verifying contract for EIP-712 objects.

The wallet parses and displays the details when attempting to sign an EIP-712 object.

The wallet refuses to process a transaction when providing addresses with invalid checksums (EIP-55 address checksum).

Sign button is always enabled.

The wallet provides clickable links when attempting to send a transaction and while querying the wallet history.

The wallet offers the option to enable biometric authentication during the initial setup; however, if the user opts out, it does not enforce authentication before revealing the mnemonics. When biometric authentication is enabled, the wallet enforces authentication before revealing them.

The wallet does not feature any manual lock button.

The wallet offers the option to enable biometric authentication during the initial setup; however, if the user opts out, the wallet remains permanently unlocked. If biometric authentication is enabled, the wallet automatically locks when sent to background execution.

The wallet supports biometric authentication but does not require the user to set up a PIN or password.

The wallet displays a warning about the risks of copying mnemonics to the clipboard but does not restrict users from taking screenshots of them.

The wallet displays a clear warning about the risks of sharing or revealing mnemonics or private keys before allowing the user to view them.

The wallet will not allow dApp connection when visiting a dApp flagged as malicious by the browser.

The wallet successfully warns users from interacting with a known phishing address, such as the Tornado Cash attacker.

The wallet does not inform users when they are interacting with well-known, verified dApps.

The wallet does not warn users when they are not interacting with a previously known or trusted address while sending a transaction within the dApp, but it does warn when attempting to send a transaction manually.

The wallet displays the dApp url in full within the connection dialog.

The wallet’s NFT section does not display any NFTs, and while it filters out some scam or spam tokens, the filtering is not comprehensive.

The wallet clearly informs users, within the connection dialog, that by connecting they are allowing the dApp to view their wallet balance and activity, but not to request transaction approvals.