Phantom

The wallet requires user confirmation before processing each dApp request to all of the RPC endpoints.

The wallet requires user connection to access the RPC endpoints.

The wallet requires the user to unlock it before processing each request.

The wallet refuses to sign an EIP-712 object with a chainId that does not match the currently active chain.

The `eth_sign` method is disabled by default, and the wallet forces the user to cancel the request.

The wallet does not warn users of a domain or scheme mismatch when signing a SIWE message.

The wallet provides a list of connected dApps and offers users the option to revoke access to all of them or revoke them individually. This function works properly, effectively disconnecting from the selected dApp.

The wallet does not provide a built-in or third-party option to revoke token approvals.

The wallet switches chains without requesting user confirmation. Additionally, it does not offer a list of networks for the user to select or approve, limiting control over which networks the connected dApp can access.

The wallet accurately displays all transaction incomes and outcomes, including the NFT received when adding liquidity to the pool.

The wallet fails to clearly specify the token being approved or the exact spender in approval transactions. Instead, it displays a generic message, an unlabeled spender address, and raw hex data, making it difficult for users to interpret. Since it does not explicitly show the approved token and spender.

The wallet displays large messages in personal sign requests without truncation and it shows the verifying contract in the EIP-712 object.

The wallet attempts to parse EIP-712 objects.

The wallet prevents transactions from being sent to addresses with invalid checksums, whether entered manually or provided by a dApp. It also displays an "Invalid address" message when attempting to send a transaction manually.

The sign button is available from the start.

The wallet provides clickable links in both the transaction preview and history, but the links in the transaction preview do not function properly.

The wallet provides seed-phrase backup functionality and requires authentication to access mnemonics or private keys.

The wallet features a lock button to lock it manually in the settings menu.

The wallet provides an auto-lock timer and, by default, locks itself after 15 minutes of inactivity.

The wallet requires passwords to be at least 8 characters long, but does not prevent the use of easy-to-guess passwords such as 12345678.

The wallet correctly prevents mnemonics from being copied to the clipboard.

The wallet provides warnings to users about the risks of sharing or revealing their mnemonics or private keys to others.

The wallet displays a warning before connecting to these sites.

The wallet does not warn the user when attempting to send funds to a well-known phishing address, such as the Tornado Cash Attacker address.

Wallet does not inform the user when trying to connect to a well-known, verified url.

The wallet warns the user when attempting to send funds to an unknown address, but only when entering the address manually, not when using a dApp.

The wallet displays de dApp origin url in full.

The wallet effectively filters out spam and scam NFTs.

The wallet informs users within the connection dialog that connecting allows the dApp to view their wallet balance and activity but does not mention that the dApp will be able to request transaction approvals.