Phantom

Implements Wallet Connect and requires user confirmation before processing each DApp request.

The wallet has an embedded browser and requires user confirmation before processing each DApp request.

Implements WalletConnect and, when in a locked state, requires users to unlock the wallet before processing requests. This behavior was tested using a delayed method through the embedded browser connected via WalletConnect.

The wallet refuses to sign EIP-712 messages when the chain ID doesn't match the currently active chain.

The 'eth_sign' method is disabled by default, the wallet used personal_sign, converted to bytes.

The wallet doesn't warn users of domain or scheme mismatches when signing an EIP-4361 message.

It shows all connected DApps and also the chance to revoke access to them

The wallet lacks the functionality to revoke tokens approvals

It doesn´t require user confirmation before processing the method

Clearly inform the expected inputs and outputs from the execution of such transaction.

It includes contract address, token, effect, allowance, and contract spender address

Wallet displays all the information including the Domain with verifying Contract and the personal_sign with a large message.

The wallet parses EIP-712 objects for well-known contracts/protocols, like detailing Opensea Seaport listings or ERC-20 Permits

In the app, the Wallet successfully warns the user when providing an address with invalid checksums and in WC, it doesn't display a warning but prevents you from sending a transaction.

The sign button is available from the beginning and the information is truncated (it's necessary to click on it to display the full content).

The wallet includes clickable links in the transaction history and during the process of sending a transaction.

After accepting the warning and clicking “Continue,” the wallet prompts for a PIN (if activated) to display the secret words or private keys. By default, since authentication is not required, it shows a confirmation message asking whether the user is sure they want to proceed.

The wallet doesn't have a "Lock" button. Instead, it has a "Reset App" button.

By default, the wallet does not require any security measures, so it lacks automatic locking after inactivity (one minute or less), when the device is locked, or when the app is moved to the background. However, if you enable the security PIN, the auto-lock feature activates immediately when the app is moved to background execution.

The wallet gives you the option to lock it using Face ID or your phone's PIN, but it doesn't force you to use this feature. Additionally, it doesn't have the option to set a password.

The wallet allows users to copy mnemonics despite this warning, exceeding a minute without restrictions. It does not alert users about the risks of taking screenshots or prevent screenshot capture.

The wallet displays multiple warning messages about the risks of sharing mnemonics or private keys. These alerts appear both before and during the mnemonic viewing process.

The wallet does not alert users about connections to known phishing dApps like https://cloudharchive.pages.dev/

The wallet does not alert users about interactions with known phishing or scam addresses like the Tornado Cash attacker address.

The wallet doesn't inform users when they are interacting with well-known, verified URLs (DApps) like Uniswap.

The wallet clearly warns users when they interact with an unknown or untrusted address.

The wallet displays the full URL of the DApp to which we are currently connecting.

The wallet hides spam or scam tokens and NFTs.

The wallet displays a message alerting the user that the DApp can view balances and activities, but it does not mention that it can also request transaction approvals.