Rabby Wallet

The wallet has Wallet Connect through the browser, and it requires user confirmation before processing each request to the following RPC endpoints: wallet_addEthereumChain, wallet_watchAsset, eth_decrypt, eth_getEncryptionPublicKey, eth_signTypedData*, personal_sign, eth_sendTransaction.

The wallet has an embedded browser and it requires user confirmation before processing each DApp request to the following RPC endpoints: wallet_addEthereumChain, wallet_watchAsset, eth_decrypt, eth_getEncryptionPublicKey, eth_signTypedData*, personal_sign, eth_sendTransaction.

The wallet implements Wallet Connect through the browser, and it requires users to unlock it to process requests from DApps to the following RPC endpoints when in a locked state: wallet_addEthereumChain, wallet_watchAsset, eth_decrypt, eth_getEncryptionPublicKey, eth_signTypedData*, personal_sign, eth_sendTransaction.

The wallet refuses to sign an EIP-712 object with a chainId that does not match the currently active chain.

The wallet does not support the eth_sign method.

The wallet does not warn users of a domain or scheme mismatch when signing an EIP-4361 (Sign in With Ethereum - SIWE) message.

The wallet does not display a list of all connected dApps but allows users to revoke access directly within each dApp.

The wallet offers a built-in feature to revoke token approvals.

The wallet does not prompt the user for confirmation when switching networks, and it does not provide a way to modify networks within the connection dialog.

The wallet clearly displays all incoming and outgoing assets involved in the transaction when adding liquidity to a pool on Uniswap.

The wallet clearly displays the effect, token, amount, and spender address in the approval view.

The wallet does not truncate large messages when signing a personal sign request and also displays the verifying contract of an EIP-712 object.

The wallet parses EIP-712 objects for well-known contracts and protocols.

The wallet does not warn or block transactions to addresses with invalid checksums when using a dApp. However, it does provide warnings and prevents the transaction when the address is entered manually.

The sign buttons are always enabled.

The wallet includes clickable links when viewing transaction history but does not provide any within the transaction details view.

The wallet requires authentication to display the mnemonics or private keys.

The wallet does not feature a manual lock button.

The wallet does not lock when the device is locked or when the app moves to background execution. It also lacks an option to auto-lock after less than five minutes of inactivity.

The wallet allows easy-to-guess eight-digit passwords such as 11111111, and while it rate-limits failed attempts to five, the mechanism appears bugged — after the one-minute cooldown, users can retry an unlimited number of times. It also supports biometric authentication. Note: This check is marked as failed due to the ineffective rate-limiting behavior.

The wallet allows copying mnemonics to the clipboard for an unlimited amount of time without warning users about the associated risks, but taking screenshots is not permitted.

The wallet displays a clear warning about the risks of sharing mnemonics or private keys.

The wallet does not seem to be blocking phishing sites but it does not prompt the wallet name within the Wallet Connect connection dialog.

The wallet does not warn or prevent users from interacting with a known phishing address, such as the Tornado Cash attacker.

The wallet displays a green shield with a checkmark to indicate that they are interacting with a well-known, verified dApp.

The wallet warns users when they are not interacting with a previously known or trusted address.

The wallet shows the dApp origin URL in full, without any truncation.

The wallet does not filter out scam or spam NFTs.

When connecting to a dApp, the connection dialog does not inform users that they are allowing the dApp to view their wallet balance and activity or request transaction approvals.