Rabby Wallet

The wallet implements Wallet Connect through the embedded browser and requires user confirmation before processing each DApp request to the following RPC endpoints. It displays a success alert for adding chain methods but doesn't execute these changes within the wallet.

The wallet includes an embedded browser. It prompts users for confirmation before processing each DApp request.

When attempting to test with the delayed RUN AUTH button, locking the wallet causes the connection with the dApp to break. It displays a success alert for adding chain methods but doesn't execute these changes within the wallet.

The wallet refuses to attempt to sign an EIP-712 object with a chainId that does not match the currently active chain.

The 'eth_sign' method is disabled by default

The wallet doesn't warn users of domain or scheme mismatches when signing an EIP-4361 message.

The wallet does not display a list of all connected dApps but allows users to revoke access directly within each dApp.

The wallet can clearly list and revoke token approvals via in-app functionality.

Does not require user confirmation before processing the switchChain method, and the connect dialog shows the connected chain.

The wallet clearly displays the NFT received when contributing liquidity to a pool, as well as the incomes and outcomes when performing a swap.

Includes the contract address in Token Approval ("view Raw" button), the token, effect, allowance, and contract spender address.

There is a verification contract present in the displayed object, and it does not truncate large input messages during a personal signature.

The wallet parses EIP-712 objects for well-known contracts/protocols, like detailing Opensea Seaport listings or ERC-20 Permits

With the dApp, the wallet rejects requests containing addresses with invalid checksums. It does not process transactions with improperly formatted addresses. However, the "Send" button of the app allows sending a transaction with an invalid checksum. When performing the transaction with WalletConnect, the wallet corrected the address and allowed the transaction to be sent.

The wallet displays truncated message content. The sign button is immediately available without the need to review the entire message.

The wallet omits clickable links during the transaction sending process, but not in the transaction history.

After clicking the 'Backup Seed Phrase' button, the wallet requires a password to display the mnemonics or private keys.

The wallet lacks a manual lock feature. Instead, it offers a "Delete account" button.

The wallet does not automatically lock after 1 minute of inactivity when the device gets locked, or when the app is moved to background execution. While you can set an auto-lock time, the minimum duration is 5 minutes. It will automatically lock after 24 hours of inactivity.

Allows weak passwords (e.g., 12345678) and doesn't block further attempts after the fifth failed password attempt. Face ID can be enabled; however, it is not exclusive, as users can still enter the password at any time.

The wallet prevents screenshot capture. Attempted screenshots result in a solid-colored image with a "Safety Alert", protecting sensitive data. However, copying is allowed, and the copied information remains in the clipboard for over a minute without a warning. After entering the password, the next screenshot is the solid-colored image

After the confirm button and under solid color, there is a "Safety Alert" and above the mnemonics display, there is a warning about the risks of sharing mnemonics and private keys. The wallet alerts users about taking screenshots and sharing mnemonics but doesn't warn against copying the mnemonics.

The wallet doesn't alert about connections to unknown dApps or known phishing DApps. For example in the screenshots,https://main--wallettesting.netlify.app and https://arbitrum-token-bridge-cqjggprvn-offchain-labs.vercel.app/

The wallet does not alert users about interactions with known phishing or scam addresses.

The wallet informs users when they are interacting with well-known, verified URLs (DApps) with a level of site popularity like Uniswap

The wallet alerts users when interacting with unfamiliar or untrusted addresses. It prevents signing transactions after users dismiss these warnings.

The wallet displays the DApp origin URL in the 'Connect' dialog.

The wallet by default doesn't hides spam tokens, legitimate tokens, or NFTs;

The wallet does not display the permissions granted to DApps during the connection process.