Rainbow

The wallet has Wallet Connect and it requires user confirmation before processing each request to the following RPC endpoints: wallet_addEthereumChain, wallet_watchAsset, eth_decrypt, eth_getEncryptionPublicKey, eth_signTypedData*, personal_sign, eth_sendTransaction.

The wallet has an embedded browser and it requires user confirmation before processing each DApp request to the following RPC endpoints: wallet_addEthereumChain, wallet_watchAsset, eth_decrypt, eth_getEncryptionPublicKey, eth_signTypedData*, personal_sign, eth_sendTransaction.

The wallet requires users to authenticate with their phone’s biometrics or passcode to process every request, as it is asking for biometrics/passphrase for every single transaction request.

The wallet does not refuse or warns the user when attempting to sign an EIP-712 object with a chainId that does not match the currently active chain.

The wallet does not support the eth_sign method.

The wallet does not warn users of a domain or scheme mismatch when signing an EIP-4361 (Sign in With Ethereum - SIWE) message.

The wallet lists connected dApps and allows effective access revocation.

The wallet does not offer the ability to list and revoke token approvals, via in-app functionality or links to external dApps.

The wallet does not prompt the user for confirmation when switching networks, and it does not provide a way to modify networks within the connection dialog.

The wallet successfully displays all incoming and outgoing assets in the transaction preview.

The wallet displays the effect, token, and token amount but does not clearly indicate the recipient of the token approval, requiring the user to browse the signature to locate it.

The wallet does not truncate large messages when signing a personal sign request and also displays the verifying contract of an EIP-712 object under “More details.”

The wallet attempts to parse an EIP-712 object and warns the user that the transaction might fail.

The wallet rejects transactions with invalid checksum addresses, whether entered manually or through a dApp.

When presented with a large message in a personal sign request, the confirm button remains enabled at all times.

The wallet provides clickable links when attempting to send a transaction or querying the wallet history.

The wallet enforces authentication before showing mnemonics or private keys.

The wallet does not feature a manual lock button.

The wallet lacks an auto-locking system and remains always unlocked. However, it requires biometrics or a passcode to process requests or display the seed phrase.

The wallet supports biometric authentication, which is enabled by default; however, if the user has no biometrics configured on the device, the wallet prompts the user to set one up in order to proceed.

The wallet allows users to copy their mnemonic phrase to the clipboard indefinitely without warning them of the risks, and it also permits taking screenshots of the seed phrase.

The wallet warns users about the risks associated with sharing or revealing mnemonics/private keys.

The wallet alerts about connections to known phishing dApps.

The wallet clearly warns the user when attempting to send a transaction to a known malicious address, such as the Tornado Cash attacker.

The wallet does not inform users when they are interacting with well-known, verified dApp.

The wallet does not warn users when they are not interacting with a previously known or trusted address.

The wallet truncates the dApp origin URL in the connection dialog.

The wallet shows spam or scam NFTs.

The wallet does not inform the user, within the connection dialog, that by connecting they are allowing the dApp to view their wallet balance and activity, as well as to request transaction approvals.