TokenPocket

The wallet has Wallet Connect and it requires user confirmation before processing each request to the following RPC endpoints: wallet_addEthereumChain, wallet_watchAsset, eth_decrypt, eth_getEncryptionPublicKey, eth_signTypedData*, personal_sign, eth_sendTransaction.

The wallet has an embedded browser and it requires user confirmation before processing each DApp request to the following RPC endpoints: wallet_addEthereumChain, wallet_watchAsset, eth_decrypt, eth_getEncryptionPublicKey, eth_signTypedData*, personal_sign, eth_sendTransaction.

The wallet implements Wallet Connect and it requires users to unlock it to process requests from DApps to the following RPC endpoints when in a locked state: wallet_addEthereumChain, wallet_watchAsset, eth_decrypt, eth_getEncryptionPublicKey, eth_signTypedData*, personal_sign, eth_sendTransaction.

The wallet neither refuses nor warns the user when attempting to sign an EIP-712 object with a chainId that does not match the currently active chain.

The eth_sign method is disabled by default.

The wallet warns users of a domain or scheme mismatch when signing an EIP-4361 (Sign in With Ethereum - SIWE) message.

The wallet lists connected dApps and allows effective access revocation.

The wallet provides a built-in revoke approvals feature through a well-designed interface, allowing users to easily review and revoke existing token approvals.

The wallet does not process requests to an endpoint if the network is not included in the list of predefined networks.

The wallet does not provide a transaction simulation when attempting to sign or before executing a transaction.

The wallet provides a clear interface for users to review an approve transaction, showing token, amount, effect and spender address.

The user can scroll through lengthy messages to review the data before signing. The wallet also displays the verifying contract when signing an EIP-712 message.

The wallet does not parse OpenSea EIP-712 objects but it does parse ERC20 token permits.

The wallet does not warn users when providing addresses with invalid checksums (EIP-55 address checksum).

Sign buttons are always enabled.

The wallet includes clickable links when viewing transaction history but does not provide any within the transaction details view.

The wallet requires authentication before revealing mnemonics or private keys.

The wallet does not feature a manual lock button.

The wallet does not auto-lock by default; users must manually enable the app lock feature to activate it. When enabled, the default inactivity timeout for auto-locking is set to 5 minutes.

The wallet allows easy-to-guess eight-digit passwords without rate-limiting login attempts. It also supports biometric authentication.

When attempting to copy mnemonics, the wallet displays a clear warning message about the risks of sharing them and also prevents users from taking screenshots.

The wallet warns users about the risks associated with sharing or revealing mnemonics or private keys.

The wallet does not alert about connections to known phishing dApps.

The wallet does not warn or prevent users from interacting with a known phishing address, such as the Tornado Cash attacker.

The wallet does not inform users when they are interacting with well-known dApps.

The wallet does not warn users when interacting with an unknown or untrusted address through a dApp, but it does display a warning when attempting to send a transaction manually.

The wallet displays the dApp URL in full, without truncation, within the connection dialog.

The wallet fails to filter out spam or scam NFTs sent to the wallet.

The wallet clearly informs users, within the connection dialog, that by connecting they are allowing the dApp to view their wallet balance and activity, as well as to request transaction approvals.