TokenPocket

It does require user confirmation before precessing the requests.

The wallet requires user connection to access the RPC endpoints.

It requires users to unlock the wallet to process requests from dApp to all the RPC endpoints.

The wallet allows to sign an EIP-712 message with a chainId that does not match the currently active chain.

The eth_sign method is disabled by default. You need to activate it in the advanced settings.

The wallet does not warn the user of a domain or scheme mismatch when signing a SIWE message.

The wallet provides a list of connected dApps and offers users the option to revoke access to all of them or revoke them individually. This function works properly, effectively disconnecting from the selected dApp.

The wallet offers the ability to list and revoke token approvals via in-app functionality

The wallet does not require user confirmation before switching chains.

The wallet fails to provide all the incomes and outcomes of the transaction.

It shows the token, the amount, the spender contract address and the effect.

The wallet displays large messages in personal sign requests without truncation, but fails to show the verifying contract in the OpenSea contract EIP-712 object.

The wallet displays plain data instead of parsing the EIP-712 object.

The wallet warns the user when attempting to manually send a transaction with an invalid checksum address and also blocks such transactions within the dApp.

The sign button is available from the start.

The wallet provides clickable links in the history but not in the transaction preview.

The wallet provides seed-phrase backup functionality and requires authentication to access mnemonics or private keys.

The wallet features a lock button to lock it manually in the settings menu.

The wallet does not offer any auto-lock options and does not lock itself after 20 minutes of inactivity.

The wallet requires passwords to be at least 8 characters long, but does not prevent the use of easy-to-guess passwords such as 12345678.

The wallet allows users to copy mnemonics to the clipboard but provides a warning about the risks involved.

The wallet warns users about the risks of sharing or revealing their mnemonics or private keys through a mini quiz, where the user must check all fields.

No warning or alerts emitted while trying to connect to phishing dApps.

The wallet does not warn the user when interacting with a well-known scamming address, such as the Tornado Cash Attacker address.

The wallet does not feature a verified domain indicator for well-known dApps.

The wallet does not inform the user that he is interacting with an unknown address.

The wallet displays the full URL of the dApp without truncation.

The wallet is showing both, spam and legit NFTs.

The wallet's connection dialog provides no information about granting the dApp access to view the wallet balance, activity, or request transaction approvals.