Tomo

The wallet requires user confirmation for every request.

The wallet requires a user connection for every request.

The wallet requires the user to unlock the wallet for every request.

The wallet refuses to sign an EIP-712 object with a chain id that does not match the currently active chain.

The `eth_sign` method is disabled by default.

The wallet did not emit any warnings to the user when signing a message with a domain or scheme mismatch.

The wallet displays a list of connected dApps and provides the option to disconnect from them either individually or all at once.

Wallet lacks built-in token allowance revocation. No in-app redirection to third-party services for this function was detected.

The wallet requires user confirmation before switching chains.

The wallet does not offer transaction simulation, as it is not displaying all the incomes and outcomes of the transaction.

The wallet displays the spender address, token, and amount but does not include the function. It is unclear who is receiving the approval, and it shows a large number instead of indicating 'Unlimited' for the amount of the token being approved.

The verifying contract is displayed in the EIP-712 object, and the wallet does not truncate large inputs in a personal sign request.

The wallet does not parse EIP-712 objects from well-known contracts and protocols.

The wallet successfully prevents the user from sending transactions with invalid checksum addresses in both scenarios, through the dApp and within the wallet itself.

The wallet forces the user to scroll down on large messages before signing in personal sign, though the Sign button is slightly clipped. This issue does not occur when signing an EIP-712 object.

The wallet provides a link to the dApp requesting the transaction in the transaction preview and displays the transaction hash in the wallet history.

The wallet provides seed-phrase backup functionality and requires authentication to access mnemonics.

The wallet features a lock button to lock it manually in the main menu.

The wallet does not have an auto-lock option in the settings menu, but it locks itself after 20 minutes of inactivity.

The wallet enforces an 8-character password with letters, numbers, and a special character, preventing easy-to-guess passwords like 11111111 or 12345678.

The wallet allows copying mnemonics to the clipboard for over a minute without providing any warning about the risks.

The wallet warns users about the risks of sharing mnemonics through an "Important" message, which is hidden by default, and reveals a warning when clicked.

The wallet effectively warns users within the connection dialog when they attempt to access a malicious dApp.

The wallet successfully warns the user about a deceptive address while trying to send funds to the Tornado Cash Attacker address.

The wallet does not inform the user when they are connecting to a well-known verified URL.

The wallet does not inform the user when attempting to send a transaction to an address that has not been previously interacted with.

The wallet displays the dApp URL in full within the connection dialog when attempting to connect.

The wallet does not display a list of NFTs owned by the user.

The wallet does not inform users about the permissions or actions the dApp will have after connecting.