Trust Wallet

The wallet has Wallet Connect and it requires user confirmation before processing each request to the following RPC endpoints: wallet_addEthereumChain, wallet_watchAsset, eth_decrypt, eth_getEncryptionPublicKey, eth_signTypedData*, personal_sign, eth_sendTransaction.

The wallet has an embedded browser and it requires user confirmation before processing each DApp request to the following RPC endpoints: wallet_addEthereumChain, wallet_watchAsset, eth_decrypt, eth_getEncryptionPublicKey, eth_signTypedData*, personal_sign, eth_sendTransaction.

The wallet implements Wallet Connect and it requires users to unlock it to process requests from dApps to the following RPC endpoints when in a locked state: wallet_addEthereumChain, wallet_watchAsset, eth_decrypt, eth_getEncryptionPublicKey, eth_signTypedData*, personal_sign, eth_sendTransaction.

The wallet refuses to sign an EIP-712 object with a chainId that does not match the currently active chain.

The wallet does not support the eth_sign method.

The wallet does not warn users of a domain or scheme mismatch when signing an EIP-4361 (Sign in With Ethereum - SIWE) message.

The wallet lists connected dApps and allows effective access revocation.

The wallet offers the ability to list and revoke token approvals via in-app functionality.

The wallet does not allow processing the wallet_switchEthereumChain RPC request from the dApp if the network has not been accepted under the connection dialog.

The wallet fails to show incomes and outcomes of a transaction.

The wallet shows the spender address and the effect, but not the token or amount.

The wallet does not truncate large messages when signing a personal sign request and also displays the verifying contract of an EIP-712 object.

The wallet displays the EIP-712 object as plain, unparsed data.

The wallet allows users to send a transaction with addresses with invalid checksums (EIP-55 address checksum).

Sign button is always enabled.

The wallet provides clickable links within the wallet history but not in the transaction preview.

Users can opt out of setting a passcode, and if they do, the seed phrase can be accessed without requiring authentication. Although if passcode is enabled, it forces authentication.

The wallet does not feature a manual lock button.

The wallet auto-locks itself immediately by default when moved to background execution.

The wallet allows easy-to-guess six-digit passwords such as 111111, but it rate-limits failed attempts to five. It also supports biometric authentication.

The wallet does not allow copying mnemonics to the clipboard and also prevents the user from taking screenshots.

The wallet warns users about the risks associated with sharing or revealing mnemonics/private keys.

The wallet attempts to warn users about connections to known phishing dApps.

The wallet does not prevent or alert about interactions with known phishing or scam addresses.

The dApp includes a feature to inform users about verified domains, but it is currently malfunctioning, incorrectly marking a phishing site as verified.

The wallet does not warn users when they are not interacting with a previously known or trusted address.

The wallet displays the dApp origin URL in full, without truncation, within the connection dialog.

The wallet fails to hide spam or scam NFTs sent to the wallet.

The wallet clearly informs users, within the connection dialog, that by connecting they are allowing the dApp to view their wallet balance and activity, as well as to request transaction approvals.