Uniswap

The wallet implements Wallet Connect and it requires user confirmation before processing each request to the following RPC endpoints: wallet_addEthereumChain, wallet_watchAsset, eth_decrypt, eth_getEncryptionPublicKey, eth_signTypedData*, personal_sign, eth_sendTransaction.

The wallet lacks an embedded browser.

If biometrics are enabled, the user is prompted to unlock the device for every single transaction.

The wallet does not refuse or warns the user when attempting to sign an EIP-712 object with a chainId that does not match the currently active chain.

The wallet does not support the eth_sign method, as the request consistently times out.

The wallet does not warn users of a domain or scheme mismatch when signing an EIP-4361 (Sign in With Ethereum - SIWE) message.

The wallet lists connected dApps and allows effective access revocation.

The wallet does not offer the ability to list and revoke token approvals, via in-app functionality or links to external dApps.

The wallet does not prompt the user for confirmation when switching networks, and it does not provide a way to modify networks within the connection dialog.

The wallet does not display all incoming and outgoing assets during a liquidity pool addition.

The approval transaction view displays the token and token address but it fails to provide amount, effect and spender address.

The wallet does not truncate large messages when signing a personal sign request but it fails to display the verifying contract of an EIP-712 object.

The wallet does not parse OpenSea EIP-712 objects but it does offers parsing on ERC20 permits.

The wallet rejects transactions when providing addresses with invalid checksums (EIP-55 address checksum), either entered manually or sending them through the dApp.

Sign buttons are always enabled.

The wallet includes clickable links when viewing transaction history and also within the transaction details view.

The wallet enforces authentication before displaying mnemonics or private keys.

The wallet does not include a manual lock button.

The wallet offers an immediate lock option when the app is sent to background execution or when the device gets locked, but this option is disabled by default.

The wallet does not require users to set up a passphrase. It supports biometrics, which users can opt out of, leaving the app unlocked. However, it clearly warns that this choice poses significant security risks.

The wallet allows copying mnemonics to the clipboard and taking screenshots without providing any explicit warning about the associated risks.

The wallet warns users about the risks associated with sharing or revealing mnemonics or private keys.

The wallet alerts users about connections to known phishing dApps, but the feature is not working properly, as some known phishing dApps are incorrectly marked as verified.

The wallet blocks a transaction to a known malicious address, such as the Tornado Cash attacker.

The wallet informs users when they are interacting with well-known, verified dApps, but the badge is also being shown in phishing dApps.

The wallet warns users when they are not interacting with a previously known or trusted address if they try to send a manual transaction, but it does not emit any warning if the transaction is done through the dApp.

The wallet displays the dApp origin URL in full, without any truncation within the connection dialog.

Although the wallet hides USDC and some legitimate tokens, it successfully filters out scam or spam tokens and NFTs.

The wallet clearly informs users, within the connection dialog, that by connecting they are allowing the dApp to view their wallet balance and activity, as well as to request transaction approvals.