Zerion

The wallet has an embedded browser, it requires user confirmation before processing each request to the following RPC endpoints: wallet_addEthereumChain, wallet_watchAsset, eth_decrypt, eth_getEncryptionPublicKey, eth_signTypedData*, personal_sign, eth_sendTransaction.

The wallet has an embedded browser, it requires user confirmation before processing each DApp request to the following RPC endpoints: wallet_addEthereumChain, wallet_watchAsset, eth_decrypt, eth_getEncryptionPublicKey, eth_signTypedData*, personal_sign, eth_sendTransaction.

The wallet implements Wallet Connect and it requires users to unlock it to process requests from DApps to the following RPC endpoints when in a locked state: wallet_addEthereumChain, wallet_watchAsset, eth_decrypt, eth_getEncryptionPublicKey, eth_signTypedData*, personal_sign, eth_sendTransaction.

The wallet allows signing of an EIP-712 object even when its chain ID does not match the currently active chain.

The wallet allows the use of the eth_sign method but internally converts it to personal_sign with the message encoded as bytes.

The wallet does not warn users of a domain or scheme mismatch when signing an EIP-4361 (Sign in With Ethereum - SIWE) message.

The wallet lists connected dApps and allows effective access revocation.

The wallet does not provide an option to revoke token approvals, either through in-app functionality or via links to external dApps.

The wallet does not prompt the user for confirmation when switching networks, and it does not provide a way to modify networks within the connection dialog.

The wallet leverages transaction simulation, effectively displaying all incoming and outgoing assets involved in the transaction.

The wallet displays the spender address, token, effect, and amount being approved in an ERC-20 approval transaction.

The wallet does not display the verifying contract in EIP-712 objects and truncates messages in personal sign requests.

The wallet attempts to parse the EIP-712 object, although its interpretation does not appear to be very accurate or clear.

The wallet does not warn users when entering addresses with invalid checksums. Testing both manually and through a dApp showed no warnings in any case.

The sign button remains enabled at all times, and the message is truncated.

The wallet includes clickable links in both the transaction preview and the wallet history.

The wallet enforces authentication to display the mnemonics or private keys.

The wallet does not include a button to manually lock the wallet.

The wallet does not lock itself after 1 minute of inactivity, when moved to background execution, or when the device gets locked. It also does not offer a settings menu to adjust the auto-lock time.

The wallet does not allow easy-to-guess passwords and supports biometric authentication.

The wallet does not allow taking screenshots or copying mnemonics to the clipboard.

The wallet warns users about the risks of sharing or revealing their mnemonics or private keys before displaying them.

The wallet displays a clear warning message and blocks interactions with known phishing dApps.

The wallet successfully alerts users when interacting with known phishing or scam addresses, such as the Tornado Cash attacker.

The wallet does not prompt a connection dialog in several popular dApps (such as Uniswap, SushiSwap, or OpenSea). While it did display a connection dialog for 1inch, it did not inform the user that they were connecting to a well-known, verified dApp.

The wallet does not warn the user when they are not interacting with a previously known or trusted address.

When the connection dialog appears, it displays the dApp’s full origin URL without any truncation.

The wallet successfully filters out scam and spam NFTs and tokens.

The wallet clearly informs users, within the connection dialog, that by connecting they are allowing the dApp to view their wallet balance and activity, as well as to request transaction approvals.