When a wallet is imported using Watch Mode (Address-only), the ioPay application still allows the wallet to "Connect" to external dApps and websites.
In Watch Mode, the user does not possess the private key or mnemonic; therefore, the wallet should ideally block connection requests or display a "Read-Only" warning. Allowing a connection creates a confusing user experience where users may attempt to perform transactions that will ultimately fail because there is no private key to sign them.
1. Open the ioPay app.
2. Import a wallet using Watch Mode (enter a public IoTeX address without a private key).
3. Navigate to the in-app browser or an external site (e.g., a staking portal or DEX).
4. Click "Connect Wallet."
5. Observe that the app prompts to "Approve" the connection and successfully establishes a link with the site.
The app should either:
- Prevent connection entirely for "Watch Mode" wallets.
- Provide a clear warning: "You are in Watch Mode. You cannot sign transactions or interact with this site."
The wallet behaves as if it were a full-access wallet during the initial connection phase, misleading the user and potentially exposing the tracked address to unnecessary site permissions.
Wallet Address: io1tkw393kejmxwnd454twc6020sxcyvh5dxqmren
Device & Environment:
- Operating system: Android 13
- Device model: Redmi Note 10 Pro
In Review
New Issue
25 days ago

cryptotestnet
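
One way to implement the expected behaviour described in the report, as an added example that is not ioPay's code or part of the original post: a request gate that refuses or flags dApp connections for watch-only accounts. The `gateDappRequest` function, the `hasPrivateKey` field, the policy names, and the EIP-1193-style method names and error code 4100 are assumptions; the page does not show how ioPay handles dApp requests.

```javascript
// Added example: hypothetical dApp-request gate for a wallet with watch-only accounts.
// Method names and error code follow EIP-1193 / Ethereum JSON-RPC (assumed transport).
const SIGNING_METHODS = new Set([
  "eth_sendTransaction",
  "eth_signTransaction",
  "eth_sign",
  "personal_sign",
  "eth_signTypedData_v4",
]);
const CONNECT_METHODS = new Set(["eth_requestAccounts"]);

const WATCH_WARNING =
  "You are in Watch Mode. You cannot sign transactions or interact with this site.";

// policy "block": refuse connections from watch-only accounts.
// policy "warn":  allow a read-only session, but return the warning to display.
function gateDappRequest(account, request, policy = "block") {
  // Fail closed: an account counts as signing-capable only if explicitly marked.
  const canSign = account.hasPrivateKey === true;
  if (canSign) return { allow: true, readOnly: false };

  if (CONNECT_METHODS.has(request.method)) {
    if (policy === "warn") {
      return { allow: true, readOnly: true, warning: WATCH_WARNING };
    }
    return { allow: false, error: { code: 4100, message: WATCH_WARNING } };
  }
  if (SIGNING_METHODS.has(request.method)) {
    // Reject before any "Approve" prompt is shown: there is no key to sign with.
    return { allow: false, error: { code: 4100, message: WATCH_WARNING } };
  }
  // Read-only RPC (balance, chain id) needs no private key.
  return { allow: true, readOnly: true };
}

// Constructed sample accounts (placeholder addresses, not taken from the report).
const watchOnly = { address: "io1-watch-only-placeholder", hasPrivateKey: false };
const full = { address: "io1-full-access-placeholder", hasPrivateKey: true };
```

Under either policy a signing request from a watch-only account is rejected up front, so the user never reaches an approval prompt for a transaction that cannot be signed.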