Wallet Security Ranking Methodology
We created a standard security checklist to provide transparent, objective insights into the most secure crypto wallets.
We test, you decide.
Intent Verification
We assess each wallet’s ability to provide clear, human-readable transaction summaries so you know what will happen with your assets before approving.
We test whether the wallet:
- Consistently provides clickable links to reputable explorers for all key blockchain identifiers.
- Allows users to preview the exact outcome of the requested signature by simulating the transaction in advance.
- Clearly displays all the key details for ERC-20 Approve requests.
- Clearly displays human-readable details for typed structured data (EIP-712) signature requests from well-known dApps.
- Clearly displays all signature request details without truncating or hiding information.
- Requires users to scroll through all signature request details before being allowed to proceed with signing.
- Warns users when they input addresses with invalid EIP-55 checksums.
Physical Access
We evaluate the wallet’s implementation of device-level security features, including biometric authentication (fingerprint, face ID), strong password requirements, and limits on authentication attempts.
We test whether the wallet:
- Automatically locks after a period of inactivity.
- Allows users to lock it manually.
- Minimizes exposure of secrets by limiting or warning users when copying seed phrases to the clipboard or taking screenshots.
- Employs the strongest available authentication mechanisms, including biometrics, login attempt rate-limiting, and enforcement of strong passwords.
- Requires authentication to access seed phrases or private keys.
- Warns users of the risk before allowing access to seed phrases or private keys.
Threat Prevention
We check that the wallet is integrated with up-to-date lists of known threats and conducts real-time checks of blockchain addresses and web domains before any transactions or connections.
We test whether the wallet:
- Clearly displays the dApp URL in the connection prompt.
- Prevents or alerts users about interactions with known malicious blockchain addresses.
- Informs users when interacting with a well-known dApp URL.
- Alerts users when attempting to interact with a known malicious URL.
- Informs users during the connection prompt that connecting grants dApps access to view balances, transaction history, and to request signatures.
- Hides malicious tokens and NFTs by default.
- Warns users when interacting with unknown addresses.
FAQ
- How is the wallet security score calculated?
We calculate the wallet Security Score by assessing each item on our checklist, applying a weight based on its importance, and summing the weighted scores. To guarantee objectivity, multiple Web3 security experts contribute input to determine the weights using the AHP (Analytic Hierarchy Process) framework.
- How is the wallet evaluation conducted?
Wallets are evaluated using a standardized security checklist and a custom dApp that simulates real Web3 interactions. In-house testers independently assess each wallet and cross-compare results for accuracy.
- Why are these four categories of wallet security checks important?
The four categories of checks in the wallet security ranking (dApp Permissions, Intent Verification, Threat Prevention, and Physical Access) represent a practical approach to evaluating a wallet’s protection against the real-world threats currently facing crypto users.
- Which is the most secure crypto wallet?
Use Coinspect’s objective and regularly updated Wallet Security Ranking to select the crypto wallet that best aligns with your requirements and risk profile.
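As an added example (not Coinspect’s code, and not their actual weights), the scoring scheme from the score-calculation answer above carried through in Python: AHP priority weights derived from a pairwise-comparison matrix, the AHP consistency check, and the weighted sum over pass/fail checklist results. The comparison matrix, the pass/fail results, the number of dApp Permissions items, and the equal split of a category’s weight across its items are all assumptions.

```python
from math import prod

# Saaty's random-index values, used to judge pairwise-comparison consistency.
RANDOM_INDEX = {3: 0.58, 4: 0.90, 5: 1.12}

def ahp_weights(matrix):
    """Priority vector of a reciprocal pairwise-comparison matrix via the
    geometric-mean approximation, plus the AHP consistency ratio (CR)."""
    n = len(matrix)
    gm = [prod(row) ** (1.0 / n) for row in matrix]
    total = sum(gm)
    weights = [g / total for g in gm]
    # lambda_max estimate: mean of (A*w)_i / w_i; equals n for a consistent matrix
    aw = [sum(a * w for a, w in zip(row, weights)) for row in matrix]
    lam = sum(x / w for x, w in zip(aw, weights)) / n
    cr = ((lam - n) / (n - 1)) / RANDOM_INDEX[n]
    return weights, cr

def security_score(category_weights, results):
    """results maps category -> list of pass/fail booleans, one per checklist
    item. Assumption: items within a category share its weight equally."""
    score = sum(w * sum(results[c]) / len(results[c])
                for c, w in category_weights.items())
    return round(100 * score, 1)

CATEGORIES = ["Intent Verification", "Threat Prevention",
              "Physical Access", "dApp Permissions"]
# Constructed judgements on Saaty's 1-9 scale (reciprocals below the diagonal).
PAIRWISE = [
    [1,     2,     3,   2],
    [1 / 2, 1,     2,   1],
    [1 / 3, 1 / 2, 1,   1 / 2],
    [1 / 2, 1,     2,   1],
]
# Constructed pass/fail results; the first three item counts match the
# checklists on this page, the dApp Permissions count is made up.
RESULTS = {
    "Intent Verification": [True, True, False, True, True, False, True],
    "Threat Prevention": [True] * 7,
    "Physical Access": [True, False, True, False, False, True],
    "dApp Permissions": [True, True, False],
}

def demo():
    weights, cr = ahp_weights(PAIRWISE)
    category_weights = dict(zip(CATEGORIES, weights))
    return category_weights, cr, security_score(category_weights, RESULTS)

if __name__ == "__main__":
    print(demo())  # (category weights, consistency ratio, score out of 100)
```

A consistency ratio above 0.10 means the expert judgements contradict each other and the pairwise matrix should be revisited before its weights are used.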
Do you want to score 100?
Find out the weaknesses we identified that are holding your wallet back—contact us for the full report.
This ranking is for informational purposes only. It should not be relied on to provide legal, tax, financial, investment, or other types of advice. Coinspect does not guarantee or warrant the accuracy, completeness, timeliness, suitability, or validity of the information provided and will not be responsible for any claim attributable to reliance on errors, omissions, or other inaccuracies of any part of such information.