Crypto App Testing Checklist (Wallets, Trading, DeFi — 2026)


February 10, 2026 · 3 min read · Testing Checklists

Crypto apps carry irreversible-transaction risk, high-value user accounts, and active attackers. A bug that would be an inconvenience in another category is a financial loss here. This checklist is paranoid on purpose.

Onboarding

  1. New wallet creation shows seed phrase
  2. Seed phrase export flow forces user confirmation (re-enter N words)
  3. Seed phrase never sent to server (stays on device; confirm with a proxy capture of onboarding traffic, not just by reading the code)
  4. Seed phrase cannot be screenshotted or screen-captured without explicit user action (Android: FLAG_SECURE on the window; iOS has no direct equivalent, so test whatever mitigation the app uses)
  5. Biometric + passcode required after onboarding
  6. Existing wallet import (seed, keystore, hardware) works

Wallet security

  1. Private keys encrypted at rest (never in plain files, SharedPreferences / UserDefaults, logs, or device backups)
  2. Keychain / Keystore used correctly (not plain disk)
  3. Biometric unlock required per transaction (or session-based per policy)
  4. Tamper detection — rooted / jailbroken device flagged or refused
  5. Screen recording disabled on sensitive screens
  6. Clipboard cleared after copy
  7. Session timeout aggressive (2-5 min)

Transactions

  1. Send flow — recipient address validated (EIP-55 checksum on EVM chains: mixed-case input that fails the checksum is rejected; all-lowercase input carries no checksum and should get a warning)
  2. Amount input — decimal precision respected per token
  3. Gas / fee clearly shown and editable (advanced)
  4. Confirmation screen shows all details
  5. User approves with biometric
  6. Transaction broadcast — tx hash returned
  7. Pending state visible until confirmed
  8. Transaction history persists

Receive

  1. Address displayed
  2. QR code scannable
  3. Request amount with memo
  4. Address generation per-account or static (per design)

Network / chain

  1. Multiple networks supported (Ethereum, Polygon, Arbitrum, etc.)
  2. Network switch updates balance and transactions
  3. Testnet mode for development
  4. Custom RPC addable
  5. Block explorer link per transaction

Token / asset management

  1. Native token + ERC-20 / SPL / etc. supported
  2. Add custom token by address
  3. Hide / remove unwanted tokens
  4. Balance accurate (real-time or refreshable)
  5. Fiat value conversion reasonable

NFTs

  1. NFT display with metadata
  2. Sort / filter by collection
  3. Transfer NFT works
  4. Invalid metadata handled gracefully (broken image → placeholder)

Trading / swaps

  1. Quote fetch within 2 seconds
  2. Slippage configurable
  3. Price impact displayed
  4. MEV protection option
  5. Approval transaction required first (ERC-20), with the approved amount shown; an unlimited (2^256-1) allowance is never the silent default
  6. Swap confirmation accurate
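Items 2, 3, 5 and 6 can be checked against arithmetic rather than by eye. The following is an added example, not SUSA's code or any DEX's code: it assumes a constant-product pool (x*y=k) with a fee in basis points, which is one common quote source; aggregator quotes are computed differently, but the minimum-received, price-impact and approval checks apply to any swap. `quote_out`, `min_out`, `price_impact_bps` and `review_confirmation` are this example's own names, and the `screen` and `quote` dicts are constructed test data standing in for what the app displays and what the quote API returned.

```python
# Added example, not SUSA's code. Integer-only swap arithmetic for checking a
# confirmation screen against the quote it was built from.

UNLIMITED = 2**256 - 1
BPS = 10_000


def quote_out(amount_in, reserve_in, reserve_out, fee_bps=30):
    """Output of a constant-product swap after the pool fee (Uniswap v2 style math)."""
    with_fee = amount_in * (BPS - fee_bps)
    return with_fee * reserve_out // (reserve_in * BPS + with_fee)


def min_out(amount_out, slippage_bps):
    """Lowest acceptable output for the user's slippage setting. The on-chain call must
    revert below this, otherwise 'slippage configurable' is cosmetic."""
    if not 0 <= slippage_bps < BPS:
        raise ValueError("slippage must be in [0, 10000) bps")
    return amount_out * (BPS - slippage_bps) // BPS


def price_impact_bps(amount_in, reserve_in, reserve_out, fee_bps=30):
    """How far the execution price falls short of the spot price, fee excluded."""
    got = quote_out(amount_in, reserve_in, reserve_out, fee_bps)
    spot = amount_in * (BPS - fee_bps) * reserve_out // (reserve_in * BPS)
    return BPS - got * BPS // spot


def review_confirmation(screen, quote, slippage_bps, warn_impact_bps=500):
    """Compare the confirmation screen (dict) with what the quote (dict) implies.
    Returns a list of findings; an empty list means the screen is accurate."""
    findings = []
    expected_min = min_out(quote["amount_out"], slippage_bps)
    if screen["min_received"] != expected_min:
        findings.append(f"min received {screen['min_received']} != expected {expected_min}")
    if screen["price_impact_bps"] != quote["price_impact_bps"]:
        findings.append("price impact shown does not match the quote")
    if quote["price_impact_bps"] >= warn_impact_bps and not screen.get("impact_warning"):
        findings.append(f"impact of {quote['price_impact_bps']} bps shown without a warning")
    if "approval_amount" in screen:  # absent for native-token swaps, which need no approve()
        if screen["approval_amount"] == UNLIMITED:
            findings.append("approval is unlimited; should be bounded to amount_in")
        elif screen["approval_amount"] < quote["amount_in"]:
            findings.append("approval smaller than amount_in; the swap will revert")
    return findings
```

With equal reserves of 10^6 and a trade of 10^5 (10% of the pool), the fee-excluded impact comes out at 907 bps, which is the kind of number a screen should refuse to hide behind a green button.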

DeFi integrations

  1. dApp browser / WalletConnect signing
  2. Transaction details readable (not raw calldata)
  3. Warning on suspicious contracts
  4. Revoke approvals flow functional
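Item 2 (readable details, not raw calldata) and the approval concern behind item 4, as an added example that is not SUSA's code or any wallet's code. It decodes the three ERC-20 calls a dApp or WalletConnect session most often asks the user to sign. The selectors are the first four bytes of keccak256 of the canonical signatures (`approve(address,uint256)` is `095ea7b3`); `decode_erc20_call` and `describe_request` are this example's own names, and the calldata in the test is constructed.

```python
# Added example, not SUSA's code. Decode ERC-20 calldata for a confirmation
# screen and produce the warnings the user needs before signing.

UNLIMITED = 2**256 - 1
ZERO_ADDRESS = "0x" + "00" * 20

# selector -> (function name, ((argument name, ABI type), ...))
ERC20_ABI = {
    "095ea7b3": ("approve", (("spender", "address"), ("amount", "uint256"))),
    "a9059cbb": ("transfer", (("to", "address"), ("amount", "uint256"))),
    "23b872dd": ("transferFrom", (("from", "address"), ("to", "address"), ("amount", "uint256"))),
}


def decode_erc20_call(calldata_hex: str) -> dict:
    """Split calldata into selector + 32-byte ABI words and name the arguments.
    Unknown selectors are returned undecoded rather than guessed at."""
    raw = bytes.fromhex(calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex)
    if len(raw) < 4:
        raise ValueError("calldata shorter than a 4-byte selector")
    selector, body = raw[:4].hex(), raw[4:]
    if selector not in ERC20_ABI:
        return {"function": None, "selector": "0x" + selector, "raw_args": body.hex()}
    name, params = ERC20_ABI[selector]
    if len(body) != 32 * len(params):
        raise ValueError(f"{name} expects {32 * len(params)} argument bytes, got {len(body)}")
    decoded = {"function": name}
    for i, (pname, ptype) in enumerate(params):
        word = body[32 * i: 32 * (i + 1)]
        if ptype == "address":
            if any(word[:12]):  # ABI left-pads addresses with zero bytes; anything else is malformed
                raise ValueError(f"{pname}: non-zero padding in address word")
            decoded[pname] = "0x" + word[12:].hex()
        else:
            decoded[pname] = int.from_bytes(word, "big")
    return decoded


def _readable(units: int, decimals: int) -> str:
    whole, frac = divmod(units, 10 ** decimals)
    frac_s = str(frac).rjust(decimals, "0").rstrip("0")
    return f"{whole}.{frac_s}" if frac_s else str(whole)


def describe_request(calldata_hex: str, decimals: int = 18, symbol: str = "TOKEN"):
    """Return (one-line summary for the confirmation screen, list of warnings)."""
    d = decode_erc20_call(calldata_hex)
    if d["function"] is None:
        return (f"unknown function {d['selector']}; raw data must be shown",
                ["unrecognised contract call: show the calldata, never auto-sign"])
    warnings = []
    amount = d["amount"]
    amount_s = "unlimited" if amount == UNLIMITED else _readable(amount, decimals)
    if d["function"] == "approve":
        if amount == UNLIMITED:
            warnings.append("unlimited approval: the spender can move the whole balance at any time")
        summary = f"approve {d['spender']} to spend {amount_s} {symbol}"
    elif d["function"] == "transfer":
        summary = f"transfer {amount_s} {symbol} to {d['to']}"
    else:
        summary = f"transfer {amount_s} {symbol} from {d['from']} to {d['to']}"
    if d.get("to") == ZERO_ADDRESS:
        warnings.append("recipient is the zero address: tokens would be burned")
    return summary, warnings
```

The point of returning the unknown-selector case undecoded is that the screen must then show the raw data and an explicit warning, not a friendly-looking blank; a dApp that sends an unfamiliar selector is exactly the case where the user needs to stop.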

Security warnings

  1. Sending to unknown address warns user
  2. High-value transaction extra confirmation
  3. Phishing detection (known malicious addresses)
  4. Contract risk indicators visible
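The recipient classification behind items 1 to 3, as an added example that is not SUSA's code or any wallet's code. It goes one step beyond the list: besides the known-malicious list and the first-transfer warning, it flags addresses that share their leading and trailing characters with one the user has sent to before but differ in the middle, which is the address-poisoning pattern that abbreviated address displays invite. The history, blocklist and addresses are constructed sample data; `classify_recipient` and `send_warnings` are this example's own names.

```python
# Added example, not SUSA's code. Recipient checks a send flow should run before
# it asks for the biometric confirmation.


def _norm(addr: str) -> str:
    return addr.lower()  # compare case-insensitively; EIP-55 case is display only


def classify_recipient(addr, history, blocklist, prefix=4, suffix=4):
    """'blocked'    on the known-malicious list: refuse the send
       'known'      user has sent here before: no warning
       'lookalike'  same first/last characters as a known address, different address
       'unknown'    first transfer to this address"""
    a = _norm(addr)
    if a in {_norm(b) for b in blocklist}:
        return "blocked"
    known = {_norm(h) for h in history}
    if a in known:
        return "known"
    head, tail = a[2:2 + prefix], a[-suffix:]
    for k in known:
        if k[2:2 + prefix] == head and k[-suffix:] == tail:
            return "lookalike"
    return "unknown"


def send_warnings(addr, amount_units, history, blocklist, high_value_units):
    """Return (classification, warnings the UI must show). The high-value threshold is
    a policy value in base units; it is passed in rather than guessed."""
    cls = classify_recipient(addr, history, blocklist)
    warnings = []
    if cls == "blocked":
        warnings.append("recipient is on the known-malicious list; sending is refused")
    elif cls == "lookalike":
        warnings.append("recipient matches the start and end of an address you used before "
                        "but is not the same address; verify every character")
    elif cls == "unknown":
        warnings.append("first transfer to this address")
    if amount_units >= high_value_units:
        warnings.append("high-value transfer; extra confirmation required")
    return cls, warnings
```

A test for item 1 therefore has two halves: a genuinely new address must produce the ordinary warning, and a look-alike of a previously used address must produce the stronger one, since that is the case a user skimming the first and last four characters will not catch.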

Fiat on / off ramp

  1. KYC flow works (ID upload, verification)
  2. Purchase with card works via partner
  3. Sell / withdraw to bank works
  4. Transfer limits visible

Staking / yield

  1. Stake flow clear
  2. APY / rewards accurate
  3. Unstake / unbond works per chain rules
  4. Claim rewards functional

Accessibility

  1. Amount fields announce value
  2. Seed phrase words keyboard-accessible
  3. Large text respected
  4. Color not sole indicator of status

Performance / network

  1. Balance refresh non-blocking
  2. Multi-chain fetch parallel, not serial
  3. Offline mode shows cached balance with staleness indicator

Edge cases

  1. Network fork — app shows both sides clearly
  2. RPC downtime — clear message, retry
  3. Failed (reverted) transaction — fee handling clear: gas used up to the revert is still charged, only the unused part of the gas limit comes back
  4. Reorg mid-confirmation — handled
  5. Very large balance display (wei → readable)
  6. Many tokens (500+) — UI scales
  7. Cross-device session — only one device active per account
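Edge case 5 here (wei to readable) and the Transactions item "amount input — decimal precision respected per token" are the two directions of one conversion, so one added example covers both; it is not SUSA's code or any wallet's code. It works in integers and strings only: going through a float (`int(float(text) * 10**decimals)`) can be off by a few base units at 18 decimals, and a wallet that rounds in the user's disfavour is a bug that costs money. `parse_amount`, `format_amount` and `rejects` are this example's own names; `decimals` is the token's precision (18 for ETH, 6 for USDC).

```python
# Added example, not SUSA's code. Exact conversion between typed amounts and
# integer base units, and back, without floating point.
from typing import Optional


def parse_amount(text: str, decimals: int) -> int:
    """'1.5' with decimals=6 -> 1500000. Rejects signs, exponents, thousands
    separators, non-ASCII digits and more fractional digits than the token has;
    those would otherwise be silently truncated or rounded."""
    s = text.strip()
    whole, dot, frac = s.partition(".")
    if not dot:
        frac = ""
    digits = set("0123456789")
    if not (whole or frac) or any(c not in digits for c in whole + frac):
        raise ValueError(f"not a plain decimal number: {text!r}")
    if len(frac) > decimals:
        raise ValueError(f"{text!r} has {len(frac)} fractional digits; token allows {decimals}")
    units = int(whole or "0") * 10 ** decimals + int(frac.ljust(decimals, "0") or "0")
    if units <= 0:
        raise ValueError("amount must be greater than zero")
    return units


def rejects(text: str, decimals: int) -> bool:
    """True if parse_amount refuses the input; used for the negative test cases."""
    try:
        parse_amount(text, decimals)
        return False
    except ValueError:
        return True


def format_amount(units: int, decimals: int, max_frac: Optional[int] = None) -> str:
    """1500000000000000000 wei -> '1.5'. Never loses digits: a 30-digit balance renders
    exactly, and max_frac only shortens the display, marking the cut with a trailing
    '…' so the UI never claims a precision it is not showing."""
    if units < 0:
        raise ValueError("negative balances do not exist")
    whole, frac = divmod(units, 10 ** decimals)
    frac_s = str(frac).rjust(decimals, "0").rstrip("0") if decimals else ""
    if max_frac is not None and len(frac_s) > max_frac:
        frac_s = frac_s[:max_frac] + "…"
    return f"{whole}.{frac_s}" if frac_s else str(whole)
```

The round trip `parse_amount(format_amount(u, 18), 18) == u` is the property to check for a large balance; any display path that breaks it has lost or invented money somewhere.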

How SUSA tests crypto apps

The adversarial persona tries invalid addresses, malformed inputs, and extreme amounts. The security scanner checks for keys in logs, unencrypted storage, and missing FLAG_SECURE. The Hammer integration scans the APK for embedded secrets.


susatest-agent test cryptoapp.apk --persona adversarial --security-depth full

Common bugs

Crypto QA must be paranoid: every release should be tested like a pen test.

Test Your App Autonomously

Upload your APK or URL. SUSA explores like 10 real users — finds bugs, accessibility violations, and security issues. No scripts.

Try SUSA Free