Whitelist tryliquid.xyz

[franklynwang]

Summary

• Add tryliquid.xyz to whitelist.yaml.

Context

I am Franklyn, CEO of Liquid, and this is creating many problems for our users. tryliquid.xyz is Liquid's official website and should be whitelisted so it is not incorrectly flagged by Phantom.

Users are currently seeing Phantom's block page for tryliquid.xyz: "Phantom believes this website is malicious and unsafe to use." This prevents users from safely reaching the official Liquid site.

Validation

• node ./ci.js
• git diff --check

[coderabbitai]

📝 Walkthrough

Walkthrough

The PR updates the whitelist configuration file to add tryliquid.xyz as a new whitelisted domain alongside the existing nftplus.io entry. This is a straightforward configuration change affecting one file with two added lines and one removed line.

Changes

Whitelist Domains

Layer / File(s)	Summary
Whitelist domain entries whitelist.yaml	The whitelist configuration is updated to add tryliquid.xyz alongside the existing nftplus.io entry.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Title check	✅ Passed	The title 'Whitelist tryliquid.xyz' directly and concisely describes the main change in the PR: adding tryliquid.xyz to the whitelist.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@whitelist.yaml`:
- Around line 33-34: The whitelist entry "- url: tryliquid.xyz" in
whitelist.yaml must be removed or commented out until CI validation and
independent verification are completed: revert that line from whitelist.yaml,
then ensure the CI validation actually runs by fixing the runtime error (install
or add "js-yaml" to dependencies so node ./ci.js can execute successfully),
re-run node ./ci.js in CI to perform the check, obtain independent confirmation
from official Liquid/Hyperliquid project channels and a security review, and
only re-add "- url: tryliquid.xyz" to whitelist.yaml after CI passes and
verification is documented.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e39076aa-ae07-462f-bab0-acbe3134a50c

📥 Commits

Reviewing files that changed from the base of the PR and between 5030186 and 84706eb.

📒 Files selected for processing (1)

• whitelist.yaml

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Check for duplicate or overlapping whitelist entries for tryliquid.xyz

# Check for exact matches
echo "=== Checking for exact matches ==="
rg -n "tryliquid\.xyz" whitelist.yaml

# Check for potential wildcard patterns that might cover this domain
echo -e "\n=== Checking for wildcard patterns that might cover .xyz domains ==="
rg -n '\*\.xyz' whitelist.yaml

# Count total entries to ensure list is growing as expected
echo -e "\n=== Total whitelist entries ==="
rg -c '^\s*- url:' whitelist.yaml

Repository: phantom/blocklist

Length of output: 228

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== ci.js presence ==="
ls -la ./ci.js || true

echo "=== Running: node ./ci.js ==="
if command -v node >/dev/null 2>&1; then
  node ./ci.js || true
else
  echo "node not found"
fi

echo "=== Running: git diff --check ==="
if git rev-parse --is-inside-work-tree >/dev/null 2>&1; then
  git diff --check || true
else
  echo "Not a git repo (git diff --check skipped)"
fi

echo "=== Searching for tryliquid.xyz occurrences in repo ==="
rg -n --hidden --no-ignore-vcs "tryliquid\.xyz" . || true

echo "=== Searching for tryliquid partials in repo ==="
rg -n --hidden --no-ignore-vcs "tryliquid" . || true

Repository: phantom/blocklist

Length of output: 1314

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== ci.js presence ==="
ls -la ./ci.js || true

echo "=== Running: node ./ci.js ==="
if command -v node >/dev/null 2>&1; then
  node ./ci.js || true
else
  echo "node not found"
fi

echo "=== Running: git diff --check ==="
if git rev-parse --is-inside-work-tree >/dev/null 2>&1; then
  git diff --check || true
else
  echo "Not a git repo (git diff --check skipped)"
fi

echo "=== Searching for tryliquid.xyz occurrences in repo ==="
rg -n --hidden --no-ignore-vcs "tryliquid\.xyz" . || true

echo "=== Searching for tryliquid partials in repo ==="
rg -n --hidden --no-ignore-vcs "tryliquid" . || true

Repository: phantom/blocklist

Length of output: 1314

---

🌐 Web query:

tryliquid.xyz domain legitimacy

💡 Result:

The domain tryliquid.xyz is the designated website for a platform called Liquid, which functions as a decentralized perpetual futures DEX aggregator [1][2]. The legitimacy of this domain is nuanced and requires caution: 1. Official Platform Identity: The platform identifies itself as a non-custodial application that acts as an interface for the Hyperliquid protocol [1][2]. It is promoted on platforms like LinkedIn as a legitimate decentralized finance (DeFi) tool [2] and has an associated mobile application on the Apple App Store [3]. Documentation for the site exists at docs.tryliquid.xyz [4][5]. 2. Conflicting Security Reports: While the site is used by a community of traders [6], automated security scanners and some blocklist engines have flagged the domain as having a low trust score or being blacklisted [7]. Security tools often generate such alerts for newer crypto-related sites, or sites using.xyz top-level domains, due to their historical association with high rates of phishing and fraudulent activity [8]. 3. Risk Assessment: In the context of decentralized finance, even legitimate platforms carry inherent risks. Users are advised to exercise standard security protocols, such as verifying the URL directly against official project social media channels or established community forums, and ensuring they are interacting with the correct, non-phishing interface before connecting wallets or depositing funds [9]. Because DeFi platforms operate in permissionless environments, they are frequent targets for impersonation sites; users should remain vigilant for "clone" sites or similar-sounding domains that may attempt to mimic the official interface [9][8]. Given these factors, while tryliquid.xyz appears to be the intended interface for the Liquid project, the presence of security flags makes independent verification through multiple trusted sources essential before use [7][10].

Citations:

• 1: https://www.tryliquid.xyz/termsofservice
• 2: https://www.linkedin.com/posts/xyz_trading-platform-tryliquidxyz-aims-to-bring-activity-7420149340511354880-m3p3
• 3: https://apps.apple.com/ee/app/liquid-trade-like-the-1/id6744045653
• 4: https://docs.tryliquid.xyz/about-liquid/quickstart-guide
• 5: https://docs.tryliquid.xyz/
• 6: https://www.odaily.news/en/post/5210888
• 7: https://gridinsoft.com/online-virus-scanner/url/tryliquid-xyz
• 8: https://dev.to/surfether/domain-trust-scoring-for-ai-agents-checking-before-you-pay-556g
• 9: https://newsfromwales.co.uk/how-to-verify-if-spinplus-is-official-and-connected-to-legitimate-platforms/
• 10: https://www.urlvoid.com/

---

Gating requirement: don’t whitelist tryliquid.xyz until CI validation runs and the domain is independently verified.

• whitelist.yaml contains exactly one entry for - url: tryliquid.xyz; no overlapping wildcard patterns like *.xyz were found.
• node ./ci.js does not run in this environment (Cannot find module 'js-yaml'), so the stated validation step wasn’t actually completed—re-run in CI (with dependencies installed) or fix the runtime so the check can execute.
• Domain appears tied to a “Liquid”/Hyperliquid-related interface per public sources, but some URL-scanning/blocklist services flag low trust; require independent confirmation via official project channels and a security review before merging.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@whitelist.yaml` around lines 33 - 34, The whitelist entry "- url:
tryliquid.xyz" in whitelist.yaml must be removed or commented out until CI
validation and independent verification are completed: revert that line from
whitelist.yaml, then ensure the CI validation actually runs by fixing the
runtime error (install or add "js-yaml" to dependencies so node ./ci.js can
execute successfully), re-run node ./ci.js in CI to perform the check, obtain
independent confirmation from official Liquid/Hyperliquid project channels and a
security review, and only re-add "- url: tryliquid.xyz" to whitelist.yaml after
CI passes and verification is documented.