3 changes: 2 additions & 1 deletion whitelist.yaml
Expand Up @@ -30,4 +30,5 @@
- url: "*.tistory.com"
- url: "*.surge.sh"
- url: revoke.cash
- url: nftplus.io
- url: nftplus.io
- url: tryliquid.xyz
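Review bot: the new `- url: tryliquid.xyz` line at the end of this hunk adds a host to the allowlist with no supporting evidence visible in the change; link the project's official reference for the domain in the PR description so the entry can be checked before merge. Separately, `- url: nftplus.io` appears twice with identical text while the stat line records one deletion, which points to a whitespace or end-of-file newline change only; confirm that is intended and that the file now ends with a newline.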
Comment on lines +33 to +34
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Check for duplicate or overlapping whitelist entries for tryliquid.xyz

# Check for exact matches
echo "=== Checking for exact matches ==="
rg -n "tryliquid\.xyz" whitelist.yaml

# Check for potential wildcard patterns that might cover this domain
echo -e "\n=== Checking for wildcard patterns that might cover .xyz domains ==="
rg -n '\*\.xyz' whitelist.yaml

# Count total entries to ensure list is growing as expected
echo -e "\n=== Total whitelist entries ==="
rg -c '^\s*- url:' whitelist.yaml

Repository: phantom/blocklist

Length of output: 228


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== ci.js presence ==="
ls -la ./ci.js || true

echo "=== Running: node ./ci.js ==="
if command -v node >/dev/null 2>&1; then
  node ./ci.js || true
else
  echo "node not found"
fi

echo "=== Running: git diff --check ==="
if git rev-parse --is-inside-work-tree >/dev/null 2>&1; then
  git diff --check || true
else
  echo "Not a git repo (git diff --check skipped)"
fi

echo "=== Searching for tryliquid.xyz occurrences in repo ==="
rg -n --hidden --no-ignore-vcs "tryliquid\.xyz" . || true

echo "=== Searching for tryliquid partials in repo ==="
rg -n --hidden --no-ignore-vcs "tryliquid" . || true

Repository: phantom/blocklist

Length of output: 1314


🌐 Web query:

tryliquid.xyz domain legitimacy

💡 Result:

The domain tryliquid.xyz is the designated website for a platform called Liquid, which functions as a decentralized perpetual futures DEX aggregator [1][2]. The legitimacy of this domain is nuanced and requires caution:

1. Official Platform Identity: The platform identifies itself as a non-custodial application that acts as an interface for the Hyperliquid protocol [1][2]. It is promoted on platforms like LinkedIn as a legitimate decentralized finance (DeFi) tool [2] and has an associated mobile application on the Apple App Store [3]. Documentation for the site exists at docs.tryliquid.xyz [4][5].
2. Conflicting Security Reports: While the site is used by a community of traders [6], automated security scanners and some blocklist engines have flagged the domain as having a low trust score or being blacklisted [7]. Security tools often generate such alerts for newer crypto-related sites, or sites using .xyz top-level domains, due to their historical association with high rates of phishing and fraudulent activity [8].
3. Risk Assessment: In the context of decentralized finance, even legitimate platforms carry inherent risks. Users are advised to exercise standard security protocols, such as verifying the URL directly against official project social media channels or established community forums, and ensuring they are interacting with the correct, non-phishing interface before connecting wallets or depositing funds [9]. Because DeFi platforms operate in permissionless environments, they are frequent targets for impersonation sites; users should remain vigilant for "clone" sites or similar-sounding domains that may attempt to mimic the official interface [9][8].

Given these factors, while tryliquid.xyz appears to be the intended interface for the Liquid project, the presence of security flags makes independent verification through multiple trusted sources essential before use [7][10].

Gating requirement: don’t whitelist tryliquid.xyz until CI validation runs and the domain is independently verified.

  • whitelist.yaml contains exactly one entry for - url: tryliquid.xyz; no overlapping wildcard patterns like *.xyz were found.
  • node ./ci.js does not run in this environment (Cannot find module 'js-yaml'), so the stated validation step wasn’t actually completed—re-run in CI (with dependencies installed) or fix the runtime so the check can execute.
  • Domain appears tied to a “Liquid”/Hyperliquid-related interface per public sources, but some URL-scanning/blocklist services flag low trust; require independent confirmation via official project channels and a security review before merging.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@whitelist.yaml` around lines 33 - 34, The whitelist entry "- url:
tryliquid.xyz" in whitelist.yaml must be removed or commented out until CI
validation and independent verification are completed: revert that line from
whitelist.yaml, then ensure the CI validation actually runs by fixing the
runtime error (install or add "js-yaml" to dependencies so node ./ci.js can
execute successfully), re-run node ./ci.js in CI to perform the check, obtain
independent confirmation from official Liquid/Hyperliquid project channels and a
security review, and only re-add "- url: tryliquid.xyz" to whitelist.yaml after
CI passes and verification is documented.
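
The duplicate and wildcard-overlap check that the review above performs with `rg`, written as a standalone lint. This is an added example, not the repository's `ci.js` and not part of the review; it needs no `js-yaml`, parses only the flat `- url:` list form, and assumes `*.example.com` covers subdomains but not the apex. The sample list and the names `parseEntries`, `covers` and `lint` are constructed for illustration.

```javascript
// Constructed sample in the same flat "- url: <pattern>" shape as whitelist.yaml.
const SAMPLE = [
  '- url: "*.tistory.com"',
  '- url: "*.surge.sh"',
  '- url: revoke.cash',
  '- url: nftplus.io',
  '- url: blog.tistory.com', // constructed: already covered by *.tistory.com
  '- url: NFTplus.io.',      // constructed: duplicate once normalized
  '- url: tryliquid.xyz',
].join('\n');

// Hostnames are case-insensitive and may carry a trailing root dot.
function normalize(pattern) {
  return pattern.toLowerCase().replace(/\.$/, '');
}

// Pull patterns out of "- url:" lines, dropping quotes and trailing comments.
function parseEntries(text) {
  const entries = [];
  text.split(/\r?\n/).forEach((line, i) => {
    const m = line.match(/^\s*-\s*url:\s*["']?([^"'\s#]+)["']?\s*(#.*)?$/);
    if (m) entries.push({ line: i + 1, host: normalize(m[1]) });
  });
  return entries;
}

// Assumption: "*.example.com" covers strict subdomains only, never the apex.
function covers(wildcard, host) {
  if (!wildcard.startsWith('*.')) return false;
  return host !== wildcard && host.endsWith(wildcard.slice(1));
}

// Report entries that repeat an earlier one or are shadowed by a wildcard.
function lint(text) {
  const entries = parseEntries(text);
  const seen = new Map();
  const findings = [];
  for (const e of entries) {
    const w = entries.find((o) => o !== e && covers(o.host, e.host));
    if (w) findings.push({ kind: 'shadowed', line: e.line, host: e.host, of: w.line });
    if (seen.has(e.host)) {
      findings.push({ kind: 'duplicate', line: e.line, host: e.host, of: seen.get(e.host) });
    } else {
      seen.set(e.host, e.line);
    }
  }
  return findings;
}
```

A clean result here only says the entry is not redundant; it says nothing about whether the domain is trustworthy, which is the separate verification the review asks for.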
