dApp - Request Blocked - dApp May be malicious

[Digital-Entrepreneur-llc]

Summary

I've been self-learning. and finally got my dApp Live after a few months.

However, I have done zero advertising because blowflish/phantom is telling user my site could be malicious.
Sure, the messages are not saying that it is explicitly malicious only that it could be, but then grey out the button to continue, and force users to click through three big red messages. No one would ever use that.

I spoke with both Phantom support and Blowfish, they expressed willingness to work with me, but they ask for things that just contradict cryptospace, and punish anyone not either well known or with an extensive history.

I'm a solo self-taught dev. from online materials that are open source, and education. All my dev work I've never uploaded to github, I don't have twitter/YouTube.

The Solana ecosystem is advertised as "developer friendly" and someone put in a ton of effort into building all the open-source documentation and guides. And they keep it updated.

So is the point being to waste developers time, money, and energy that want to advance their skill set and learn Solana, With the DENY EVERYONE but the "good ol boys club". is demoralizing to anyone that wants to become a developer etc.

They do say you can get someone to vouch for you, that is a highly popular/well known developer in the ecosystem. But who is going to do that for someone they don't know? With everything being open source, there has been no reason till now to try to join communities.

Bottom line, I'm at a dead end with blowflish because I don't have a big developer portfolio with historical documentation on github, with well-known socials etc. that I don't even want to currently have. Leaving me with only the vouch choice, but I have no idea where to begin on that.

I tried using the signAndSendTransaction since I saw on stack exchange that someone mentioned this method would not put your dApp on the "may be malicious" list.

I've lost hundreds of dollars perusing this, and countless hours of my time, and my families time over the last 6-9 months.

As a hail marry, is there anything that I'm missing, that phantom or anyone else could help me with? Only alternative I can think of is forcing my site to not allow phantom wallet due to gate keeping on the use of the wallet/wallet adapter.

Example

https://solanatokenfactory.com/

Steps to Reproduce

Step 1: Navigate to https://solanatokenfactory.com/
Step 2: Attach your wallet
Step 3: input your requested parameters to create a SPL Token.
Step 4: Click the Create Token button
Step 5: you will see the signature & Transaction Request in your wallet popup window which will have the 3 notifications for users.

Phantom Version

No response

Is there an existing discussion for this?

• I have searched the existing discussions

[xaviermilgo]

I wish I knew this before developing my dapp as well. This is so messed up. I have wasted hundreds of hours learning the ecosystem only to be flagged as malicious once I went live/

[adamdelphantom]

Hey @xaviermilgo and @Digital-Entrepreneur-llc,

Apologies for your experience! Please know these measures are only to protect users from malicious actors. Please continue to work with [email protected] to have your domain reviewed.

[iconidentify]

Our site is unable to accept payment, we've been up and running for multiple weeks. I am super confused on why we are flagged now. Now my users are frustrated and I feel completely helpless

[iconidentify]

Following up, simply contacting the folks on the other end of the review@ email and my issue was resolved within a day. Thank you, Phantom!

[derek-wang]

Following up, simply contacting the folks on the other end of the review@ email and my issue was resolved within a day. Thank you, Phantom!

What did you do to resolve this, we had the same issue too, and we emailed them, thanks

[Sol-HQ]

What...

[Endogen]

Same here. We are also flagged as potentially being malicious (https://bridge.xian.org) and want to resolve this. I think realistically we might want to move away from using wallet integration and will use ChangeNow, Changelly etc. style UIs where users will get a generated address displayed and need to send the tokens there themself.

[adamdelphantom]

Please continue to work with [email protected] to resolve these issues.

[MyDonutProject]

Hi everyone,
I'm experiencing a similar situation and wanted to share my case as it might help others facing this issue.
Our Situation:
Our project (mydonut.io) was flagged as "potentially malicious" by Phantom/Blowfish before we even launched on mainnet. We only discovered this because during testing, we accidentally tried to sign a devnet transaction while Phantom was connected to mainnet, which triggered the security alert.
Project Details:

Development Time: 4 months of intensive development
Team: Anonymous for security reasons (common in DeFi space)
Transparency: 100% open-source commitment

Frontend repository: https://github.com/MyDonutProject/donut/tree/main
Smart contract will be open-sourced on mainnet launch

Architecture: Non-custodial dApp that only creates referral structures
Documentation: Complete whitepaper at https://whitepaper.mydonut.io/

The Challenge:
Despite our full transparency and open-source approach, Phantom is requesting:

Developer GitHub profiles with extensive history
Social media presence with long history
Established developer vouching for anonymous teams

This creates a catch-22 for new, anonymous developers who prioritize security through anonymity but maintain project transparency through open source.
Our Frustration:
Like @Digital-Entrepreneur-llc mentioned, we've invested significant time, money, and energy (4 months) building on Solana specifically because it's marketed as "developer-friendly." We chose Solana for its community, low costs, and excellent user experience with Phantom Wallet.
The Dilemma:
We're launching in 2 days, and this false positive detection (triggered by a testing mistake, not actual malicious behavior) threatens to derail months of legitimate development work.
Question for the Community:
Has anyone successfully resolved this issue as an anonymous team with a new project? The requirement for "established developer vouching" seems to contradict the open, permissionless nature that blockchain represents.
Our Commitment:
We remain committed to full transparency through code, not identity exposure. Every line of our code will be public, auditable, and the project holds zero user funds.
@adamdelphant - Is there a path forward for legitimate anonymous teams who prioritize transparency through open source rather than identity disclosure?
Thank you for any guidance the community can provide. We're hoping to resolve this before our launch to avoid disappointing our early supporters.
Project Links:

Whitepaper: https://whitepaper.mydonut.io/
GitHub: https://github.com/MyDonutProject/donut/tree/main
Discord: https://discord.com/invite/mydonutproject