
Whitelist csgofast.store - official marketing mirror of csgofast.com (false positive)#1812

Open
K00pash wants to merge 1 commit intophantom:masterfrom
K00pash:whitelist-csgofast-store

Conversation


@K00pash K00pash commented May 4, 2026

Hi Phantom team,

Submitting this as a PR since phantom/blocklist has Issues disabled and the README points to PRs as the submission channel for both blocklist and whitelist changes.

csgofast.store is an official marketing mirror of csgofast.com, a CS2/CSGO skin platform live since 2015. Users have reported that Phantom flags csgofast.store as malicious.

I could not find csgofast.store in any of the YAML files on master or in commit history, so the warning seen in-wallet may be coming from a downstream provider Phantom integrates with (Blowfish? GoPlus?). Filing here regardless — this repo is the public surface, and a whitelist.yaml entry is the right preventive signal either way. Happy to refile elsewhere if you point me at the right channel.

Why this is a false positive

The brand-on-different-TLD pattern is exactly what makes legitimate marketing mirrors look indistinguishable from typosquatting clones to automated detectors. We understand the heuristic, we just want to clear this one specific case:

  • Same product, same operator, same brand as csgofast.com.
  • No seed-phrase prompts, no fake mint pages, no token-approval traps.
  • Crypto interactions are limited to standard deposit / P2P-withdrawal flows via WalletConnect / EIP-1193.

How to verify (any of these works)

  1. Email support@csgofast.com — we will perform any proof-of-control you ask for (DNS TXT, HTTP challenge on either domain, signed message).
  2. Visual / functional comparison — both domains serve the same SPA, same login domain pattern, same provably-fair verification page.
  3. We can publish csgofast.com/.well-known/mirrors.json listing every marketing mirror if you want a machine-readable signal for future reviews — happy to coordinate on the exact format.

Asks

  1. Please merge this whitelist entry, or, if the in-wallet warning comes from an upstream feed Phantom integrates with, point us at the right contact and I will refile there.
  2. What is the recommended path for a legitimate operator with multiple marketing mirrors to avoid these false positives in the future? PR each mirror to whitelist.yaml proactively? Publish a /.well-known/ manifest? Use rel=canonical or JSON-LD sameAs from the mirrors to the primary domain?

Thanks for the work — automated phishing detection is necessary, we do not want to make your job harder, just get our domain off the wrong list.

— csgofast.com team

Summary by CodeRabbit

  • Chores
    • Expanded the service domain whitelist to include additional third-party providers, enabling broader service integration capabilities.


coderabbitai Bot commented May 4, 2026

📝 Walkthrough


The PR extends a URL whitelist configuration by adding two new domains, nftplus.io and csgofast.store, to the whitelist.yaml file.

Changes

Whitelist Configuration Update

Layer: Configuration
File(s): whitelist.yaml
Summary: Two new domains, nftplus.io and csgofast.store, are appended to the URL whitelist.
🚥 Pre-merge checks: 5 passed
  • Description Check: ✅ Passed. Check skipped, because CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title clearly and specifically describes the main change: whitelisting csgofast.store as an official marketing mirror, with the reason (false positive). It directly corresponds to the changeset, which adds csgofast.store to whitelist.yaml.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage; the check was skipped.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.




@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
whitelist.yaml (1)

33-34: Add whitelist-vs-blocklist conflict checks to CI before merge.

Verification confirms nftplus.io and csgofast.store are absent from all blocklist files (blocklist.yaml, nft-blocklist.yaml, eth-blocklist.yaml, and fuzzylist.yaml), but the current CI implementation lacks validation to prevent this conflict. The suggested CI guard in ci.js to cross-check whitelist entries against blocklists is needed to prevent accidental domain conflicts in future contributions.

Suggested CI hardening for `ci.js`
 const yaml = require('js-yaml');
 const fs   = require('fs');

 const blocklist = yaml.load(fs.readFileSync('./blocklist.yaml', 'utf8'));
 const nftBlocklist = yaml.load(fs.readFileSync('./nft-blocklist.yaml', 'utf8'));
 const whitelist = yaml.load(fs.readFileSync('./whitelist.yaml', 'utf8'));
 const fuzzylist = yaml.load(fs.readFileSync('./fuzzylist.yaml', 'utf8'));
 const ethBlocklist = yaml.load(fs.readFileSync('./eth-blocklist.yaml', 'utf8'));
+
+const toSet = (arr) => new Set(arr.map((item) => item.url).filter(Boolean));
+const whitelistSet = toSet(whitelist);
+const blocklistSet = toSet(blocklist);
+const ethBlocklistSet = toSet(ethBlocklist);
+const fuzzylistSet = toSet(fuzzylist);
+
+const intersects = (a, b) => [...a].some((x) => b.has(x));

 if(blocklist.some(item => !item.url)) {
   console.log("Not every blocklist item has a `url` attribute");
   process.exit(1);
 }
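Review bot: the new `toSet` calls in this hunk run before the existing `item.url` validation and call `arr.map` directly, so an empty or malformed YAML file (where `yaml.load` returns `undefined` or a non-array) now throws a TypeError instead of failing with the existing clear message; either move the set construction below the validation blocks or guard with `Array.isArray(arr) ? arr : []`. Also `nftBlocklist` is loaded but no `nftBlocklistSet` is built, although the comment text lists nft-blocklist.yaml among the files the guard should cover.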
@@
 if(fuzzylist.length > 0) {
   console.log("Fuzzylist entry detected without the fuzzylist being explicitly enabled");
   process.exit(1);
 }
+
+if (intersects(whitelistSet, blocklistSet) ||
+    intersects(whitelistSet, ethBlocklistSet) ||
+    intersects(whitelistSet, fuzzylistSet)) {
+  console.log("Conflict detected: URL present in both whitelist and block/fuzzy list");
+  process.exit(1);
+}
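Review bot: the conflict check in this hunk omits nft-blocklist.yaml (`nftBlocklist` is loaded above but never intersected), so a domain present in both whitelist.yaml and nft-blocklist.yaml still passes CI; add a `toSet(nftBlocklist)` intersection. The `fuzzylistSet` branch can never fire, since the check directly above it already exits when `fuzzylist.length > 0`. The failure message also names neither the overlapping domain nor the list it was found in, and entries are compared verbatim, so `Example.com` vs `example.com` or a trailing dot would slip through; normalize with `toLowerCase().trim()` inside `toSet` and log the overlapping entries with their file names so the failure is actionable.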
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@whitelist.yaml` around lines 33 - 34, Add a CI guard in ci.js that reads
whitelist.yaml and cross-checks each domain against blocklist.yaml,
nft-blocklist.yaml, eth-blocklist.yaml, and fuzzylist.yaml; implement (or
extend) a function such as checkWhitelistVsBlocklists/validateLists to load and
parse all YAMLs, normalize entries (lowercase, trim, strip schemes/www), detect
any exact or fuzzy overlaps, and if any conflicts are found log the conflicting
domain(s) with source file names and exit the process with a non-zero code to
fail the CI. Ensure the check runs as part of existing CI validation flow so PRs
cannot be merged when whitelist entries appear in any blocklist files.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@whitelist.yaml`:
- Line 33: Remove the unrelated whitelist entry "nftplus.io" from the change so
the PR only contains the intended domain addition (`csgofast.store`); locate the
`url: nftplus.io` entry in whitelist.yaml and delete that line (or revert that
specific hunk) and ensure the final commit includes only the `csgofast.store`
whitelist addition with no other domains.



📥 Commits

Reviewing files that changed from the base of the PR and between f0e8ff9 and 6bd2220.

📒 Files selected for processing (1)
  • whitelist.yaml
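The guard described in the review prompt above, written out as an added example (not the repository's ci.js and not CodeRabbit's suggested patch): entries are normalized (lowercase, trim, scheme/path/port/www stripped, and, going a step beyond the prompt, a trailing FQDN dot removed), then every whitelist domain is cross-checked against each block/fuzzy list and reported with the file it was found in. The list shape (`{ url: ... }` objects) is taken from the PR; all sample data is constructed, and YAML loading is left out so the block runs offline.

```javascript
// Added example, not the repo's ci.js; the sample lists below are constructed.

// Lowercase, trim, and strip scheme, path, port, leading "www." and trailing dot.
function normalizeDomain(raw) {
  if (typeof raw !== 'string') return null;
  let d = raw.trim().toLowerCase();
  d = d.replace(/^[a-z][a-z0-9+.-]*:\/\//, ''); // scheme, e.g. https://
  d = d.split(/[/?#]/)[0];                      // path, query, fragment
  d = d.replace(/:\d+$/, '');                   // port
  d = d.replace(/^www\./, '');                  // leading www.
  d = d.replace(/\.$/, '');                     // trailing dot (FQDN form)
  return d.length ? d : null;
}

// Map of normalized domain -> original entry string for one list; tolerates a
// missing or non-array list (what a YAML loader returns for an empty file).
function toDomainMap(entries) {
  const map = new Map();
  for (const item of Array.isArray(entries) ? entries : []) {
    const n = normalizeDomain(item && item.url);
    if (n !== null) map.set(n, item.url);
  }
  return map;
}

// Every whitelist domain that also appears in any block/fuzzy list, with the
// file it was found in, so a CI failure message can name both sides.
function findConflicts(whitelist, blocklistsByFile) {
  const conflicts = [];
  const wl = toDomainMap(whitelist);
  for (const [file, entries] of Object.entries(blocklistsByFile)) {
    const bl = toDomainMap(entries);
    for (const [domain, whitelistEntry] of wl) {
      if (bl.has(domain)) conflicts.push({ domain, whitelistEntry, file, blocklistEntry: bl.get(domain) });
    }
  }
  return conflicts;
}

// Constructed sample lists: one entry collides only after normalization.
const SAMPLE_WHITELIST = [{ url: 'csgofast.store' }, { url: 'HTTPS://www.Example-Mirror.com/' }];
const SAMPLE_BLOCKLISTS = {
  'blocklist.yaml': [{ url: 'example-mirror.com.' }, { url: 'evil.example' }],
  'nft-blocklist.yaml': [],
  'eth-blocklist.yaml': [{ url: 'csgofast.store.evil.example' }],
  'fuzzylist.yaml': undefined, // empty file
};

for (const c of findConflicts(SAMPLE_WHITELIST, SAMPLE_BLOCKLISTS)) {
  console.log(`Conflict: ${c.domain} (whitelist "${c.whitelistEntry}" vs ${c.file} "${c.blocklistEntry}")`);
}
```

In a real ci.js the loop would end with `process.exit(1)` when any conflict is returned; it is omitted here so the block can be imported by tests.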
