Add gembots.space to whitelist — legitimate AI vs AI crypto betting arena #1760
avnikulin35 wants to merge 1 commit into phantom:master from
…rena
gembots.space is a legitimate AI vs AI crypto prediction arena where AI bots compete in real-time trading battles. Users can watch and bet on outcomes.
- Live site: https://gembots.space
- Open source tournament system
- SOL transactions are user-initiated bets on AI bot battles
- No phishing, no wallet draining, no malicious activity
- Treasury wallet: qcBTcq9kWMEUtETmgehEcCwgkbLrafZ61nsuwGHy77b
The domain was likely auto-flagged due to being new + requesting SOL transfers. This is a false positive.
📝 Walkthrough
A whitelist configuration file is updated to include a new whitelisted domain entry for gembots.space while preserving an existing nftplus.io entry, resulting in one additional domain in the whitelist.
Actionable comments posted: 1
| - url: revoke.cash | ||
| - url: nftplus.io No newline at end of file | ||
| - url: nftplus.io | ||
| - url: gembots.space No newline at end of file |
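Review bot: the added last line `- url: gembots.space` still ends the file without a newline ("No newline at end of file"), which is why the unchanged `- url: nftplus.io` line shows up as modified; terminate the file with a newline so later additions are one-line diffs. The entry is also a bare domain with nothing in the file recording who verified it or on what evidence, so a comment or reference next to it would let a later reader audit why it was allowlisted.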
🧩 Analysis chain
🏁 Script executed:
```bash
#!/bin/bash
# First, check for any mentions of the domain in the repository
echo "=== Searching for gembots in repo ==="
rg -i "gembots" --type yaml --type md --type txt 2>/dev/null || echo "No mentions found"

# Check for contribution guidelines and policies
# (fd takes a regex, where alternation is a bare "|")
echo -e "\n=== Looking for contribution guidelines ==="
fd -i "contribut|readme|guideline|policy" --type f 2>/dev/null | head -20

# Check the whitelist.yaml structure to understand other entries
echo -e "\n=== Examining whitelist.yaml ==="
fd "whitelist\\.yaml" --type f 2>/dev/null

# Check git history of whitelist.yaml if available
# (limit with -10 so the fallback sees git's exit status, not head's)
echo -e "\n=== Recent commits to whitelist.yaml ==="
git log --oneline -10 -- whitelist.yaml 2>/dev/null || echo "Git history not available"

# Look for the author/contributor mentioned
echo -e "\n=== Checking for contributor avnikulin ==="
git log --all --author="avnikulin" --oneline 2>/dev/null || echo "No commits from this author"
```
Repository: phantom/blocklist
Length of output: 398
🏁 Script executed:
```bash
#!/bin/bash
# Examine the whitelist.yaml file to see structure and similar entries
echo "=== Whitelist.yaml content ==="
cat -n whitelist.yaml 2>/dev/null | head -50

# Count total entries
echo -e "\n=== Total whitelisted entries ==="
rg "^\s+-\s+url:" whitelist.yaml 2>/dev/null | wc -l

# Look for similar betting/gambling/new project entries
echo -e "\n=== Entries near gembots.space ==="
cat -n whitelist.yaml 2>/dev/null | sed -n '30,40p'
```
Repository: phantom/blocklist
Length of output: 1341
🏁 Script executed:
```bash
#!/bin/bash
# Check README for policies on whitelist submissions
echo "=== README excerpt (whitelist/submission policy) ==="
if [ -f "README.md" ]; then
  cat README.md | head -100
else
  find . -maxdepth 2 -name "README*" -type f 2>/dev/null | xargs cat 2>/dev/null | head -100
fi

# Check if there's a SECURITY or CONTRIBUTING file
echo -e "\n=== Checking for SECURITY/CONTRIBUTING files ==="
find . -maxdepth 2 \( -name "SECURITY*" -o -name "CONTRIBUT*" -o -name "CODE_OF_CONDUCT*" \) -type f 2>/dev/null | xargs cat 2>/dev/null
```
Repository: phantom/blocklist
Length of output: 5493
🏁 Script executed:
```bash
#!/bin/bash
# Verify if whitelist.yaml is actually used anywhere in the codebase
echo "=== Searching for whitelist.yaml usage in code ==="
rg "whitelist" --type js --type ts --type py --type json 2>/dev/null | head -20

# Check if fuzzylist functionality is implemented
echo -e "\n=== Checking for fuzzylist or whitelist code logic ==="
find . -type f \( -name "*.js" -o -name "*.ts" -o -name "*.py" \) 2>/dev/null | xargs grep -l "whitelist\|fuzzylist" 2>/dev/null || echo "No code files using whitelist/fuzzylist"

# Look at the PR/commit that added gembots to understand context
echo -e "\n=== Recent git history for context ==="
git log --oneline -20 2>/dev/null || echo "Git history unavailable"
```
Repository: phantom/blocklist
Length of output: 844
🏁 Script executed:
```bash
#!/bin/bash
# Check the actual usage and implementation
# (group the -name tests so that -type f applies to both patterns)
echo "=== Files in repository ==="
find . -type f \( -name "*.yaml" -o -name "*.yml" \) 2>/dev/null | grep -v node_modules

echo -e "\n=== Checking package.json or similar for blocklist logic ==="
find . -maxdepth 2 -type f \( -name "package.json" -o -name "*.ts" -o -name "*.js" \) 2>/dev/null | head -10 | xargs cat 2>/dev/null | head -50
```
Repository: phantom/blocklist
Length of output: 2335
Reconsider adding unverified gambling domain to whitelist without independent verification.
gembots.space is a self-submitted request from what appears to be the site operator. While the whitelist.yaml is primarily designed to prevent false positives when the fuzzylist algorithm is eventually enabled (currently disabled per README), this addition should still receive scrutiny:
- Self-submitted, unverified — all evidence is self-reported by the operator. No independent audit, contract verification, or security review is provided.
- New domain — the commit message acknowledges this is a new domain, which is a risk signal for gambling platforms.
- Gambling/betting platform — while not as high-risk as active endorsement, new Solana gambling sites carry elevated rug-pull and exit-scam risk.
Before merging:
- Verify on-chain program is open-source and contract verified
- Check treasury wallet (qcBTcq9kWMEUtETmgehEcCwgkbLrafZ61nsuwGHy77b) for legitimate activity patterns
- Confirm domain reputation (WHOIS age, any prior reports)
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@whitelist.yaml` at line 34, The added whitelist entry "url: gembots.space" in
whitelist.yaml appears self-submitted and unverified; before merging either
remove or flag it as untrusted and perform verification: confirm the Solana
on-chain program(s) referenced by the site are open-source and contract-verified
(look for source/repo and on-chain program IDs), inspect the treasury wallet
qcBTcq9kWMEUtETmgehEcCwgkbLrafZ61nsuwGHy77b for legitimate transaction patterns
and no obvious rug/exit behavior, and check domain reputation (WHOIS age, DNS
history, and any abuse reports); update whitelist.yaml to only include the
domain after adding a verification note or metadata field (e.g.,
verification_status: verified and verification_evidence: <links>) or revert the
addition until these checks are completed.
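One way to turn the verification metadata suggested in the review comment above into a pre-merge check, as an added example (not code from phantom/blocklist or from CodeRabbit). It assumes the flat `- url:` layout visible in the diff and treats `verification_status` and `verification_evidence` as the hypothetical fields the comment proposes; the `legacy` exemption and the `example.org` entry are constructed for illustration.

```python
import re

ENTRY = re.compile(r"^\s*-\s+url:\s*(\S+)\s*$")
FIELD = re.compile(r"^\s+(\w+):\s*(.*?)\s*$")
HOST = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

def parse_allowlist(text):
    """Parse '- url: <domain>' items plus optional indented 'key: value' lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry, field = ENTRY.match(line), FIELD.match(line)
        if entry:
            entries.append({"url": entry.group(1), "line": lineno})
        elif field and entries:
            entries[-1][field.group(1)] = field.group(2)
        elif line.strip() and not line.lstrip().startswith("#"):
            raise ValueError(f"line {lineno}: unrecognised content")
    return entries

def lint_allowlist(text, legacy=()):
    """Return (line, url, problem) findings; an empty list means nothing blocks the merge."""
    findings, seen = [], set()
    for e in parse_allowlist(text):
        url = e["url"]
        if not HOST.match(url):
            findings.append((e["line"], url, "not a bare lowercase hostname"))
        if url in seen:
            findings.append((e["line"], url, "duplicate entry"))
        seen.add(url)
        if url in legacy:  # merged before the metadata rule (assumed exemption)
            continue
        if e.get("verification_status") != "verified":
            findings.append((e["line"], url, "verification_status is not 'verified'"))
        if not e.get("verification_evidence", "").startswith("https://"):
            findings.append((e["line"], url, "no verification_evidence link"))
    if text and not text.endswith("\n"):
        findings.append((len(text.splitlines()), "", "no newline at end of file"))
    return findings

# Constructed sample: the three entries visible in the diff plus a hypothetical
# example.org entry carrying the metadata fields the review comment suggests.
SAMPLE = ("- url: revoke.cash\n- url: nftplus.io\n- url: example.org\n"
          "  verification_status: verified\n"
          "  verification_evidence: https://example.org/audit\n"
          "- url: gembots.space")

if __name__ == "__main__":
    for finding in lint_allowlist(SAMPLE, legacy={"revoke.cash", "nftplus.io"}):
        print(finding)
```

Run in CI against the changed file, a non-empty result would hold the pull request until a maintainer records the status and an evidence link for the new entry.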
What is gembots.space?
GemBots Arena is a legitimate AI vs AI crypto prediction platform where AI bots (powered by GPT-5.2, Claude Opus, Mistral, DeepSeek, etc.) compete in real-time trading battles on Solana tokens.
Why it was flagged
The domain was likely auto-flagged by Blowfish because:
Evidence of legitimacy
Impact
Phantom users trying to connect their wallet on gembots.space see "Request blocked - This dApp may be malicious", which is a false positive.
Thank you for reviewing!