dApp Flagged as Malicious Before Mainnet Launch - Project Still in Devnet

[MyDonutProject]

Summary

Our project (mydonut.io) was incorrectly flagged as "potentially malicious" by Phantom/Blowfish before even launching on mainnet. The dApp is still in development on devnet, and we only discovered this flag by accident during testing when we tried to sign a devnet transaction with Phantom configured for mainnet.
Problem Details

Project Status: Still on devnet, launch delayed due to this issue
How We Discovered: During testing, accidentally tried to sign devnet transaction with Phantom on mainnet
Result: "This dApp could be malicious" warning appeared
Current Situation: Project flagged even without being on mainnet

Project Information

Development: 4 months of intensive work
Architecture: Non-custodial dApp that only creates referral structures
Transparency: 100% open source

Frontend: https://github.com/MyDonutProject/donut/tree/main
Smart contract will be open-source at launch

Documentation: https://whitepaper.mydonut.io/

Support Process
We're already in contact with [email protected] (Ticket #9493), but they're requesting:

Developer GitHub profiles with extensive history
Established social media presence
Known developer to "vouch" for anonymous teams

Our Concern
As an anonymous team (for security) but fully transparent (100% open code), we're stuck in a cycle where:

We don't want to expose identities for security reasons
But we maintain full transparency through code
Yet we're still penalized for not having "social history"

Main Question
How can a legitimate, 100% open-source, non-custodial project get unflagged when:

It hasn't even reached mainnet yet
It was detected by network configuration error during testing
It maintains team anonymity for security but total code transparency

Steps to Reproduce

Configure dApp for devnet
Configure Phantom for mainnet
Try to sign devnet transaction with Phantom on mainnet
Receive "potentially malicious" warning
Discover project was flagged even though only on devnet

Technical Information

dApp Network: Devnet (not mainnet yet)
Phantom Network: Mainnet (during test)
Method Used: signAndSendTransaction (as recommended)
Transactions: Versioned (required for multiple addresses)

Impact

Timeline: Launch had to be postponed due to this situation
Investment: 4 months of development + financial resources at risk
Community: Early supporters being affected by the delay

Request
We need guidance on how to proceed to unflag a project that:

Is 100% legitimate and transparent
Never went to mainnet
Was flagged by configuration error during testing
Maintains team anonymity but total code transparency

Project Links

Whitepaper: https://whitepaper.mydonut.io/
GitHub: https://github.com/MyDonutProject/donut/tree/main
Discord: https://discord.com/invite/mydonutproject
Twitter: https://x.com/mydonutproject

Any guidance from the community or Phantom team would be greatly appreciated.

Example

https://mydonut.io/

Steps to Reproduce

Steps to Reproduce

Configure dApp for devnet
Configure Phantom for mainnet
Try to sign devnet transaction with Phantom on mainnet
Receive "potentially malicious" warning
Discover project was flagged even though only on devnet

Technical Information

dApp Network: Devnet (not mainnet yet)
Phantom Network: Mainnet (during test)
Method Used: signAndSendTransaction (as recommended)
Transactions: Versioned (required for multiple addresses)

Phantom Version

25.18.0

Is there an existing discussion for this?

• I have searched the existing discussions

[adamdelphantom]

@MyDonutProject please continue to work with [email protected] to address this warning.

[MyDonutProject]

Issue with Current Verification Process

Thank you for your response. However, we need to address a fundamental concern with the current verification process that goes beyond our specific case.

Current Email Response Summary:
The Phantom Review Team (via Zach) has clarified that:

• Our website is not blacklisted but not allowlisted
• They require verification including: social accounts with established history, public GitHub with extensive background, live website (not test state)
• These profiles should not be new so they can review historical activity
• Alternative: Have well-known developers vouch for us

The Core Problem:
This process essentially requires new developers to focus on networking and social influence rather than technical competence and code quality. The question we must ask is: Isn't providing open-source code to a security company sufficient for them to analyze and verify if an application is safe for users? What is the role of a security company if not this?

Our Disappointment:
We're deeply concerned that the Web3 and blockchain space is migrating toward traditional bureaucracies, filtering developers based on influence rather than merit. This approach:

• Punishes legitimate developers with transparent, open-source solutions
• Rewards social connections over technical excellence
• Creates barriers identical to traditional business where "who you know" matters more than "what you build"

The Contradiction:
Meanwhile, we see numerous scams in the Web3 space from groups with:

• Closed-source code
• Strong social influence
• Verification approval based solely on network connections

Yet honest developers with transparent, auditable code are being banned from the ecosystem.

Our Technical Merit:

• 4 months of intensive development
• 100% open-source frontend: https://github.com/MyDonutProject/donut/tree/main
• 100% open-source smart contract - will be fully published at the exact moment of mainnet deployment
• Comprehensive Security Documentation - will include complete solana-security.txt implementation with:
  • Commit hashes for full code traceability
  • Contact information for security researchers
  • Bug bounty program with vulnerability reward structure
  • Emergency contact procedures
  • Responsible disclosure guidelines
  • Smart contract verification details
• Non-custodial architecture - holds zero user funds
• Complete transparency - whitepaper: https://whitepaper.mydonut.io/
• Solana-focused development - chose this ecosystem specifically for its "developer-friendly" reputation

Security-First Approach:
Our commitment to security extends beyond open-source code. We're implementing industry-standard security practices including:

• Solana Security.txt Standard - Full compliance with Solana's security documentation framework
• Vulnerability Disclosure Program - Structured bounty system for security researchers
• Code Immutability Verification - All deployed contracts will have verifiable commit references
• Multi-layer Transparency - From frontend UI to smart contract logic, everything auditable
• Real-time Security Monitoring - Post-launch security tracking and reporting

This level of technical security commitment should demonstrate our legitimate intentions far more effectively than social media profiles or network connections.

The Real Issue:
@adamdelphant, continuing via email won't resolve this because the email team exclusively seeks influential developers, not new developers bringing solutions to the Web3 ecosystem. This creates the same barriers as traditional finance where anonymous investors and beginner developers with transparent solutions are excluded.

Industry Impact:
This verification approach undermines the core principles that made blockchain revolutionary:

• Permissionless innovation
• Merit-based evaluation
• Code over connections
• Decentralized access

Our Request:
We need a technical review process that evaluates:

1. Code quality and security
2. Architecture safety
3. Transparency level
4. User fund safety

Rather than:

1. Social media history
2. GitHub star count
3. Network connections
4. Influence metrics

Question for the Community:
How can we maintain blockchain's foundational principles of open access and merit-based evaluation when major infrastructure providers require social proof over technical proof?

Our Commitment:
We remain committed to transparency and are willing to undergo any technical security audit or code review to prove our legitimacy. We believe code should speak louder than connections.

This isn't just about our project - it's about preserving the inclusive, merit-based nature that made Web3 revolutionary in the first place.