Avoid Malicious Flags

How to Avoid Getting Your App Flagged as Malicious

Wallets, browsers, and security services may flag dApps when they show phishing-like behavior, unsafe transaction patterns, or suspicious infrastructure. This guide lists practical steps to keep your SATUCHAIN application trustworthy and reduce false positives.

1) Be Transparent About What the App Does

  • Clearly label actions such as Approve, Swap, Sign, Deploy, Mint, and Transfer.

  • Show the exact contract address the user will interact with.

  • Display the network name and chain ID the app expects.

  • Provide an obvious link to the explorer for contracts and transactions.

2) Never Request Dangerous Signatures

Avoid using signature methods that can be abused or look suspicious:

  • Do not request blind signatures with unclear purpose.

  • Do not ask users to sign messages that include:

    • hidden URLs

    • encoded transactions

    • unrelated “login” text that resembles wallet drain patterns

Recommended:

  • Use SIWE (Sign-In with Ethereum) style logins with a clear domain, nonce, and expiration.

  • Keep messages short, human-readable, and domain-bound.

3) Avoid “Unlimited Approvals” by Default

Unlimited token approvals are a common signal used in wallet warnings.

  • Default to a safe approval amount (exact amount required).

  • Offer “Unlimited approval” only as an optional advanced toggle.

  • Show what the approval means and which token/contract is being approved.
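To make the "exact amount by default" rule concrete, the following added example (not SATUCHAIN's own code) converts the human-entered token amount to units, encodes the ERC-20 `approve(spender, amount)` calldata that a wallet will display, and classifies the approval so the UI can show "exact" versus "unlimited" before the user signs. The selector `0x095ea7b3` is the standard ERC-20 `approve` selector; the helper names and sample addresses are assumptions.

```javascript
// Added example (not SATUCHAIN's own code): encode an ERC-20 approve() call with the
// exact amount by default, and label an approval so the UI can explain it to the user.
// Sample addresses below are constructed; helper names are assumptions.
const APPROVE_SELECTOR = '095ea7b3'; // first 4 bytes of keccak256("approve(address,uint256)")
const MAX_UINT256 = (1n << 256n) - 1n; // what wallets show as "unlimited"

// "1.5" with 18 decimals -> 1500000000000000000n (no floating point on the way).
function toUnits(decimalString, decimals) {
  if (!/^\d+(\.\d+)?$/.test(decimalString)) throw new Error('amount must be a decimal number');
  const [whole, frac = ''] = decimalString.split('.');
  if (frac.length > decimals) throw new Error('too many decimal places for this token');
  return BigInt(whole + frac.padEnd(decimals, '0'));
}

function pad32(hex) {
  return hex.padStart(64, '0'); // left-pad to one 32-byte ABI word
}

function encodeApprove(spender, amount) {
  if (!/^0x[0-9a-fA-F]{40}$/.test(spender)) throw new Error('bad spender address');
  if (amount < 0n || amount > MAX_UINT256) throw new Error('amount out of range');
  return '0x' + APPROVE_SELECTOR + pad32(spender.slice(2).toLowerCase()) + pad32(amount.toString(16));
}

// Decode what the wallet will actually see, so the UI and the calldata cannot disagree.
function decodeApprove(calldata) {
  const hex = calldata.startsWith('0x') ? calldata.slice(2) : calldata;
  if (hex.length !== 8 + 64 + 64 || hex.slice(0, 8) !== APPROVE_SELECTOR) return null;
  return { spender: '0x' + hex.slice(8 + 24, 8 + 64), amount: BigInt('0x' + hex.slice(72)) };
}

function classifyApproval(amount, required) {
  if (amount === MAX_UINT256) return 'unlimited';
  if (amount === required) return 'exact';
  return amount > required ? 'excess' : 'insufficient';
}

// allowUnlimited is the "advanced toggle"; it is off unless the user opts in.
function buildApproval({ spender, required, allowUnlimited = false }) {
  const amount = allowUnlimited ? MAX_UINT256 : required;
  const calldata = encodeApprove(spender, amount);
  return { calldata, amount, kind: classifyApproval(decodeApprove(calldata).amount, required) };
}
```

Showing `kind` next to the token symbol and the spender address in the confirmation step gives the user the same information the wallet's warning heuristics look at, which is what reduces the false positives.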

4) Use Verified Contracts and Stable Addresses

  • Verify and publish contract source code on the explorer.

  • Avoid frequent contract address rotation unless necessary.

  • Do not deploy proxy upgrades without clearly communicating:

    • implementation address

    • admin controls

    • upgrade rights

Unverified or constantly changing addresses are often treated as higher risk.

5) Use Reputable Infrastructure and HTTPS

Flags often come from suspicious endpoints or mixed content.

  • Serve your dApp over HTTPS only.

  • Avoid loading scripts from unknown or newly created domains.

  • Use stable RPC endpoints and avoid random rotating RPC URLs.

  • Do not embed obfuscated JavaScript or suspicious third-party widgets.

6) Keep the UI Honest

Avoid patterns commonly associated with phishing:

  • Do not hide critical buttons or force repeated popups.

  • Do not simulate “system” dialogs.

  • Do not use fake wallet connect modals that mimic MetaMask.

  • Do not auto-trigger wallet requests on page load (especially eth_requestAccounts).

Best practice:

  • Ask for wallet connection only after a user clicks Connect Wallet.
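The added example below (not SATUCHAIN's own code) separates the two EIP-1193 calls that get mixed up in practice: `eth_accounts` returns already-authorised accounts without opening the wallet, so it is safe to call on page load to restore a session, while `eth_requestAccounts` opens the wallet prompt and belongs only in the Connect Wallet click handler. The fake provider is a constructed stand-in for `window.ethereum` that counts how many times the wallet UI would have opened; the `isTrusted` check relies on the browser setting that flag only on real user events.

```javascript
// Added example (not SATUCHAIN's own code): restore a session silently on load, and
// prompt the wallet only from a user click. The provider is a constructed EIP-1193 stand-in.

function makeFakeProvider(authorised = []) {
  let accounts = [...authorised];
  return {
    prompts: 0, // how many times the wallet UI would have popped up
    async request({ method }) {
      if (method === 'eth_accounts') return accounts;  // silent: no wallet prompt
      if (method === 'eth_requestAccounts') {           // opens the wallet UI
        this.prompts += 1;
        if (accounts.length === 0) accounts = ['0x' + 'a'.repeat(40)]; // constructed account
        return accounts;
      }
      throw new Error(`unsupported method ${method}`);
    },
  };
}

// Run on page load: returns the connected account or null, never prompts.
async function restoreSession(provider) {
  const accounts = await provider.request({ method: 'eth_accounts' });
  return accounts[0] ?? null;
}

// Run only from the Connect Wallet click handler. In a browser, event.isTrusted is
// true for real user input and false for script-dispatched events.
async function connectWallet(provider, event) {
  if (!event || !event.isTrusted) throw new Error('connectWallet must be called from a user gesture');
  const accounts = await provider.request({ method: 'eth_requestAccounts' });
  return accounts[0];
}

// Browser wiring (not executed here): window.addEventListener('load', () => restoreSession(window.ethereum));
// document.getElementById('connect').addEventListener('click', (e) => connectWallet(window.ethereum, e));
```

With this split, a returning user sees their account immediately and a new user sees exactly one wallet prompt, triggered by their own click.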

7) Implement Security Headers and Basic Hardening

For production websites, configure:

  • Content-Security-Policy (CSP)

  • X-Frame-Options / frame-ancestors (prevent clickjacking)

  • Strict-Transport-Security (HSTS)

  • Referrer-Policy

These reduce the chance of injection-based compromise, which can lead to blacklisting.
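As an added example (not SATUCHAIN's own code), here is one reasonable header set for a dApp front end plus an audit function that reports missing or weak values for the four headers listed above. The policy values are assumptions to be adjusted to what your pages actually load (an RPC endpoint on another origin, for instance, needs a `connect-src` entry); `applySecurityHeaders` targets the `res.setHeader` interface of Node's `http` module and Express.

```javascript
// Added example (not SATUCHAIN's own code): a starting header set for a dApp site and an
// audit that flags missing or weak values. Policy values are assumptions; adjust per site.
const RECOMMENDED_HEADERS = {
  'Content-Security-Policy':
    "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'",
  'X-Frame-Options': 'DENY', // legacy clickjacking defence for browsers without frame-ancestors
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
};

// Works with any response object exposing setHeader(name, value), e.g. Node http or Express.
function applySecurityHeaders(res) {
  for (const [name, value] of Object.entries(RECOMMENDED_HEADERS)) res.setHeader(name, value);
  return res;
}

// "default-src 'self'; script-src 'self'" -> { 'default-src': ["'self'"], 'script-src': ["'self'"] }
function parseCsp(csp) {
  const directives = {};
  for (const part of (csp || '').split(';')) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives[name.toLowerCase()] = values;
  }
  return directives;
}

// Returns a list of findings; an empty list means all four headers are present and sane.
function auditSecurityHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const findings = [];

  const csp = parseCsp(h['content-security-policy']);
  if (!h['content-security-policy']) {
    findings.push('missing Content-Security-Policy');
  } else {
    const scriptSrc = csp['script-src'] || csp['default-src'] || []; // script-src falls back to default-src
    if (scriptSrc.includes("'unsafe-inline'")) findings.push("script-src allows 'unsafe-inline'");
    if (scriptSrc.includes('*')) findings.push('script-src allows any origin');
    if (!csp['object-src']) findings.push('object-src not restricted');
  }
  if (!csp['frame-ancestors'] && !h['x-frame-options']) findings.push('no clickjacking protection');

  const hsts = h['strict-transport-security'];
  const maxAge = hsts && /max-age=(\d+)/.exec(hsts);
  if (!hsts) findings.push('missing Strict-Transport-Security');
  else if (!maxAge || Number(maxAge[1]) < 31536000) findings.push('HSTS max-age shorter than one year');

  const referrer = h['referrer-policy'];
  if (!referrer) findings.push('missing Referrer-Policy');
  else if (referrer === 'unsafe-url') findings.push('Referrer-Policy leaks full URLs');

  return findings;
}
```

Running `auditSecurityHeaders` against the headers your production host actually returns (for example in a CI smoke test) catches the common regression where a CDN or reverse proxy silently drops a header that the application sets.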

8) Provide Trust Signals

  • Include a public documentation page with:

    • contract addresses

    • audit links (if any)

    • changelog

  • Publish an official support contact.

  • Use consistent branding across your site, docs, and social accounts.

  • Avoid “too-good-to-be-true” claims that trigger scam heuristics.

9) Monitor for Compromise

A legitimate dApp can be flagged if its domain is compromised.

  • Use CI/CD with integrity checks.

  • Lock dependencies and monitor supply-chain alerts.

  • Monitor DNS changes and enforce 2FA on registrar accounts.

  • Use a WAF or basic DDoS protection for production.

10) Handle Reports Quickly

If your app is flagged:

  • Identify what service flagged it (wallet, browser, Safe Browsing, etc.).

  • Fix the underlying issue (or prove it is a false positive).

  • Provide verification evidence:

    • source code verification

    • explorer links

    • reproducible behavior explanation

  • Request review through the relevant platform's appeal process.
