TLDR
- A malicious Chrome extension called “Bull Checker” has been targeting Solana users, draining their wallets.
- The extension can bypass Solana’s drainer checks and appears normal during transaction simulations.
- Bull Checker asks for “read and write” permissions, which is a red flag for a wallet-checking extension.
- The extension was advertised on Reddit, targeting Solana memecoin traders.
- Jupiter Exchange, a decentralized trading platform, has warned users to remove the extension immediately.
A malicious Chrome extension named “Bull Checker” has been identified as a threat to Solana users, according to warnings from Jupiter, a decentralized exchange aggregator on the Solana blockchain.
The extension, which advertised itself as a tool for viewing memecoin holders, has been secretly draining users’ wallets and bypassing standard security checks.
Jupiter’s pseudonymous founder, Meow, revealed in an August 20 research post that Bull Checker had been targeting Solana users on Reddit, particularly those interested in memecoins.
The extension’s ability to evade detection is particularly concerning, as it can pass Solana simulation checks and appear normal while actually functioning as a wallet drainer.
Identification Of Malicious Extension
Over the last week, we received reports that a small number of users using Solana DeFi got drained. After extensive investigation, we have identified a malicious Chrome extension called “Bull Checker” that had targeted users on several… pic.twitter.com/pubayfmD9h
— Jupiter 🪐 (@JupiterExchange) August 19, 2024
“After installing Bull Checker, it will wait till a user interacts with a regular DApp on the official domain, before modifying the transaction sent to the wallet to sign. After modification, the simulation result will still be ‘normal’ and not appear to be a drainer,” Meow explained.
One of the key red flags identified by Jupiter was the extension’s request for “read and write” permissions. Legitimate wallet-checking extensions typically only require “read-only” permissions. Despite this warning sign, several users installed and used the extension, leading to unauthorized transfers of their tokens.
The extension’s modus operandi involves waiting for users to interact with a legitimate decentralized application (DApp) on its official domain. It then modifies the transaction sent to the wallet for signing. The simulation results appear normal, masking the malicious nature of the transaction. Upon completion, the extension covertly transfers the user’s tokens to another wallet.
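The permission red flag described above can be checked before installing: a Chrome extension's manifest.json declares the host patterns and permissions behind the “read and change all your data on all websites” install prompt. The script below is an added example, not Jupiter's tooling, and the two manifests it inspects are constructed for illustration; it flags the combination a holder-viewer should never need, namely read/write access to every site plus code injected into the DApp's pages.

```python
import json

# Host patterns that grant access to every site; Chrome surfaces these as
# "Read and change all your data on all websites" at install time.
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Permissions that let an extension alter page code or network traffic.
CODE_OR_TRAFFIC = ("scripting", "webRequest", "declarativeNetRequest", "debugger")

def host_patterns(manifest):
    """Collect every match pattern from which an extension derives page access."""
    pats = set(manifest.get("host_permissions", []))
    # Manifest V2 listed host patterns under "permissions"; keep those too.
    pats |= {p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"}
    for cs in manifest.get("content_scripts", []):
        pats |= set(cs.get("matches", []))
    return pats

def triage(manifest):
    """Return findings explaining why a 'wallet checker' manifest is more than read-only."""
    findings = []
    if host_patterns(manifest) & ALL_SITES:
        findings.append("read/write access to all sites (can rewrite DApp pages and requests)")
    if manifest.get("content_scripts"):
        findings.append("injects content scripts, so its code runs inside the DApp's origin")
    for p in CODE_OR_TRAFFIC:
        if p in manifest.get("permissions", []):
            findings.append(f"holds '{p}', which can modify page code or traffic")
    return findings

# Constructed manifest with the permission profile the article warns about.
SUSPICIOUS = json.loads("""{
  "manifest_version": 3, "name": "constructed-holder-viewer",
  "permissions": ["scripting", "storage"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"], "run_at": "document_start"}]
}""")

# Constructed manifest for a viewer that only queries one RPC endpoint (hypothetical domain).
READ_ONLY = json.loads("""{
  "manifest_version": 3, "name": "constructed-read-only-viewer",
  "permissions": ["storage"],
  "host_permissions": ["https://rpc.example.invalid/*"]
}""")

if __name__ == "__main__":
    for m in (SUSPICIOUS, READ_ONLY):
        print(m["name"], "->", triage(m) or ["no broad-access findings"])
```

A clean result does not prove an extension is safe, but any finding from this check means the extension can act on transactions, which no holder-viewer needs.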
Reddit user “Solana_OG” was identified as one of the accounts promoting the malicious extension. This user claimed to have made $3,000 in a week using Bull Checker, likely in an attempt to lure more victims.
Jupiter Exchange has confirmed that no vulnerabilities were found in any major DApps or wallets on the Solana network during their investigation.
The issue is solely with the Bull Checker extension. “If you have this extension (or similar extensions with extensive permissions you cannot trust), please remove it immediately,” Jupiter warned in an August 19 post on X (formerly Twitter).
The discovery of Bull Checker comes in the wake of other security incidents in the Solana ecosystem. In early July, Solana-based decentralized futures exchange Cypher Protocol halted its smart contract system following an estimated $1 million exploit. Matthias Mende, co-founder of the Dubai Blockchain Center, reported losing over $100,000 in Solana from his Phantom Wallet after participating in a memecoin pre-sale event.
Jupiter Exchange has urged users to be wary of all recommendations and popular tools, as scammers may use social engineering or astroturfing techniques to gain the confidence of potential victims.
The project emphasized the importance of verifying the legitimacy of any tool or extension before installation, especially those requesting extensive permissions.