Highlights:
- Jupiter warns of the “Bull Checker” extension stealing tokens from Solana users’ wallets.
- The extension was promoted on Reddit and masked as a tool for viewing memecoin holders.
- Jupiter advised users to avoid tools based on social media hype and remove suspicious extensions.
On August 19, a Solana-based decentralized exchange aggregator, Jupiter, issued a warning about a nefarious Google Chrome browser extension called “Bull Checker.” The extension targeted Solana users on Reddit, promoting itself as a tool to view all holders of specific memecoins.
Identification Of Malicious Extension
Over the last week, we received reports that a small number of users using Solana DeFi got drained. After extensive investigation, we have identified a malicious Chrome extension called “Bull Checker” that had targeted users on several…
— Jupiter 🪐 (@JupiterExchange) August 19, 2024
Reddit-Promoted Chrome Extension Targets Solana DeFi Users
In an Aug. 20 research post, pseudonymous Jupiter founder Meow said Bull Checker passed Solana’s simulation checks and presented itself as a legitimate tool. It lets users interact with dApps normally, making transactions appear normal in simulations. However, after completing transactions, Bull Checker modifies the wallet adapter’s signTransaction method to secretly transfer tokens to another wallet without the user’s awareness.
He stated:
“After installing Bull Checker, it will wait till a user interacts with a regular DApp [decentralized application] on the official domain, before modifying the transaction sent to the wallet to sign. After modification, the simulation result will still be ‘normal’ and not appear to be a drainer.”
Meow noted that the Bull Checker extension requested permissions to “read and write” data, whereas a legitimate wallet-checking extension should only require “read-only” permissions. However, several users continued to install and use Bull Checker, ignoring the significant red flag.
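The permission red flag described above can be checked before installing by reading an extension's manifest.json. The following is an added example, not code from Jupiter's post or from the extension; the sample manifests and the `api.explorer.example` host are constructed, and the function names are hypothetical.

```javascript
// Match patterns that cover every site. Chrome summarises this reach as
// "Read and change all your data on all websites".
const ALL_SITES = /^(<all_urls>|(\*|https?):\/\/\*(\/.*)?)$/;
const isBroad = (p) => typeof p === "string" && ALL_SITES.test(p);

// Returns a list of findings for one parsed manifest.json object.
function auditManifest(manifest) {
  const findings = [];
  // Manifest V3 uses host_permissions; Manifest V2 mixes hosts into permissions.
  const hosts = [...(manifest.host_permissions || []), ...(manifest.permissions || [])];
  for (const p of hosts.filter(isBroad)) {
    findings.push(`host access to all sites: ${p}`);
  }
  for (const p of (manifest.optional_host_permissions || []).filter(isBroad)) {
    findings.push(`may request all-site access later: ${p}`);
  }
  for (const cs of manifest.content_scripts || []) {
    if ((cs.matches || []).some(isBroad)) {
      findings.push(`content script runs on all sites: ${(cs.js || []).join(", ")}`);
    }
  }
  return findings;
}

// Constructed sample manifests (not taken from any real extension).
const SAMPLES = {
  broadViewer: {
    manifest_version: 3,
    name: "Constructed holder viewer (broad)",
    permissions: ["storage"],
    host_permissions: ["<all_urls>"],
    content_scripts: [{ matches: ["https://*/*"], js: ["content.js"] }],
  },
  scopedViewer: {
    manifest_version: 3,
    name: "Constructed holder viewer (scoped)",
    permissions: ["storage"],
    host_permissions: ["https://api.explorer.example/*"],
  },
};

// Audit every constructed sample and return findings keyed by sample name.
function auditSamples() {
  return Object.fromEntries(
    Object.entries(SAMPLES).map(([k, m]) => [k, auditManifest(m)])
  );
}

console.log(JSON.stringify(auditSamples(), null, 2));
```

An empty findings list only means the manifest does not ask for all-site reach; it says nothing about what the extension does on the hosts it is scoped to.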
Meow said:
“Users with this extension would interact with dApps as normal, with the simulation showing up as usual, but have the possibility of their tokens being maliciously transferred to another wallet upon transaction completion.”
The extension was reportedly promoted by an anonymous Reddit user named “Solana_OG.” In a Reddit post, Solana_OG claimed to have earned $3,000 in a week using the extension. As of now, the extension appears to have been removed from the Chrome Web Store, with a notice stating, “This item is not available.”
Jupiter’s Advice for Crypto Users
Jupiter advised crypto users to promptly remove Bull Checker or any similar extension with extensive permissions. During their investigation, they confirmed that no vulnerabilities were found in major Solana dApps or wallets. Jupiter also warned users not to trust tools based only on social media hype, which can be used to deceive. This follows recent security issues in the Solana ecosystem.
Bull Checker has been revealed as a scam, but other malicious extensions may still exist. Users should stay alert and remove any suspicious extensions, particularly those requesting excessive permissions. Earlier this year, a malicious Aggr extension with positive Chrome Store reviews stole millions in crypto.
🚨 Beware of fake Chrome extensions! 🚨
A malicious Aggr extension with positive reviews on the Chrome Store has been stealing cookies and your funds.
Hackers could have planned this attack over 3 years ago and they target users by promoting the extension through influencers.…
— SlowMist (@SlowMist_Team) May 31, 2024
Moreover, in June, Matthias Mende, co-founder of Dubai Blockchain Center, lost over $100,000 in Solana from his Phantom Wallet after joining a meme coin pre-sale. Mende stated that he still doesn’t know how the hack happened. The Bull Checker extension was found less than two weeks after Cypher Protocol, a Solana-based futures exchange, halted its smart contract due to a $1 million exploit.