A critical warning has been issued to users of Solana-based decentralized finance (DeFi) platforms about a malicious Chrome extension known as “Bull Checker.” This alert was issued by Jupiter, a leading decentralized exchange aggregator on the Solana blockchain, following investigative collaboration with cybersecurity experts and community support.
A warning to all Solana users
The Jupiter Research team, in collaboration with Offside Labs and key community moderators, discovered that “Bull Checker” was responsible for unauthorized token transfers from users’ wallets. Over the past week, reports of unusual token leaks began to emerge, prompting a detailed analysis. “Following multiple reports from our users, our investigation identified the ‘Bull Checker’ Chrome extension as a conduit for these thefts,” Jupiter Research writes. The extension, which was purportedly designed to allow users to view memecoin holders, actually possessed capabilities to alter transaction data.
The extension works by waiting for a user to interact with a legitimate dApp on the official domain. It then modifies the transaction sent to the wallet for signing. Although the simulation results appear normal, the transactions are manipulated to include instructions that transfer tokens to an attacker’s wallet. “What’s particularly insidious about this extension is that it injects malicious code that remains undetected during typical transaction simulations,” added Meow, the pseudonymous founder of Jupiter.
Through technical examination, it was revealed that the attack vectors used by “Bull Checker” are sophisticated. “We noticed that the extension could replace the wallet adapter’s signTransaction method with its own implementation, which would then send the unsigned transaction to a remote server. This server attaches a call to a drain program before returning it for user approval,” Meow explained.
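The swap of the wallet adapter's signTransaction described above changes the transaction between the dApp and the wallet, so a dApp can catch it by comparing the message it submitted with the message that comes back signed. The following added example (not code from Jupiter, Offside Labs or any wallet) shows that check on a simplified transaction model; the field names, the toy adapters and all placeholder addresses are assumptions, and in a real dApp the equivalent comparison is on the bytes of tx.serializeMessage() before and after signing.

```javascript
// Canonical form of the parts of a transaction that the wallet must not change.
// The field names are a simplified stand-in for @solana/web3.js structures (assumption);
// a real dApp would compare tx.serializeMessage() bytes before and after signing.
function canonicalMessage(tx) {
  return JSON.stringify({
    feePayer: tx.feePayer,
    recentBlockhash: tx.recentBlockhash,
    instructions: tx.instructions.map((ix) => ({
      programId: ix.programId,
      keys: ix.keys.map((k) => [k.pubkey, !!k.isSigner, !!k.isWritable]),
      data: ix.data,
    })),
  });
}

// Compare what the dApp submitted with what came back from signTransaction and
// report any instructions that were not in the original, so the UI can show them.
function checkReturnedTransaction(submittedTx, returnedTx) {
  const tampered = canonicalMessage(submittedTx) !== canonicalMessage(returnedTx);
  const original = new Set(submittedTx.instructions.map((ix) => JSON.stringify(ix)));
  const added = returnedTx.instructions.filter((ix) => !original.has(JSON.stringify(ix)));
  return { tampered, addedProgramIds: added.map((ix) => ix.programId) };
}

// Guarded signing: refuse to broadcast anything whose message changed on the way to the wallet.
function signWithIntegrityCheck(walletAdapter, tx) {
  const signed = walletAdapter.signTransaction(tx);
  const result = checkReturnedTransaction(tx, signed);
  if (result.tampered) {
    throw new Error(`transaction altered before signing; unexpected programs: ${result.addedProgramIds.join(",")}`);
  }
  return signed;
}

// Constructed sample data. Adapters are synchronous here to keep the demo short;
// real wallet adapters return a Promise, and the comparison is identical.
const sampleTx = {
  feePayer: "USER_WALLET_PLACEHOLDER",
  recentBlockhash: "BLOCKHASH_PLACEHOLDER",
  instructions: [
    { programId: "TOKEN_PROGRAM_PLACEHOLDER", keys: [{ pubkey: "USER_WALLET_PLACEHOLDER", isSigner: true, isWritable: true }], data: "transfer:1000" },
  ],
};
const honestAdapter = { signTransaction: (tx) => ({ ...tx, signatures: ["wallet-signature"] }) };
// Behaves like the extension described in the article: an extra instruction is appended before the
// transaction is handed back, so the returned message no longer matches the submitted one.
const tamperingAdapter = {
  signTransaction: (tx) => ({
    ...tx,
    instructions: [...tx.instructions, { programId: "DRAIN_PROGRAM_PLACEHOLDER", keys: [{ pubkey: tx.feePayer, isSigner: true, isWritable: true }], data: "" }],
    signatures: ["wallet-signature"],
  }),
};
```

A content script that already controls the page can also patch this check, so it is a detection aid for dApps, not a replacement for wallet-side verification.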
This discovery was confirmed by reviewing specific examples of transactions in which malicious instructions had been added to routine transactions. In one of the detailed transaction reviews, the affected user executed what appeared to be a standard transaction, which ended up transferring 0.06 SOL and its token authority to an exploiter address identified as 8QYkBcer7kzCtXJGNazCR6jrRJS829aBow12jUob3jhR.
The modus operandi of the malicious extension involved several stages. First, the extension monitored the SOL balance of the victim’s account during the transaction simulation; because the simulation typically showed a zero balance, the malicious instructions halted and nothing suspicious appeared in the simulation results. However, immediately after the simulation, the attacker executed a sequence of bundled transactions that first sent SOL to raise the balance, then executed the malicious transaction, and finally withdrew the SOL, all without the user’s knowledge.
“Bull Checker” was initially promoted through an anonymous Reddit account, known as “Solana_OG,” which appeared to target users interested in trading memecoins. This should have been a red flag given the lack of transparency and the nature of the advertised functionality. Unfortunately, the extension managed to make its way onto the computers of several unsuspecting users.
Ongoing research has revealed that while “Bull Checker” has been identified and publicly exposed, other malicious extensions with similar capabilities could still exist. Users are urged to be very wary of any extension that requests broad permissions to read and change all data on websites. “Users should verify the legitimacy and necessity of any extension, especially those that interact deeply with financial transactions or wallet data,” Meow warned.
In response to these types of threats, Blowfish has recently launched a feature known as SafeGuard, aimed at preventing phishing attacks, which is now being adopted by multiple Solana wallets. This new security measure improves the integrity of transaction verifications, providing an additional layer of protection against similar attacks.
At press time, Solana was trading at $146.67.
Featured image created with DALL.E, chart from TradingView.com