A harmful Chrome extension named “Bull Checker” has recently been identified as a significant threat to Solana DeFi users, draining their tokens over the past week.
Jupiter Exchange, a decentralized trading platform, was the first to flag the extension, noting that it has been illicitly siphoning tokens from several Solana users.
Following reports of token theft, Jupiter launched a comprehensive investigation into the extension. According to their findings published on Tuesday, Bull Checker initially appeared legitimate, allowing users to interact with decentralized applications (dApps) as expected.
However, the extension had a malicious function: after installation, it would wait for users to engage with dApps on official domains. The extension then altered the transaction details sent for signing, enabling the unauthorized transfer of tokens to a different wallet. Despite these modifications, the transaction simulation appeared normal, effectively concealing the extension’s true intent.
Jupiter confirmed that there were no vulnerabilities in the dApps’ wallets themselves. Instead, the extension exploited its permission to read and modify all data on the website.
Raydium, an automated market maker (AMM) on the Solana blockchain, reported similar issues among its users, who also had the Bull Checker extension installed. Malicious instructions were added to both Jupiter and Raydium transactions, leading to the unauthorized transfer of tokens and authority to a malicious address.
Despite being labeled as a ‘read-only’ extension—allowing users to view memecoin holders—Bull Checker should not have required such extensive permissions to read or modify data across all websites. This raised significant red flags that many users overlooked.
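The permission red flag described above can be checked mechanically before installing an extension. The following is an added example, not code from Jupiter's report or from the extension itself; the manifest, file names and API host are constructed for illustration.

```javascript
// Flag the "read and change all your data on all websites" class of access in a
// Chrome extension manifest (MV2 or MV3). Constructed example, not Bull Checker's manifest.
const BROAD_PATTERNS = ["<all_urls>", "*://*/*", "http://*/*", "https://*/*"];

function isBroadMatch(pattern) {
  return BROAD_PATTERNS.includes(pattern.trim());
}

function reviewManifest(manifest) {
  const findings = [];
  // MV3 lists host access in host_permissions; MV2 mixed host patterns into permissions.
  const hostPerms = [...(manifest.host_permissions || []), ...(manifest.permissions || [])];
  for (const p of hostPerms) {
    if (isBroadMatch(p)) findings.push(`host permission "${p}" grants access to every site`);
  }
  // A content script matching every URL runs inside every page, including a dApp's
  // official domain, and can rewrite what the page hands to the wallet for signing.
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      if (isBroadMatch(m)) findings.push(`content script ${(cs.js || []).join(",")} injected on "${m}"`);
    }
  }
  // "scripting" plus broad host access allows code injection at runtime as well.
  if ((manifest.permissions || []).includes("scripting") && hostPerms.some(isBroadMatch)) {
    findings.push('"scripting" combined with broad host access allows runtime code injection');
  }
  return findings;
}

// Hosts the advertised feature (viewing memecoin holders) would plausibly need; constructed.
const EXPECTED_HOSTS = ["https://api.example-checker.invalid/*"];

function excessHostAccess(manifest, expected) {
  // Any host beyond what the advertised feature needs is the red flag users overlooked.
  return (manifest.host_permissions || []).filter((h) => !expected.includes(h));
}

// Constructed sample manifest for a supposedly "read-only" holder viewer.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Example Holder Checker",
  permissions: ["storage", "scripting"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["inject.js"] }],
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(reviewManifest(SAMPLE_MANIFEST));
  console.log(excessHostAccess(SAMPLE_MANIFEST, EXPECTED_HOSTS));
}
```

The same check can be run against any unpacked extension's manifest.json; an extension whose stated purpose is read-only lookups but which reports broad host access and an all-URL content script deserves the scrutiny the paragraph above calls for.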
The extension gained traction through promotion by an anonymous Reddit account, “Solana_OG,” which targeted users interested in trading memecoins, convincing them to download the extension.
Jupiter Exchange has advised users to exercise caution and thoroughly vet any browser extensions before installation to avoid similar security breaches.