TLDR
- The crafty add-on 'Bull Checker' has set its sights on Solana users, stealthily siphoning off funds from their wallets.
- This extension manages to evade Solana's protective measures and presents no alarm during transaction testing.
- With 'Bull Checker,' there's a demand for 'read and write' access—a glaring warning for any tool claiming to oversee wallets.
- Reddit was used for promoting this extension, with a focus on Solana memecoin enthusiasts.
- Jupiter Exchange, known for decentralized trading, is urging users to delete the risky extension right away.
The sneaky Chrome extension named 'Bull Checker' is a known risk to Solana participants, warned by Jupiter—a decentralized exchange aggregator within Solana's blockchain network.
Posing as a viewer for memecoin ownership, 'Bull Checker' has been secretly draining users' wallets and stealthily circumventing routine security protocols.
Jupiter’s pseudonymous founder, Meow, revealed in an August 20 research post that 'Bull Checker' was specifically targeting Solana users on Reddit, especially those keen on in memecoins.
The extension's knack for flying under the radar is notably worrying, given that it can breeze through Solana's testing and disguise itself as non-threatening while essentially leeching wallets dry.
Detection of the Harmful Add-On
Recently, reports have surfaced of a select group of Solana DeFi participants experiencing wallet drainage.In a deep dive, a problematic Chrome plugin called 'Bull Checker' was pinpointed as targeting users across various... pic.twitter.com/pubayfmD9h
— Jupiter 🪐 (@JupiterExchange) August 19, 2024
'Once Bull Checker is added, it will be idle until a routine DApp transaction occurs, altering the wallet-bound transaction post-modification to appear normal,' Meow shed light on the situation.
A significant concern flagged by Jupiter was the extension's demand for 'read and write' privileges. Inevitably, wallet oversight tools should solely request 'read-only' access, yet despite this, the add-on managed installation and usage leading to unauthorized asset transfers.
The add-on lays in wait for engagement with legitimate decentralized applications (DApps) on their recognized domains, only then adjusting the transaction destined for wallet signing, which results in seemingly routine simulation outcomes, masking the illicit transfer to another wallet.
A Reddit account, 'Solana_OG,' was spotlighted as one of the culprits endorsing the malicious tool, boasting a profit claim of $3,000 within a short span, presumably to entice additional unwitting participants.
Jupiter Exchange has affirmed no vulnerabilities were detected in any prominent Solana network DApps or wallets throughout their scrutiny.
It's the Bull Checker extension alone at the heart of the problem. 'If such an extension resides within your setup, especially one with extensive and unverified permissions, it's crucial to remove it promptly,' Jupiter advised in an announcement on August 19th on X (previously known as Twitter).
Following other security challenges in Solana, such as in July when Cypher Protocol—a Solana-driven decentralized futures exchange—halted its contracts amid a suspected $1 million breach, Bull Checker's emergence is timely. Dubai Blockchain Center's co-creator Matthias Mende also related a loss exceeding $100,000 in Solana from his Phantom Wallet after a memecoin pre-sale.
Jupiter Exchange stresses to everyone the necessity of caution in regards to tips and renowned tools, as fraudsters might lean on social engineering or deceptive messaging to win over unsuspecting targets.
The project accentuates the crucial step of validating authenticity for any given tool or add-on pre-installation, specifically if it's asking for broader permissions.
