
Com TW NOw News 2024

Do not use this Chrome extension

A critical warning has been issued to users of Solana-based decentralized finance (DeFi) platforms regarding a malicious Chrome extension known as “Bull Checker.” The warning was issued by Jupiter, a leading decentralized exchange aggregator on the Solana blockchain, following investigative collaboration with cybersecurity experts and support from the community.

A warning to all Solana users

Jupiter’s research team, in collaboration with Offside Labs and key community moderators, discovered that “Bull Checker” was responsible for unauthorized token transfers from users’ wallets. Reports of unusual token drains have been surfacing over the past week, prompting a detailed analysis. “After multiple reports from our users, our investigation identified the ‘Bull Checker’ Chrome extension as a conduit for these thefts,” Jupiter Research writes. The extension, which was ostensibly designed to allow users to view memecoin holders, in fact possessed capabilities to modify transaction data.

The extension works by waiting for a user to interact with a legitimate dApp on the official domain. It then modifies the transaction sent to the wallet for signing. While the simulation results appear normal, the transactions are manipulated to include instructions that transfer tokens to an attacker’s wallet. “What’s particularly insidious about this extension is that it injects malicious code that goes undetected during typical transaction simulations,” added Meow, the pseudonymous founder of Jupiter.

Through technical research, it was revealed that the attack vectors used by “Bull Checker” are sophisticated. “We noticed that the extension was able to replace the wallet adapter’s signTransaction method with its own implementation, which would then send the unsigned transaction to a remote server. This server would tie a call to a drain program before sending it back for user approval,” Meow explained.

This discovery was substantiated by examining specific transaction examples where malicious instructions were added to routine transactions. In one of the detailed transaction reviews, the exploited user executed what appeared to be a standard transaction, which ultimately transferred 0.06 SOL and their token authority to an exploiter’s address, identified as 8QYkBcer7kzCtXJGNazCR6jrRJS829aBow12jUob3jhR.

The malicious extension’s modus operandi involved multiple stages. First, the extension checked the SOL balance of the victim’s account during the transaction simulation, which typically showed a zero balance, causing the malicious instructions to abort. However, immediately after the simulation, the attacker executed a series of bundled transactions: sending SOL to increase the balance, executing the malicious transaction, and then retrieving the SOL, all without the user’s knowledge.

“Bull Checker” was initially promoted via an anonymous Reddit account known as “Solana_OG,” which appeared to target users interested in trading memecoins. This should have been a red flag, given the lack of transparency and the nature of the advertised functionality. Unfortunately, the extension still found its way onto the computers of several unsuspecting users.

The ongoing investigation has revealed that while “Bull Checker” has been identified and published, there may be other malicious extensions with similar capabilities. Users are urged to be extremely cautious with any extension that requests broad permissions to read and modify any data on websites. “Users should verify the legitimacy and necessity of each extension, especially those that deeply deal with financial transactions or wallet data,” Meow warned.

In response to these types of threats, Blowfish recently released a feature called SafeGuard, which is aimed at preventing simulation spoofing attacks. This feature is now being used by multiple Solana wallets. This new security measure improves the integrity of transaction verifications and provides an additional layer of protection against similar exploits.

At the time of writing, Solana was trading at $146.67.

Solana price against 20-week EMA, 1-week chart | Source: SOLUSDT on TradingView.com

Main image created with DALL.E, chart from TradingView.com