- “Bull Checker” extension bypasses Solana’s drainer checks, stealing funds by modifying DApp transactions in real-time.
- Legitimate wallet-checking extensions only need “read-only” access, yet users ignored this red flag with “Bull Checker.”
- Despite “Bull Checker” attacks, Jupiter confirms no vulnerabilities in Solana’s DApps or wallets, emphasizing user vigilance.
Jupiter, a decentralized exchange aggregator, has issued a warning to users regarding a malicious browser extension that has successfully bypassed detection mechanisms designed to protect Solana users. This malicious extension, dubbed “Bull Checker,” has reportedly drained the wallets of several users and evaded Solana’s drainer checks, according to recent investigations.
The Malicious Extension Identified
The malicious browser extension was revealed by Jupiter’s pseudonymous founder, Meow, in an August 20 research post. Named “Bull Checker,” the extension was targeting Solana users on Reddit, falsely presenting itself as a tool to monitor memecoin holders.
However, the extension was created to steal funds by modifying transactions. Users who installed it granted it data-access permissions, which gave the extension the ability to drain funds from wallets.
Meow emphasized that this extension could pass the usual Solana simulation checks and appear normal to the user. When users interacted with decentralized applications (DApps) on legitimate domains, the extension modified transactions, with the simulation result still showing as normal, even though the transaction was altered. This made it difficult for users to detect the malicious activity in real-time, leaving them vulnerable to attacks.
Warning Signs Overlooked
Meow advised users to remove the “Bull Checker” extension immediately, particularly those who had granted it extensive permissions. The extension asked for both “read” and “write” data access, which, according to Meow, should have raised suspicion among users.
Legitimate extensions, especially those related to wallet-checking, generally require only “read-only” access to function correctly. However, several users reportedly ignored these warning signs, continuing to install and use the extension, ultimately leading to unauthorized transactions.
Users unknowingly interacted with the malicious extension, believing their transactions were safe. However, when the transaction was finalized, their tokens were quietly transferred to another wallet. The extension’s deceptive behavior allowed it to operate unnoticed until funds had already been stolen.
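The read/write permission red flag described above can be checked against extensions that are already installed. The following is an added example, not code from Jupiter or from the original post. It assumes Chromium-style `manifest.json` files, and that “read and write data access” corresponds to host or content-script match patterns covering every site. The sample manifests are constructed and are not the real “Bull Checker” manifest.

```python
import json
from pathlib import Path

# Match patterns that cover every website (Chromium match-pattern syntax).
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions that allow running script inside pages on demand.
INJECT_APIS = {"scripting", "debugger"}

def audit_manifest(manifest):
    """Return the reasons a manifest can read AND change pages on every site."""
    perms = set(manifest.get("permissions", []))
    # MV3 lists hosts in host_permissions; MV2 mixes them into permissions.
    hosts = set(manifest.get("host_permissions", [])) | perms
    reasons = []
    if hosts & ALL_SITES:
        reasons.append("host access to all sites")
    for script in manifest.get("content_scripts", []):
        if set(script.get("matches", [])) & ALL_SITES:
            reasons.append("content script runs on all sites")
            break
    if perms & INJECT_APIS and hosts & ALL_SITES:
        reasons.append("can inject script on demand")
    return reasons

def scan_profile(extensions_dir):
    """Audit every <id>/<version>/manifest.json under an Extensions directory."""
    report = {}
    for path in Path(extensions_dir).glob("*/*/manifest.json"):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        reasons = audit_manifest(manifest)
        if reasons:
            report[path.parent.parent.name] = reasons  # keyed by extension id
    return report

# Constructed sample manifests (hypothetical names, for illustration only).
BROAD = {"manifest_version": 3, "name": "sample-holder-checker",
         "permissions": ["scripting", "storage"],
         "host_permissions": ["<all_urls>"],
         "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}]}
NARROW = {"manifest_version": 3, "name": "sample-price-widget",
          "permissions": ["storage"],
          "host_permissions": ["https://api.example.com/*"]}

if __name__ == "__main__":
    for m in (BROAD, NARROW):
        print(m["name"], audit_manifest(m) or "no all-site page access")
```

Point `scan_profile` at a browser profile's extensions directory to list the extension IDs that hold all-site page access; anything flagged that only claims to look up wallet or token data deserves a closer look.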
No DApp or Wallet Vulnerabilities Found
Jupiter reassured the public that during the investigation, no vulnerabilities were discovered in any of Solana’s major decentralized applications or wallets. The issue was isolated to the malicious “Bull Checker” extension. However, this incident raises concerns over the potential for similar attacks, highlighting the importance of vigilance when using browser extensions.
Notably, this discovery closely follows another incident within the Solana ecosystem. Just weeks ago, decentralized futures exchange Cypher Protocol halted its smart contract system after suffering a $1 million exploit. Despite these recent events, Jupiter’s efforts to alert the community to malicious activities emphasize the ongoing challenges of ensuring security within the ecosystem.