Chrome Extension “Bull Checker” Steals Tokens from Solana DeFi Users

Decentralized trading platform Jupiter Exchange has recently published a detailed report on how Chrome Extension Bull Checker has been stealing tokens from Solana DeFi users over the past few weeks. Over the last week, several users reported losing the tokens leading to a detailed investigation.

Stop Using Chrome Extension Bull Checker

As reported by Jupiter Exchange, the Bull Checker Chrome Extension targeted several users on the Solana DeFi-related subreddits. Besides, it also allowed users to interact with decentralized applications (dApps) as usual, with transactions looking absolutely normal during simulations. However, after completing the transactions, the Chrome extension would maliciously transfer tokens to another wallet without the user’s knowledge.

Thus, Jupiter Exchange confirmed that there’s no vulnerability within the wallets or the dApps themselves, thereby confirming that the issue is solely due to the Bull Checker extension. Although the extension was supposed to be a read-only tool for viewing memecoin holders, it had permission to read and modify data across all websites, a major red flag overlooked by its users. The Jupiter Exchange added:

“After installing Bull Checker, it will wait till a user interacts with a regular dApp on the official domain, before modifying the transaction sent to the wallet to sign. After modification, the simulation result will still be “normal” and not appear to be a drainer”.

“If you have this extension (or similar extensions with extensive permissions you cannot trust), please remove it immediately,” noted Jupiter Exchanges.

Identification Of Malicious Extension
Over the last week, we received reports that a small number of users using Solana DeFi got drained.

After extensive investigation, we have identified a malicious Chrome extension called “Bull Checker” that had targeted users on several… pic.twitter.com/pubayfmD9h

— Jupiter 🪐 (@JupiterExchange) August 19, 2024

Targeting Solana DeFi and Memecoin Traders

As per the investigation, Reddit account Solana_OG publicized the Chrome extension that was targeting Solana memecoin traders. This account lured the traders into downloading the extensions with the intent of stealing their assets.

Examples of affected transactions reveal that Bull Checker added malicious instructions to legitimate Jupiter and Raydium instructions, leading to the unauthorized transfer of tokens and authority to a malicious address. DeFi protocol Raydium has verified that at least one affected user was using the Bull Checker extension.

Jupiter Exchange has thus advised users to remove other similar extensions with extensive, untrusted permissions, and thus protect their assets. On the other hand, the CBOE removed the 19b-4 application from its website at the SEC’s request thereby reducing the possibility of a Solana ETF in the market.