Decentralized exchange aggregator Jupiter has discovered a new malicious browser extension that has already emptied the wallets of several Solana users and can even bypass detectors.
In an August 20 research post, anonymous Jupiter founder Meow said a nefarious Google Chrome browser extension called “Bull Checker” was targeting Solana users on Reddit, advertising itself as an extension that would allow users to see all holders of a specific memecoin.
“If you have this extension (or a similar one with untrusted, broad permissions), please remove it immediately,” Jupiter wrote in an August 19 X post.
Meow said the extension passes Solana simulation tests and “appears normal,” but is actually a drainer designed to steal funds from users’ wallets.
“After installing Bull Checker, it waits until the user interacts with a regular DApp (decentralized application) on the official domain, and then modifies the transaction that is sent to the wallet for signing. After the modification, the simulation result is still ‘normal’ and does not look like a drain,” Meow explained.
Meow added that the Bull Checker extension asked the user to accept permission to “read and write” data, and that all legitimate wallet verification extensions should only request “read-only” permissions.
“This should have been a huge red flag to users, but some continued to install and use the extension,” he said.
“Users with this extension will interact with DApps normally and the simulation will appear normal, but once the transaction is completed, there is a possibility that the tokens will be maliciously transferred to another wallet,” he added.
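The permission red flag Meow describes can be checked before installing by reading the extension's `manifest.json`. The following is an added example, not code from Jupiter or from the article; it assumes the “read and write” prompt corresponds to Chrome's all-sites host access, and both manifests are constructed for illustration.

```javascript
// Match patterns that give an extension access to every site. In Chrome these
// produce the install warning "Read and change all your data on all websites".
const ALL_SITES = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Collect every place a manifest (MV2 or MV3) can request host access.
function hostGrants(manifest) {
  const grants = [];
  const add = (source, patterns) => {
    for (const p of patterns || []) grants.push({ source, pattern: p });
  };
  // MV2 mixes host patterns and API names in "permissions"; keep only patterns.
  add("permissions", (manifest.permissions || []).filter(
    (p) => typeof p === "string" && (p === "<all_urls>" || p.includes("://"))));
  add("host_permissions", manifest.host_permissions);
  add("optional_host_permissions", manifest.optional_host_permissions);
  for (const cs of manifest.content_scripts || []) add("content_scripts", cs.matches);
  return grants;
}

function auditManifest(manifest) {
  const broad = hostGrants(manifest).filter((g) => ALL_SITES.has(g.pattern));
  return {
    name: manifest.name,
    readWriteAllSites: broad.length > 0,
    // Content scripts load in every matching page, official DApp domains included.
    injectsEverywhere: broad.some((g) => g.source === "content_scripts"),
    broadGrants: broad.map((g) => `${g.source}: ${g.pattern}`),
  };
}

// Constructed manifests for illustration; not taken from any real extension.
const broadExample = {
  manifest_version: 3, name: "constructed-holder-viewer",
  permissions: ["storage"], host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["inject.js"] }],
};
const narrowExample = {
  manifest_version: 3, name: "constructed-narrow-viewer",
  permissions: ["storage", "activeTab"],
  host_permissions: ["https://api.example.com/*"],
};

for (const m of [broadExample, narrowExample]) console.log(auditManifest(m));
```

A clean result only means the manifest does not request all-sites access; it says nothing about what the extension's code does on the sites it can reach.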
One user advertising the malicious extension on Reddit said he made $3,000 using it last week, without giving details.
Jupiter reassured users that no vulnerabilities were found in any of the Solana network’s major decentralized applications or wallets during the investigation.
The “Bull Checker” extension was discovered less than two weeks after the Solana-based decentralized futures exchange Cypher Protocol shut down its smart contract system due to a $1 million exploit.
Meanwhile, on July 8, Matthias Mende, co-founder of the Dubai Blockchain Center, told Cointelegraph that he was attacked after participating in a memecoin presale event, with hackers stealing $100,000 worth of Solana (SOL) from his Fantom wallet.
Mende said he still doesn’t know how the hack happened.