Jupiter Research recently released the findings of an investigation into an incident where users of Defi-Applications on the SOLANA platform lost their funds. The culprit behind the data leakage was identified as the malicious browser extension Bull Checker. This plugin specifically targeted users actively engaged in discussions on various subreddits associated with Solana.
Although Bull Checker was presented as a tool for viewing memcoid holders and was supposed to only have data reading functions, it was found to have access to all information on visited sites and could even make changes. Users interacting with decentralized applications (Dapps) might not have noticed anything suspicious initially, but after completing transactions, their tokens could be transferred to another wallet without their consent.
The extension, Bull Checker, requested permissions to read and change data on sites, giving it the ability to manipulate transactions without the users’ awareness. It’s worth noting that the vulnerabilities were not in the DAPPs or wallets themselves, but rather in the malicious extension that added unauthorized commands to transactions, resulting in the loss of token control.
Specific transactions were identified on the Jupiter and Raydium platforms where harmful instructions were inserted into regular operations. The extension targeted user interactions with DAPPs on the official domain, modifying transactions sent for signature to transfer tokens to a different address without the users’ knowledge.
The Bull Checker extension primarily targeted memcoirs traders and advanced users through the anonymous account “SOLANAA_OG,” encouraging them to install the malicious software.
As a precautionary measure, users are strongly advised to immediately remove the Bull Checker extension and any other extensions with overly broad permissions. Caution should be exercised when granting access to extensions that request reading and changing data on all sites. Relying solely on positive reviews on platforms like Reddit for trust in programs or extensions is discouraged.