Jupiter, a popular decentralized exchange on the Solana network, has uncovered a malicious browser extension targeting Solana’s DeFi users, sending shockwaves through the community and raising urgent concerns about transaction security.
Identification Of Malicious Extension
Over the last week, we received reports that a small number of users using Solana DeFi got drained. After extensive investigation, we have identified a malicious Chrome extension called “Bull Checker” that had targeted users on several… pic.twitter.com/pubayfmD9h
— Jupiter 🪐 (@JupiterExchange) August 19, 2024
The “Bull Checker” Chrome extension, identified as the culprit, was initially marketed as a tool for accessing decentralized applications (dApps). However, once users completed transactions, it secretly transferred their tokens to an unknown wallet. The extension specifically targeted users in Solana-related DeFi subreddits, exploiting their trust.
The Bull Checker Exploit
Meow from Jupiter detailed how users with this extension interacted with dApps as usual, with simulations of transactions appearing normal. However, upon completion, there was a risk that tokens would be diverted to a malicious wallet.
Two specific incidents were highlighted where Bull Checker added malicious instructions to legitimate transactions on Jupiter and Raydium. In both cases, users unknowingly signed these transactions, resulting in their tokens and authority being transferred to an attacker’s address.
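As an added illustration of the pattern described above (this is not code from Jupiter, Raydium, or the extension), here is a wallet-side check that scans a transaction's top-level instructions before signing and flags SPL Token transfers, approvals, or authority changes that move value away from the user's own accounts. The placeholder keys, account-layout table, and sample transaction are constructed for this example; only the SPL Token program id is real.

```javascript
// Added example: a wallet-side pre-signing check, not code from Jupiter or from the extension.
// It flags top-level SPL Token instructions that move tokens or authority away from the user.
const TOKEN_PROGRAM = "TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA"; // real SPL Token program id

// SPL Token discriminators (first data byte) that can drain a user, with the index of the
// source account and of the counterparty (destination or delegate) in each account list.
const DRAINING = {
  3:  { kind: "Transfer",        src: 0, to: 1 },    // source, destination, authority
  4:  { kind: "Approve",         src: 0, to: 1 },    // source, delegate, owner
  12: { kind: "TransferChecked", src: 0, to: 2 },    // source, mint, destination, authority
  13: { kind: "ApproveChecked",  src: 0, to: 2 },    // source, mint, delegate, owner
  6:  { kind: "SetAuthority",    src: 0, to: null }, // any authority change on a user account
};

function readU64LE(bytes, offset) {
  let v = 0n;
  for (let i = 7; i >= 0; i--) v = (v << 8n) | BigInt(bytes[offset + i]);
  return v;
}

// tx.instructions: [{ programId, accounts: [base58 strings], data: Uint8Array }]
// owned: Set of keys the user controls (wallet plus its token accounts).
function findSuspiciousInstructions(tx, owned) {
  const findings = [];
  tx.instructions.forEach((ix, index) => {
    if (ix.programId !== TOKEN_PROGRAM || ix.data.length === 0) return;
    const spec = DRAINING[ix.data[0]];
    if (!spec || !owned.has(ix.accounts[spec.src])) return; // not a draining op on a user account
    const to = spec.to === null ? null : ix.accounts[spec.to];
    if (to !== null && owned.has(to)) return; // moving between the user's own accounts is fine
    findings.push({ index, kind: spec.kind, source: ix.accounts[spec.src], counterparty: to,
                    amount: spec.to === null ? null : readU64LE(ix.data, 1) });
  });
  return findings;
}

// Constructed sample (placeholder keys, not real addresses): two ordinary instructions followed
// by an injected transfer to an attacker and an injected authority change on the user's account.
const USER_ACCOUNTS = new Set(["UserWallet", "UserWsolAta", "UserUsdcAta", "UserOtherAta"]);
function sampleTransaction() {
  const transfer = (amount) => { const d = new Uint8Array(9); d[0] = 3;
    new DataView(d.buffer).setBigUint64(1, BigInt(amount), true); return d; };
  const ix = (programId, accounts, data) => ({ programId, accounts, data });
  return { instructions: [
    ix(TOKEN_PROGRAM, ["UserWsolAta"], new Uint8Array([17])),                           // SyncNative
    ix(TOKEN_PROGRAM, ["UserUsdcAta", "UserOtherAta", "UserWallet"], transfer(5_000_000)), // own-to-own
    ix(TOKEN_PROGRAM, ["UserUsdcAta", "AttackerAta", "UserWallet"], transfer(250_000_000)), // injected
    ix(TOKEN_PROGRAM, ["UserUsdcAta", "UserWallet"], new Uint8Array([6, 2, 1, ...new Array(32).fill(0xab)])),
  ] };
}
```

A wallet that applies this check would prompt the user on the last two instructions and stay silent on the first two, which is the distinction a transaction simulation alone did not surface for the affected users.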
The investigation revealed that an anonymous Reddit user, “Solana_OG,” had promoted the extension, luring users interested in trading memecoins. The extension was originally presented as a harmless, read-only tool to display memecoin holders. However, it was found to have excessive permissions that allowed it to read and alter data on all websites, a significant red flag.
Meow’s Warning
Meow warned that while Bull Checker has been identified, other similar extensions might still be active. Reports of additional token drains suggest that the threat could be more widespread than initially thought. Users are urged to uninstall any extensions with excessive or untrusted permissions immediately.
“Don’t trust something just because it has many upvotes on Reddit or other platforms,” Meow cautioned, adding that “Astroturfing and social engineering are real threats.”
Users should be particularly wary of extensions that request extensive permissions. Extensions like Bull Checker should not require access to read and modify all website data. Meow stressed the importance of using only trusted extensions to ensure the safety of one’s assets.