Identification Of Malicious Extension

Over the last week, we received reports that a small number of Solana DeFi users had their wallets drained.

After extensive investigation with our partners, we have identified a malicious Chrome extension called “Bull Checker” that was targeting users on several Solana-related subreddits.

Users with this extension would interact with dApps as normal and see a normal-looking simulation, yet their tokens could be maliciously transferred to another wallet once the transaction completed.

If you have this extension (or similar extensions with extensive permissions you cannot trust), please remove it immediately.

Note that no vulnerability was found in any of the named dApps or wallets.

For this report, we collaborated with Siji from @OffsideLabs who contributed much of the technical analysis.

@0xSoju, @0xYankee, along with the rest of the moderators, did excellent backbreaking work to get to the bottom of this, spending many hours with affected users.

Also, much thanks to Blowfish, Raydium and Phantom who also reviewed this post.

Example Transactions

Here are two example transactions that interacted with the malicious program: 5UMucMksJweA1AtgyxrK8DJeBXr3DQGEGRs5Kkq2pZjr



In both cases, malicious instructions were appended to regular Jupiter and Raydium instructions; the resulting transaction was signed by the user as normal, but transferred their tokens and token authority to the malicious address.

The Suspected Extension: Bull Checker

Upon further investigation of several affected users who had been drained by the same program, we identified an extension called “Bull Checker”, which has permission to read and change all data on every website, as the likely cause.

Bull Checker is supposed to be a read-only extension that lets you view the holders of memecoins. There is no legitimate need for an extension like this to read or write data on all websites.

This should have been a major red flag for users, but apparently several users continued to install and use the extension.

Once installed, Bull Checker waits until the user interacts with a regular dApp on its official domain, then modifies the transaction sent to the wallet for signing. After modification, the simulation result still looks “normal” and does not reveal a drainer.

Simulation vs On-chain

This transaction passed a simulation check and was not identified as malicious. The malicious program checks the balance of a specific SOL account to decide whether to abort its malicious instructions.

During simulation, the balance of this account was 0, so the malicious instructions aborted. After simulation, the attacker bundled three transactions together:

  1. Sending some SOL in to increase the balance.
  2. The malicious TX signed by the user.
  3. Pulling the SOL back out of the wallet.

Thus the user saw no malicious interaction in the simulation, yet the final on-chain transaction included the drain and the transfer of authority.

At the 8th instruction of the drainer TX, we can see that the user transferred 0.06 SOL and lost control of their token authority to the exploiter’s address: 8QYkBcer7kzCtXJGNazCR6jrRJS829aBow12jUob3jhR.
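To make the simulation-versus-on-chain gap concrete, here is an added toy model (not code from the post, Blowfish, or any wallet): a ledger with a drainer instruction gated on the balance of a SOL account, the three-transaction bundle described above, and a post-condition guard instruction in the spirit of the SafeGuard feature mentioned under Key Safety Habits. Account names, balances and the one-unit swap fee are constructed for illustration.

```javascript
// Added example, not code from the post or from any wallet: a toy ledger
// showing why a state-gated drainer passes simulation but fires on-chain
// when sandwiched between a funding and a withdrawal transaction, and how
// a post-condition guard instruction (modelled loosely on the SafeGuard
// idea, not Blowfish's code) makes the tampered transaction fail instead.
// Account names and balances are constructed.
const GATE = "gateAccount";   // the SOL account the drainer inspects
const VICTIM = "victim";
const ATTACKER = "attacker";

// Instructions are functions that mutate ledger state.
const legitimateSwap = (s) => { s[VICTIM] -= 1; };           // 1 unit fee
const drainIfGateFunded = (s) => {                           // injected ix
  if (s[GATE] > 0) { s[ATTACKER] += s[VICTIM]; s[VICTIM] = 0; }
};
// Guard: assert the signer's post-balance matches what simulation showed.
const makeGuard = (account, expected) => (s) => {
  if (s[account] !== expected) throw new Error("guard: balance mismatch");
};

// Executes transactions in order; each is atomic (all-or-nothing).
function execute(state, txs) {
  for (const tx of txs) {
    const scratch = { ...state };
    try {
      tx.forEach((ix) => ix(scratch));
      Object.assign(state, scratch);
    } catch (_) { /* transaction rejected; state untouched */ }
  }
  return state;
}

// A wallet simulation runs the user's transaction alone, on current state.
const simulate = (state, tx) => execute({ ...state }, [tx]);

function scenario(withGuard) {
  const start = { [GATE]: 0, [VICTIM]: 100, [ATTACKER]: 0 };
  const userTx = [legitimateSwap, drainIfGateFunded];
  const sim = simulate(start, userTx);                 // gate is 0: no drain
  if (withGuard) userTx.push(makeGuard(VICTIM, sim[VICTIM]));
  const bundle = [
    [(s) => { s[GATE] += 1; }],   // 1. attacker funds the gate account
    userTx,                       // 2. the user-signed transaction
    [(s) => { s[GATE] -= 1; }],   // 3. attacker pulls the SOL back out
  ];
  return { simulated: sim[VICTIM], onChain: execute(start, bundle)[VICTIM] };
}

console.log(scenario(false), scenario(true));
```

Without the guard the simulation shows the victim keeping 99 while the bundle leaves 0; with the guard the mismatch rejects the whole user transaction, so the balance stays at 100.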

Extension Code

You can view Bull Checker’s code here: CRX Viewer

This extension specifically targets installed wallets. Since it can read and change data on all websites, it actively monitors apps that load the wallet adapter.

It replaces the wallet adapter’s signTransaction method with its own implementation, which forwards the unsigned transaction to a remote server and attaches a call to a drainer program.

If the mutated transaction is signed by the user, the drainer program can transfer all tokens from the victim.
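Because the extension can patch anything in the page, including the adapter itself, a check on the page cannot be trusted; the inspection has to happen inside the wallet, on the transaction it actually receives. The following is an added example of such a pre-signing inspection (not code from the post, Phantom, or any wallet): it walks the instruction list and flags programs outside the dApp's expected set and any SPL Token SetAuthority that hands account ownership to a key other than the signer. The drainer program id is the one named in this post; the swap program id, account keys, signer bytes and instruction data are constructed placeholders.

```javascript
// Added example, not code from the post or from any wallet: a pre-signing
// inspection of the instruction list that does not rely on simulation. It
// flags instructions from programs outside the dApp's expected set and any
// SPL Token SetAuthority that hands account ownership to a key other than
// the signer. The drainer program id comes from the post above; the swap
// program id, keys and instruction data are constructed placeholders.
const SPL_TOKEN = "TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA";
const SET_AUTHORITY = 6;    // SPL Token instruction discriminator
const ACCOUNT_OWNER = 2;    // AuthorityType::AccountOwner
const DRAINER = "5UMucMksJweA1AtgyxrK8DJeBXr3DQGEGRs5Kkq2pZjr";
const SWAP_PROGRAM = "ExpectedSwapProgramPlaceholder";        // placeholder
const toHex = (b) => Array.from(b, (x) => x.toString(16).padStart(2, "0")).join("");
const sameBytes = (a, b) => a.length === b.length && a.every((x, i) => x === b[i]);

// SetAuthority data layout: [6, authority_type, has_new (0|1), new_authority[32]]
function decodeSetAuthority(data) {
  const hasNew = data[2] === 1;
  return { authorityType: data[1], newAuthority: hasNew ? data.subarray(3, 35) : null };
}

function inspectTransaction(tx, signerPubkey, allowedPrograms) {
  const findings = [];
  tx.instructions.forEach((ix, i) => {
    if (!allowedPrograms.has(ix.programId)) {
      findings.push(`ix ${i}: unexpected program ${ix.programId}`);
    }
    if (ix.programId === SPL_TOKEN && ix.data[0] === SET_AUTHORITY) {
      const { authorityType, newAuthority } = decodeSetAuthority(ix.data);
      if (authorityType === ACCOUNT_OWNER &&
          (newAuthority === null || !sameBytes(newAuthority, signerPubkey))) {
        findings.push(`ix ${i}: SetAuthority(AccountOwner) on ${ix.keys[0]} ` +
                      `to ${newAuthority ? toHex(newAuthority) : "none"}`);
      }
    }
  });
  return findings;
}

// Constructed sample: a legitimate swap, then two injected instructions.
const SIGNER = new Uint8Array(32).fill(0x11);        // user's pubkey bytes
const ATTACKER_KEY = new Uint8Array(32).fill(0x22);  // constructed
const sampleTx = { instructions: [
  { programId: SWAP_PROGRAM, keys: ["userTokenAcct"], data: new Uint8Array([0xe4]) },
  { programId: DRAINER, keys: ["userTokenAcct"], data: new Uint8Array([1]) },
  { programId: SPL_TOKEN, keys: ["userTokenAcct"],
    data: new Uint8Array([SET_AUTHORITY, ACCOUNT_OWNER, 1, ...ATTACKER_KEY]) },
] };

function sampleFindings() {
  return inspectTransaction(sampleTx, SIGNER, new Set([SWAP_PROGRAM, SPL_TOKEN]));
}
```

On the constructed sample this reports two findings, the unexpected drainer program and the ownership change to a foreign key, both of which a simulation run with the gate account at 0 would have missed.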

Targeting Memecoin Traders

In addition to the above, while researching “Bull Checker” we discovered that it was publicised by an anonymous Reddit account, “Solana_OG”. This person appeared to target users looking to trade memecoins and lured them into downloading the extension.

Links:

https://www.reddit.com/r/solana/comments/1eq24yc/comment/lhq1exn/

https://www.reddit.com/r/solana/comments/1emepbg/comment/lgyc8f9/

Key Safety Habits

While we have identified one malicious extension, there may still be other malicious extensions out there. There have been reports of other drains that we have not been able to track down. If you suspect an extension contains malware, particularly if it has both “read” and “change” permissions, uninstall it immediately.

Do not trust something just because someone mentioned it on Reddit or other media and it has many upvotes. Astroturfing and social engineering are very real.

Extensions that request extensive permissions are highly suspicious. An extension like Bull Checker should not need to read and modify all your website data. You should have an extremely high degree of confidence in an extension before you start using it.

In addition, Blowfish has released a new guard-instruction feature called SafeGuard that prevents all simulation-spoofing attacks. It is currently being adopted by multiple Solana wallets and will prevent future attacks of this kind.

Conclusion

Stay safe out there, and don’t install extensions that can read/write data unless you are really sure!

Once again, many thanks to Siji from Offside Labs, Blowfish, Raydium and Phantom for assisting in this investigation.

22 Likes

Thank you Tena for the collaboration to let the community know!

Be safe out there everyone!!

4 Likes

Thank you all for looking into this for all of us, and flagging it to the Jupiter community and then more broadly!

Appreciate you protecting us Catdets :heart_hands: :heart_eyes_cat:

4 Likes

If JUP helps users outside their own ecosystem, even if those are eventually linked indirectly as many will pass through JUP to do a swap, JUP will widely become a site of trust. Trust is very much needed in the crypto space. There has been too much of a wild-wild west for over a decade already.

3 Likes

Incredible job guys. Kudos to all those mentioned here who went far and beyond to root these malicious characters out of the ecosystem. Imagine how many more people feel safer after this and how much confidence & trust the community gets in y’all keeping them safe after such a fab job!:+1:t6:

3 Likes

This scam didn’t directly affect the JUP ecosystem but the team STILL went above and beyond to fix it and let the community know.

This is about JUP being leaders in the crypto ecosystem and protecting all users.

3 Likes

This right here is some C.A.T just how we like it! Thanks Team <3

3 Likes

This is wild, scammers will go to extreme lengths to steal! Thanks for taking the time to investigate, love the JUP TEAM!

2 Likes

Damn, I saw the bot steal 75 SOL at one point, so sad! Thanks for highlighting this to the community!

2 Likes

Why do people feel the need to scam to get through in life? Just contribute to society please, or the JUP ecosystem.

2 Likes

Constant reminder to stay vigilant, thanks JUP team

2 Likes

Really in depth, thanks JUP team for being so thorough :heart::heart:

1 Like

Thank you all for your hard work and diligence on this matter!

1 Like