Why does the MCP spec not protect against rug pull attacks?
MCP has no version, hash, or re-approval signal on tool definitions, so a server can silently swap a benign tool for a malicious one after you approved it.
Imagine hiring a contractor based on a written job description you signed off on. A rug pull is the contractor quietly rewriting that description after you approved it, so 'paint the fence' now reads 'also copy the house keys'. You never see the new version because nobody made you re-sign. MCP works the same way. A server tells the host what its tools do, you approve them once, and the server can later return a different description under the same name. The protocol has no signature, no version number, and no checksum on those descriptions. So the host has no built-in way to notice the swap and ask you to approve again.
Detailed answer & concept explanation~8 min readEverything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example.
Everything important, quickly.
5 min: define rug pull, show the missing integrity fields in a tools list entry, explain why OAuth and initialize do not help, then walk host-side hash pinning, version pinning, and re-approval as the real defenses.
| Control | What it authenticates | Stops a rug pull? |
|---|---|---|
| OAuth 2.1 token | The server or principal identity | No, identity is fine; the definition changed |
| initialize handshake | Connection setup and capabilities | No, definitions can change after it |
| list-changed notification | That the list changed, not whether it is safe | No, only triggers a refetch |
| Host-side definition hash pinning | Tool definition integrity over time | Yes, detects the swap and re-prompts |
Real products, models, and research that use this idea.
- Anthropic's MCP spec defines a tools list-changed notification for refetch, but leaves integrity checking and re-approval entirely to the host client.
- Invariant Labs demonstrated MCP tool poisoning and rug pull style attacks in 2025, hiding malicious instructions inside tool description metadata.
- The OWASP MCP Top 10, published in 2025, lists rug pull and tool poisoning as distinct supply-chain risks for MCP deployments.
- The proposed ETDI extension adds cryptographic signing and versioning to tool definitions, addressing exactly this gap outside the core spec.
What an interviewer would ask next. Try answering before peeking at the approach.
QHow would you implement host-side hash pinning for tool definitions without breaking legitimate server updates?
QHow does a rug pull differ from tool poisoning, and where do they overlap?
QWhy are remote MCP servers a sharper rug pull risk than local stdio servers?
Don't say thisRed flags and common mistakes that signal junior thinking. Click to expand.
Red flags and common mistakes that signal junior thinking. Click to expand.
Assuming OAuth or the initialize handshake stops rug pulls. They authenticate the server, not the integrity of each tool definition over time.
The night-before-the-interview bullets. Scan these on the way to the call.
Primary sources. Skim if you want the original framing.
Same topic, related formats. Practice these next.