Same topic, related formats. Practice these next.
Same topic, related formats. Practice these next.
Describe the rug pull attack in MCP: what happens, why it is possible, and why the current protocol specification cannot prevent it.
A rug pull is a time of check vs time of use attack: the server mutates an approved tool's description or schema after you consented, and MCP defines no hash, version, or re-consent to catch it.
Imagine you sign a contract after reading it carefully, then hand it back. The other party swaps in a different page when you are not looking, and the deal now says something you never agreed to. With MCP, you approve a tool based on what its description says today. The server can quietly rewrite that description tomorrow to smuggle in new instructions or grab more data. Nobody re-shows you the changed page, because the protocol never wrote down what the original page said. There is no signature on the document and no rule that forces a re-read when the text changes. So you keep trusting a tool that is no longer the tool you approved.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example.
Everything important, quickly.
5 min: define the TOCTOU mechanism, name what mutates, explain the three missing spec features, contrast with tool poisoning, then cover ETDI plus host-side pinning and drift detection.
| Aspect | Tool poisoning | Rug pull |
|---|---|---|
| Timing | Malicious at first approval | Mutates after approval |
| User saw it? | Yes, but hidden text fooled them | No, change happened later |
| Spec defense | None, relies on host scanning | None, no version or hash |
| Core fix | Inspect and vet at install | Pin, diff, re-consent on drift |
Real products, models, and research that use this idea.
What an interviewer would ask next. Try answering before peeking at the approach.
Red flags and common mistakes that signal junior thinking. Click to expand.
Saying user approval makes a server safe forever. Approval is a snapshot at one moment; the server can mutate definitions afterward and nothing forces a second look.
The night-before-the-interview bullets. Scan these on the way to the call.
Primary sources. Skim if you want the original framing.