What is a rug pull attack in MCP and why does the current spec offer no defense?
Describe the rug pull attack in MCP: what happens, why it is possible, and why the current protocol specification cannot prevent it.
A rug pull is a time of check vs time of use attack: the server mutates an approved tool's description or schema after you consented, and MCP defines no hash, version, or re-consent to catch it.
Imagine you sign a contract after reading it carefully, then hand it back. The other party swaps in a different page when you are not looking, and the deal now says something you never agreed to. With MCP, you approve a tool based on what its description says today. The server can quietly rewrite that description tomorrow to smuggle in new instructions or grab more data. Nobody re-shows you the changed page, because the protocol never wrote down what the original page said. There is no signature on the document and no rule that forces a re-read when the text changes. So you keep trusting a tool that is no longer the tool you approved.
Detailed answer & concept explanation~8 min readEverything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example.
Everything important, quickly.
5 min: define the TOCTOU mechanism, name what mutates, explain the three missing spec features, contrast with tool poisoning, then cover ETDI plus host-side pinning and drift detection.
| Aspect | Tool poisoning | Rug pull |
|---|---|---|
| Timing | Malicious at first approval | Mutates after approval |
| User saw it? | Yes, but hidden text fooled them | No, change happened later |
| Spec defense | None, relies on host scanning | None, no version or hash |
| Core fix | Inspect and vet at install | Pin, diff, re-consent on drift |
Real products, models, and research that use this idea.
- Invariant Labs demonstrated tool poisoning and rug pull style description swaps against real MCP servers in 2025, prompting host-side scanning.
- The OWASP MCP Top 10 published in 2025 lists post-approval tool mutation as a named supply-chain risk for agent stacks.
- Hosts like Claude Code and Cursor pin and re-present changed tool definitions, since the core protocol gives them no integrity guarantee.
What an interviewer would ask next. Try answering before peeking at the approach.
QHow would you detect a rug pull in production without protocol-level signing?
QWhy does the same vulnerability class extend to resources and prompts, not just tools?
Don't say thisRed flags and common mistakes that signal junior thinking. Click to expand.
Red flags and common mistakes that signal junior thinking. Click to expand.
Saying user approval makes a server safe forever. Approval is a snapshot at one moment; the server can mutate definitions afterward and nothing forces a second look.
The night-before-the-interview bullets. Scan these on the way to the call.
Primary sources. Skim if you want the original framing.
Same topic, related formats. Practice these next.