Critical-risk tools in VaultPilot MCP
34 of the 189 tools in VaultPilot MCP are classified as critical risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.
Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.
Tools at critical risk
-
combine_btc_psbtsDestructiveMerge 2-15 partial PSBTs from multi-sig cosigners into one whose inputs carry every cosigner's signature. Each entry must be a base64-encoded PSBT v0 sharing the same unsigned t...
-
prepare_btc_lifi_swapDestructiveBuild an unsigned Bitcoin PSBT-v0 that bridges native BTC to a token on another chain via LiFi's aggregator. LiFi auctions the route across intent solvers (NEAR Intents, Garden,...
-
prepare_btc_rbf_bumpDestructiveBuild a BIP-125 Replace-By-Fee replacement for a stuck mempool BTC tx. Reuses the original tx's exact input set, preserves every recipient verbatim, and shrinks the change outpu...
-
prepare_jito_stakeDestructiveBuild an unsigned Jito stake-pool deposit tx: deposit `amountSol` SOL into Jito's stake pool and receive jitoSOL (Jito's liquid-staking token). Uses the SPL stake-pool program's...
-
prepare_kamino_init_userDestructiveFirst-time Kamino setup. Creates the user lookup table + userMetadata PDA + obligation PDA (VanillaObligation, tag 0) on Kamino's main market in a single tx. ONE-TIME — required...
-
prepare_kamino_repayDestructiveBuild a Kamino repay tx — pays down outstanding debt in the named reserve. Refuses with a clear error if the wallet has no debt in the reserve. The on-chain program clamps repay...
-
prepare_marginfi_borrowDestructiveBuild an unsigned MarginFi BORROW tx against the user's supplied collateral. Pre-flight refuses if the account has zero free collateral. The SDK computes the required oracle-ref...
-
prepare_marginfi_initDestructiveOne-time setup: build a tx that creates a deterministic MarginfiAccount PDA under the user's wallet on MarginFi mainnet. Uses `marginfi_account_initialize_pda` so only the walle...
-
prepare_marinade_stakeDestructiveBuild an unsigned Marinade stake tx: deposit `amountSol` SOL into Marinade and receive mSOL (Marinade's liquid-staking token). Uses the Marinade SDK's `marinade.deposit` so the ...
-
prepare_revoke_approvalDestructiveBuild an unsigned `approve(spender, 0)` transaction that revokes the allowance the wallet previously granted to `spender` on `token`. Pre-flight check refuses when the live allo...
-
prepare_solana_swapDestructiveBuild an unsigned Jupiter-routed swap DRAFT. Takes the `quote` object returned by `get_solana_swap_quote` and calls Jupiter's /swap-instructions endpoint to get the deconstructe...
-
prepare_sunswap_swapDestructiveBuild an unsigned SunSwap V2 same-chain swap on TRON. SunSwap V2 is a Uniswap-V2 fork; this tool routes through the V2 router (TNJVzGqKBWkJxJB5XYSqGAwUTV15U24pPq) using the stan...
-
prepare_swapDestructivePrepare an unsigned swap or bridge transaction via LiFi aggregator. Same-chain swaps use the best DEX route; cross-chain swaps use a bridge + DEX combo. Default is exact-in (`am...
-
prepare_tron_lifi_swapDestructiveBuild an unsigned LiFi-routed cross-chain bridge with TRON as the source chain. User signs a TRON tx via Ledger over USB; the bridge protocol delivers tokens on the destination ...
-
prepare_uniswap_swapDestructivePrepare a direct Uniswap V3 swap (bypasses LiFi aggregator). Use this ONLY when the user explicitly asks for Uniswap — otherwise default to `prepare_swap` which compares routes ...
-
prepare_uniswap_v3_burnDestructiveBuild an unsigned Uniswap V3 LP burn transaction — destroys the position NFT (irreversible). Hard-refuses unless the position is fully drained: `liquidity == 0` AND `tokensOwed{...
-
prepare_uniswap_v3_mintDestructiveBuild an unsigned Uniswap V3 LP mint transaction — opens a new concentrated-liquidity position on the (tokenA, tokenB, feeTier) pool, bounded by [tickLower, tickUpper]. Up to tw...
-
prepare_weth_unwrapDestructiveBuild an unsigned WETH → native ETH unwrap transaction via a direct `WETH.withdraw(uint256)` call on the canonical WETH9 contract for the target chain. Supported chains: ethereu...
-
remove_contactDestructiveRemove a labeled contact. Without `chain`, removes the label from EVERY chain that has it (one device interaction per chain when removing a signed entry). With `chain`, removes ...
-
request_capabilityDestructiveFile a capability request against the vaultpilot-mcp GitHub repository when the user asks for something this server cannot do (e.g. an unsupported protocol, chain, token, or mis...
-
revoke_readonly_inviteDestructiveRevoke a previously-generated read-only share invite by `name`. Marks the issuer-side record as revoked at the current time. Important caveat (Model A): this is issuer-side BOOK...
-
sign_message_btcDestructiveSign a UTF-8 message with a paired Bitcoin address using the Bitcoin Signed Message format (BIP-137). Returns a base64-encoded compact signature with a header byte that matches ...
-
sign_message_ltcDestructiveSign a UTF-8 message with a paired Litecoin address using the BIP-137 compact-signature scheme (with Litecoin's `\x19Litecoin Signed Message:\n` prefix). Returns the signature p...
-
unregister_btc_multisig_walletDestructiveDrop a registered multi-sig wallet from the local cache. The Ledger device retains the policy HMAC indefinitely (no on-device unregister API), so re-registering with the SAME de...
-
finalize_btc_psbtFinancialFinalize a fully-signed multi-sig PSBT (typically the output of `combine_btc_psbts` once the threshold is met) and extract the broadcast-ready tx hex. Refuses with a per-input b...
-
prepare_aave_withdrawFinancialBuild an unsigned Aave V3 withdraw transaction. Pass `amount: "max"` to withdraw the entire aToken balance.
-
prepare_compound_withdrawFinancialBuild an unsigned Compound V3 withdraw transaction. Pass `amount: "max"` to withdraw the full supplied balance.
-
prepare_eigenlayer_depositFinancialBuild an unsigned EigenLayer StrategyManager.depositIntoStrategy transaction. Includes an ERC-20 approve step if needed.
-
prepare_kamino_withdrawFinancialBuild a Kamino withdraw tx — pulls liquidity out of a previously-supplied reserve. Refuses with a clear error if the wallet has no deposit in the named reserve. Health-factor ga...
-
prepare_marginfi_withdrawFinancialBuild an unsigned MarginFi WITHDRAW tx. Withdraws the specified amount (or ALL, via `withdrawAll: true`) from the user's supplied position in the named bank. Pre-flight refuses ...
-
prepare_morpho_withdrawFinancialBuild an unsigned Morpho Blue withdraw transaction (withdraws supplied loan token). Explicit amount only — "max" is not supported; query your position first.
-
prepare_morpho_withdraw_collateralFinancialBuild an unsigned Morpho Blue withdrawCollateral transaction — removes collateral from a market to send back to the wallet. Only withdraws the exact amount specified; `"max"` is...
-
prepare_native_stake_withdrawFinancialBuild an unsigned native-stake withdraw tx. Pulls `amountSol` SOL (or 'max' for the full lamport balance) from an inactive stake account back into the wallet. 'max' closes the a...
-
prepare_tron_withdraw_expire_unfreezeFinancialBuild an unsigned TRON WithdrawExpireUnfreeze transaction — sweeps every matured unfreeze slice (those whose 14-day cooldown elapsed) back to liquid TRX. No amount needed; the c...
Attacks that target this class
Critical-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.