High-risk tools in VaultPilot MCP
39 of the 189 tools in VaultPilot MCP are classified as high risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.
Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.
Tools at high risk
-
build_incident_reportExecuteBuild a forensic incident-report bundle for a security review or disclosure. Read-only — gathers evidence already available to the server (demo-mode state, paired Ledger summary...
-
exit_demo_modeExecuteBuild a step-by-step guide for the user to exit demo mode and switch to operational (real signing) mode. The MCP server CANNOT actually unset VAULTPILOT_DEMO or invoke the setup...
-
prepare_aave_borrowExecuteBuild an unsigned Aave V3 borrow transaction (variable rate — stable rate is deprecated and reverts on production markets). The borrower must already have sufficient collateral ...
-
prepare_aave_repayExecuteBuild an unsigned Aave V3 repay transaction. If an ERC-20 approve() is required first, it is returned as the outer tx and repay is in `.next`. Pass `amount: "max"` to repay the ...
-
prepare_aave_supplyExecuteBuild an unsigned Aave V3 supply transaction. If an ERC-20 approve() is required first, it is returned as the outer tx and the supply tx is embedded in `.next`. Both must be sig...
-
prepare_compound_borrowExecuteBuild an unsigned Compound V3 borrow transaction. Compound V3 encodes a borrow as `withdraw(baseToken)` drawn beyond the wallet's supplied balance — the base token is resolved o...
-
prepare_compound_repayExecuteBuild an unsigned Compound V3 repay transaction — encoded as supply(baseToken) against an outstanding borrow. Includes an approve step if needed. Pass `amount: "max"` for a full...
-
prepare_compound_supplyExecuteBuild an unsigned Compound V3 supply transaction (base token or collateral). If an ERC-20 approve() is required first, it is returned as the outer tx with supply in `.next`.
-
prepare_curve_swapExecuteBuild an unsigned Curve swap on Ethereum. Issue #615. Supports the canonical legacy stETH/ETH pool (0xDC24316b9AE028F1497c275EB9192a3Ea0f67022 — historically the tightest-spread...
-
prepare_custom_callExecuteESCAPE HATCH for arbitrary EVM contract calls — Timelock proposals, governance hooks, DAO ops, anything not covered by a protocol-specific `prepare_*`. BYPASSES the canonical-di...
-
prepare_kamino_borrowExecuteBuild a Kamino borrow tx — pulls liquidity from a reserve as debt against the obligation's existing collateral. Refuses if the wallet hasn't run prepare_kamino_init_user; refuse...
-
prepare_kamino_supplyExecuteBuild a Kamino deposit (supply) tx. Refuses if the wallet doesn't have Kamino userMetadata + obligation already initialized — run prepare_kamino_init_user first. Validates that ...
-
prepare_lido_stakeExecuteBuild an unsigned Lido stake transaction (wraps ETH into stETH via stETH.submit). The tx's value field is the ETH amount to stake.
-
prepare_lido_unstakeExecuteBuild an unsigned Lido withdrawal request transaction. Wraps `requestWithdrawals` on the Lido Withdrawal Queue and includes an approve step if needed.
-
prepare_lido_unwrapExecuteBuild an unsigned wstETH.unwrap transaction that converts wstETH (non-rebasing) back into stETH (rebasing). No approval needed — burns wstETH from the caller's balance.
-
prepare_lido_wrapExecuteBuild an unsigned wstETH.wrap transaction that converts stETH (rebasing) into wstETH (non-rebasing). 1:1 by share count, no DEX fee. Includes an stETH approve step to the wstETH...
-
prepare_marginfi_repayExecuteBuild an unsigned MarginFi REPAY tx against outstanding debt in the named bank. Pass `repayAll: true` to repay the full outstanding debt (also clears the balance slot). DURABLE ...
-
prepare_marginfi_supplyExecuteBuild an unsigned MarginFi SUPPLY tx for a given bank (by symbol or mint). Supplies the specified amount of the underlying token into the user's MarginfiAccount position in that...
-
prepare_marinade_unstake_immediateExecuteBuild an unsigned Marinade IMMEDIATE liquid-unstake tx: burn `amountMSol` mSOL and receive SOL in the same tx via Marinade's liquidity pool (NOT delayed-unstake / OrderUnstake —...
-
prepare_morpho_borrowExecuteBuild an unsigned Morpho Blue borrow transaction. Requires pre-existing collateral in the market.
-
prepare_morpho_repayExecuteBuild an unsigned Morpho Blue repay transaction. Includes an approve step if needed. Explicit amount only — "max" is not supported.
-
prepare_morpho_supplyExecuteBuild an unsigned Morpho Blue supply transaction — deposits the market's loan token to earn lending yield. Market params (loan/collateral tokens, oracle, IRM, LLTV) are resolved...
-
prepare_morpho_supply_collateralExecuteBuild an unsigned Morpho Blue supplyCollateral transaction — adds collateral to a market. Includes an approve step if needed.
-
prepare_native_stake_deactivateExecuteBuild an unsigned native-stake deactivate tx. Initiates the one-epoch (~2-3 days) cooldown after which the stake becomes withdrawable; the stake earns no rewards during deactiva...
-
prepare_native_stake_delegateExecuteBuild an unsigned native-stake-program tx that creates a fresh stake account at a deterministic address (derived per (wallet, validator) via createAccountWithSeed) and delegates...
-
prepare_rocketpool_stakeExecuteBuild an unsigned Rocket Pool stake transaction (RocketDepositPool.deposit() payable, mints rETH at the current exchange rate). Ethereum mainnet only — rETH on L2s is bridged an...
-
prepare_rocketpool_unstakeExecuteBuild an unsigned Rocket Pool unstake transaction (rETH.burn(uint256), redeems rETH for ETH from on-protocol collateral). No approval needed — burn operates on caller's balance....
-
prepare_safe_tx_executeExecuteBuild the final on-chain `execTransaction` UnsignedTx that lands a Safe (Gnosis Safe) multisig payload. The executor doesn't need to have pre-approved on-chain — when `msg.sende...
-
prepare_solana_lifi_swapExecuteBuild an unsigned LiFi-routed swap or bridge with Solana as the source chain. Returns a Solana v0 tx the user signs on Ledger. Two flows share this surface: (1) IN-CHAIN swap wh...
-
prepare_tron_claim_rewardsExecuteBuild an unsigned TRON WithdrawBalance transaction that claims accumulated voting rewards to the owner's balance. TRON enforces a 24-hour cooldown between claims — TronGrid will...
-
prepare_tron_freezeExecuteBuild an unsigned TRON Stake 2.0 FreezeBalanceV2 transaction. Locks TRX to earn `bandwidth` (fuels plain transfers) or `energy` (fuels smart-contract calls) and gains proportion...
-
prepare_tron_unfreezeExecuteBuild an unsigned TRON Stake 2.0 UnfreezeBalanceV2 transaction — begins the 14-day cooldown on a previously-frozen slice. The `amount` must not exceed what's currently frozen fo...
-
prepare_uniswap_v3_collectExecuteBuild an unsigned Uniswap V3 LP collect transaction — harvests every token the position is owed (decreased liquidity from prior `prepare_uniswap_v3_decrease_liquidity` calls + a...
-
prepare_uniswap_v3_decrease_liquidityExecuteBuild an unsigned Uniswap V3 LP decreaseLiquidity transaction — removes liquidity from an existing position by tokenId. Pass `liquidityPct: 100` for a full close-out (typical fo...
-
prepare_uniswap_v3_increase_liquidityExecuteBuild an unsigned Uniswap V3 LP increaseLiquidity transaction — adds liquidity to an existing position identified by `tokenId`. Reads the position's (token0, token1, fee, tickLo...
-
prepare_uniswap_v3_rebalanceExecuteBuild an unsigned Uniswap V3 LP rebalance transaction — moves a position from its current tick range to a new one in a single multicall. Composes (in order): decreaseLiquidity(1...
-
rescan_btc_accountExecuteREAD-ONLY — refresh the cached on-chain `txCount` for every paired Bitcoin address under one Ledger account by re-querying the indexer. Pure indexer-side: NO Ledger / USB intera...
-
rescan_ltc_accountExecuteREAD-ONLY — refresh the cached on-chain `txCount` for every paired Litecoin address under one Ledger account by re-querying the indexer. Pure indexer-side: NO Ledger / USB inter...
-
simulate_transactionExecuteRun an eth_call against the chain's RPC to simulate a transaction without signing or broadcasting it. Returns `{ ok, returnData?, revertReason? }`. Use this BEFORE prepare_*/sen...
Attacks that target this class
High-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.