AI agents call prepare_btc_lifi_swap to permanently remove resources in VaultPilot MCP — typically in cleanup and lifecycle workflows. It does its job in a single call, and there is no undo.
| Parameter | Type | Required | Description |
|---|---|---|---|
| amount | string | Yes | Decimal BTC string (up to 8 fractional digits, e.g. "0.005"). "max" is NOT supported — bridges commit to an exact deposit amount via the OP_RETURN memo at quote |
| wallet | string | Yes | Paired Bitcoin source address. Phase 1 source-side scope: native segwit (`bc1q…`) and taproot (`bc1p…`) only. Multi-source consolidation is out of scope here — |
| toChain | string | Yes | Destination chain. EVM `SupportedChain` (ethereum/arbitrum/polygon/base/optimism) for an EVM bridge, or `"solana"` for native SOL/SPL delivery. TRON is NOT rout |
| toToken | string | Yes | Destination token. EVM hex when `toChain` is EVM; SPL mint (base58) when `toChain === "solana"`. `"native"` resolves to the chain's conventional native sentinel |
| toAddress | string | Yes | Destination wallet — REQUIRED. The Bitcoin source address is not a valid recipient on any destination chain. Format must match the destination (Solana base58 fo |
| slippageBps | integer | — | Slippage tolerance in basis points (50 = 0.5%, 100 = 1%). Default ~50. Hard-capped at 500 (5%); above 100 (1%) requires `acknowledgeHighSlippage: true` to opt i |
| acknowledgeHighSlippage | boolean | — | Required when `slippageBps > 100`. Mirrors the `prepare_swap` guard — forces the caller to state that an unusually-high slippage is intentional. |
Parameters from the server's own tool schema.
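
The constraints in the parameter table above, written as a pre-call guard that a policy proxy or agent wrapper could run before the tool is invoked. This is an added example, not VaultPilot or PolicyLayer code; `checkSwapArgs`, the address regexes and the sample values are assumptions made for illustration.

```javascript
// Added example: pre-call guard for prepare_btc_lifi_swap arguments.
// checkSwapArgs and the format regexes below are assumptions, not server code.
const EVM_CHAINS = new Set(["ethereum", "arbitrum", "polygon", "base", "optimism"]);
const EVM_HEX = /^0x[0-9a-fA-F]{40}$/;            // assumed EVM address/token shape
const BASE58 = /^[1-9A-HJ-NP-Za-km-z]{32,44}$/;   // assumed Solana address/mint shape
const BTC_SRC = /^bc1[qp][ac-hj-np-z02-9]{38,58}$/; // prefix + charset only, no checksum

function checkSwapArgs(a) {
  const errs = [];
  // Exact decimal amount, at most 8 fractional digits; "max" fails this pattern.
  if (typeof a.amount !== "string" || !/^\d+(\.\d{1,8})?$/.test(a.amount)) {
    errs.push("amount: decimal BTC string with up to 8 fractional digits required");
  }
  // Source must be native segwit (bc1q) or taproot (bc1p).
  if (typeof a.wallet !== "string" || !BTC_SRC.test(a.wallet)) {
    errs.push("wallet: only bc1q / bc1p source addresses are in scope");
  }
  const isEvm = EVM_CHAINS.has(a.toChain);
  if (!isEvm && a.toChain !== "solana") {
    errs.push("toChain: unsupported destination (TRON is not routable)");
  } else {
    // Token and recipient formats must both match the destination chain.
    const shape = isEvm ? EVM_HEX : BASE58;
    if (a.toToken !== "native" && !shape.test(String(a.toToken))) {
      errs.push("toToken: format does not match toChain");
    }
    if (!shape.test(String(a.toAddress))) {
      errs.push("toAddress: format does not match toChain");
    }
  }
  // Slippage: hard cap 500 bps; above 100 bps needs explicit acknowledgement.
  if (a.slippageBps !== undefined) {
    if (!Number.isInteger(a.slippageBps) || a.slippageBps < 0 || a.slippageBps > 500) {
      errs.push("slippageBps: integer between 0 and 500 required");
    } else if (a.slippageBps > 100 && a.acknowledgeHighSlippage !== true) {
      errs.push("slippageBps: above 100 requires acknowledgeHighSlippage: true");
    }
  }
  return errs;
}

// Constructed sample values (not real addresses).
const SAMPLE_OK = {
  amount: "0.005", wallet: "bc1q" + "q".repeat(38), toChain: "arbitrum",
  toToken: "native", toAddress: "0x" + "ab".repeat(20), slippageBps: 50,
};
console.log(checkSwapArgs(SAMPLE_OK));                               // no violations
console.log(checkSwapArgs({ ...SAMPLE_OK, amount: "max", slippageBps: 150 }));
```

The wallet check covers only the prefix and bech32 character set; a production guard would also verify the bech32/bech32m checksum.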
An AI agent that decides to call prepare_btc_lifi_swap doesn't hesitate, doesn't double-check, and doesn't stop at one. Whatever it removes from VaultPilot MCP is gone — there is no undo for destructive operations.
Risk signals: Bulk/mass operation — affects multiple targets
Build an unsigned Bitcoin PSBT-v0 that bridges native BTC to a token on another chain via LiFi's aggregator. LiFi auctions the route across intent solvers (NEAR Intents, Garden, Thorswap, Chainflip, Symbiosis, …) and returns a PSBT depositing to the chosen solver's vault address with an OP_RETURN memo committing to the cross-chain destination. Destinations: every EVM chain (ethereum/arbitrum/polygon/base/optimism) and Solana — TRON has no LiFi route from BTC and is rejected. Source-side scope (Phase 1, mirrors prepare_btc_send): native segwit and taproot only.
Returns a 15-min handle the agent forwards to send_transaction; the Ledger BTC app clear-signs every output (vault deposit + OP_RETURN + change-back-to-source + LiFi fee output) on-screen, so there is NO blind-sign hash to pre-match in chat. The verification block surfaces the vault address, OP_RETURN bytes (hex + ASCII prefix), expected and minimum output on the destination, slippage, the chosen solver, and execution duration estimate.
Server-side checks before forwarding: every PSBT input belongs to the source address, exactly one OP_RETURN output is present, the deposit output address matches the LiFi-advertised vault, and nonWitnessUtxo is hydrated on every input (Ledger 2.x rejects segwit/taproot inputs without it).
It is categorised as a Destructive tool in the VaultPilot MCP Server, which means it can permanently delete or destroy data. Block by default and require explicit approval.
prepare_btc_lifi_swap accepts 7 parameters: amount, wallet, toChain, toToken, toAddress, slippageBps, acknowledgeHighSlippage. Required: amount, wallet, toChain, toToken, toAddress. The full parameter table on this page comes from the server's own tool schema.
Register the VaultPilot MCP server in PolicyLayer and add a rule for prepare_btc_lifi_swap: allow, deny, rate-limit, or require approval. Point your MCP client at the PolicyLayer proxy URL and the rule is enforced on every call, before it reaches VaultPilot MCP. Nothing to install.
prepare_btc_lifi_swap is a Destructive tool with critical risk. Critical-risk tools should be blocked by default and only enabled with explicit human approval.
Yes. Add a rate_limit block to the prepare_btc_lifi_swap rule in your PolicyLayer policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.
Set action: deny in the PolicyLayer policy for prepare_btc_lifi_swap. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.
prepare_btc_lifi_swap is provided by the VaultPilot MCP server (vaultpilot-mcp). PolicyLayer sits as a proxy in front of this server to enforce policies before tool calls reach the server.