Build an unsigned Jupiter-routed swap DRAFT. Takes the quote object returned by get_solana_swap_quote and calls Jupiter's /swap-instructions endpoint to get the deconstructed instruction list, then composes the final v0 tx: [nonceAdvance, ...computeBudget, ...setup, swap, cleanup?, ...other]. DUR...
AI agents call prepare_solana_swap to permanently remove resources in VaultPilot MCP — typically in cleanup and lifecycle workflows. It does its job in a single call, and there is no undo.
| Parameter | Type | Required | Description |
|---|---|---|---|
quote | object | Yes | The full `quote` object returned by get_solana_swap_quote. Pass it back verbatim — Jupiter computes a signature over the quote and rejects /swap-instructions if |
wallet | string | Yes | Solana wallet executing the swap. Must have an initialized durable-nonce account — run prepare_solana_nonce_init first if not set up yet. |
prioritizationFeeLamports | integer | — | Optional priority fee in lamports. Omit to let Jupiter pick based on the local fee market (recommended). |
Parameters from the server's own tool schema.
An AI agent that decides to call prepare_solana_swap doesn't hesitate, doesn't double-check, and doesn't stop at one. Whatever it removes from VaultPilot MCP is gone — there is no undo for destructive operations.
Attacks that exploit this kind of access
Build an unsigned Jupiter-routed swap DRAFT. Takes the quote object returned by get_solana_swap_quote and calls Jupiter's /swap-instructions endpoint to get the deconstructed instruction list, then composes the final v0 tx: [nonceAdvance, ...computeBudget, ...setup, swap, cleanup?, ...other]. DURABLE NONCE REQUIRED — if the wallet hasn't run prepare_solana_nonce_init, this errors pointing to it. Uses v0 VersionedTransaction with Address Lookup Tables (Jupiter routes commonly exceed legacy-tx account limits). Returns a compact preview + opaque handle; NOT yet signable — when the user says 'send', call preview_solana_send(handle) to pin the current nonce value, then send_transaction. BLIND-SIGN REQUIRED on Ledger (Jupiter's program ID isn't in the Solana app's clear-sign registry), so the user must match the Message Hash on-device — surfaced in the CHECKS block emitted by preview_solana_send. It is categorised as a Destructive tool in the VaultPilot MCP MCP Server, which means it can permanently delete or destroy data. Block by default and require explicit approval.
prepare_solana_swap accepts 3 parameters: quote, wallet, prioritizationFeeLamports. Required: quote, wallet. The full parameter table on this page comes from the server's own tool schema.
Register the VaultPilot MCP server in PolicyLayer and add a rule for prepare_solana_swap: allow, deny, rate-limit, or require approval. Point your MCP client at the PolicyLayer proxy URL and the rule is enforced on every call, before it reaches VaultPilot MCP. Nothing to install.
prepare_solana_swap is a Destructive tool with critical risk. Critical-risk tools should be blocked by default and only enabled with explicit human approval.
Yes. Add a rate_limit block to the prepare_solana_swap rule in your PolicyLayer policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.
Set action: deny in the PolicyLayer policy for prepare_solana_swap. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.
prepare_solana_swap is provided by the VaultPilot MCP server (vaultpilot-mcp). PolicyLayer sits as a proxy in front of this server to enforce policies before tool calls reach the server.