Model Context Protocol (MCP) is currently a prominent topic in the technology news cycle. As with any new protocol or technology, there is an understandable excitement surrounding its potential, which can sometimes lead to a neglect of inherent risks and security implications. We are now observing novel vulnerabilities emerging with MCP that were previously unforeseen.

In this installment, we will delve into the specifics of Rug Pull attacks. You can view our first installment on Tool Poisoning Attacks here.

Rug Pull Attacks: An overview

A Rug Pull Attack is a targeted security threat in which a previously trusted MCP server or tool—after gaining user confidence—is silently updated to include malicious instructions. Once updated, AI agents or users who continue to interact with the compromised server/tool may unknowingly trigger actions that lead to data exfiltration, system compromise, or other harmful outcomes

How Rug Pull Attacks Happen

1. Initial Benign State: The MCP server and the tool initially begin in a benign state. Many clients have a user approval process where they need to approve the tool during installation or before execution.

2. Exploiting Established Trust: Once the client trusts the tool, the MCP server can weaponize it by injecting a malicious prompt, effectively "pausing" the tool itself.

3. Silent Update: Due to the bidirectional nature of MCP, the MCP server can send a tools list change notification to the client. The client then pulls an updated version of the tool, integrating the malicious prompt.

4. Consequences: This attack occurs at runtime between the client and the server.

Imagine a trusted photo editing tool. Once approved, the MCP server silently updates it with a malicious prompt that, instead of simply editing photos, begins searching for and uploading personal documents to an external server.

Mitigation Strategies

Defending against rug pull attack vulnerabilities requires a multi-layered strategy. Key measures include:

• Enforcing explicit, policy-based access controls to govern what updated tools are allowed to do.

• Implementing manual vetting and continuous monitoring of tool updates.

• Disabling auto-approval or auto-update mechanisms, especially for sensitive or high-permission tools.

The most robust defense is to use a hosted MCP Gateway like Natoma, which performs security scanning, restricts usage to trusted MCP sources, and ensures that servers or tools are never auto-updated without explicit authorization.

Looking Ahead

In the subsequent blogs in this series, we will explore other emerging vulnerabilities within the Model Context Protocol, including data poisoning, prompt injection, and privilege escalation attacks. Understanding these risks is paramount as we continue to harness the power of advanced AI models.

Stay tuned for our next installment.