EMILIA FIRE DRILL · REPORT
Fix PR open

bvcc-agent-mcp

money movement

Dangerous action found

sendNative / sendToken / swap (write capabilities): signs and broadcasts on-chain fund transfers and swaps across multiple chains from the agent wallet.

// src/server.ts  ·  capability dispatch closure (server.tool callback, ~line 141)
const result = await cap.invoke(client, rest as never);

Currently: runs unguarded — write-kind capabilities broadcast irreversible on-chain transactions; the only switch is an all-or-nothing BVCC_MCP_READONLY flag, no per-action human authorization.

Proposed fix — Receipt Required

Gate the write branch in the dispatch closure (src/server.ts:141): when cap.kind===write, require a @emilia-protocol/require-receipt authorization receipt before cap.invoke — one chokepoint covering every fund-moving tool.

Result after patch (RR-1):

1. Missing receipt: blocked — 428 Receipt Required
2. Valid receipt: sends once, receipt consumed
3. Replayed receipt: refused — one-time consumption
4. Forged receipt: refused — signature / action-binding fails
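
The four outcomes above, as an added sketch that is not code from the repository, the fix PR, or @emilia-protocol/require-receipt. It assumes HMAC-SHA256 under a demo key as the signature scheme; gate, issueReceipt, the 403/409 status codes and all sample values are hypothetical.

```typescript
import { createHash, createHmac, timingSafeEqual } from "node:crypto";

// Assumption: HMAC-SHA256 under a demo key stands in for the receipt signature scheme.
const APPROVER_KEY = "constructed-demo-key";
type Args = Record<string, string>;
type Receipt = { id: string; sig: string };
type Verdict = { status: number; reason: string };
const consumed = new Set<string>(); // spent receipt ids (in-memory for this sketch)

// Digest of the exact call arguments (flat object, keys sorted for a stable encoding).
const digestArgs = (args: Args): string =>
  createHash("sha256").update(JSON.stringify(args, Object.keys(args).sort())).digest("hex");

// The signature covers receipt id, action name and argument digest: the action binding.
const sign = (id: string, action: string, args: Args): string =>
  createHmac("sha256", APPROVER_KEY).update(`${id}\n${action}\n${digestArgs(args)}`).digest("hex");

// Hypothetical approver-side helper: one receipt for one action with one argument set.
const issueReceipt = (id: string, action: string, args: Args): Receipt => ({ id, sig: sign(id, action, args) });

// Hypothetical gate, meant to run in the dispatch closure before cap.invoke.
// 403 and 409 are assumed status codes; the page only specifies 428.
function gate(kind: "read" | "write", action: string, args: Args, r?: Receipt): Verdict {
  if (kind !== "write") return { status: 200, reason: "read capability, no receipt needed" };
  if (!r) return { status: 428, reason: "Receipt Required" };
  // Recompute over what is about to execute, not over what the receipt claims.
  const expected = Buffer.from(sign(r.id, action, args), "hex");
  const given = Buffer.from(r.sig, "hex");
  if (given.length !== expected.length || !timingSafeEqual(given, expected))
    return { status: 403, reason: "signature / action-binding failed" };
  if (consumed.has(r.id)) return { status: 409, reason: "receipt already consumed" };
  consumed.add(r.id); // consume before invoking so a retry cannot send twice
  return { status: 200, reason: "authorized once" };
}

// Constructed sample calls; the address is a placeholder, not taken from the repository.
function demo(): number[] {
  consumed.clear();
  const transfer: Args = { to: "0xPLACEHOLDER", amount: "100" };
  const ok = issueReceipt("r-1", "sendNative", transfer);
  return [
    gate("write", "sendNative", transfer).status, // missing receipt
    gate("write", "sendNative", transfer, ok).status, // valid receipt
    gate("write", "sendNative", transfer, ok).status, // replayed receipt
    gate("write", "sendNative", transfer, { id: "r-2", sig: "00".repeat(32) }).status, // forged
    gate("write", "sendNative", { ...transfer, amount: "9999" }, issueReceipt("r-3", "sendNative", transfer)).status,
  ];
}
console.log(demo());
```

The last case shows the action binding: a genuine receipt issued for one amount is refused when presented with a different one.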

Scope: this is a static reference-implementation assessment of a missing human-authorization receipt on one irreversible action, derived from the repository’s public source. It is not a vulnerability report, not a claim the action is exploitable, and not auth or permissions. Maintainer active (last push 2026-06-29). Handler bodies live in the external @bvcc/agent-sdk; the in-repo seam is the dispatch closure. Report intended to go live alongside a fix PR.
