Adversaries corrupt the imagination in VLA agents
New work shows imagine-then-act vision–language–action agents trust a latent “imagination” that attackers can corrupt with small, gradient-based tweaks to a single camera frame. Untargeted corruption is about 60× stronger than random and can derail MPC planning, while a simple denoiser detector flags off‑manifold tampering with near‑perfect AUC.
Imagine-then-act agents don’t reason on the raw scene; they first conjure a short future in a latent and act based on that. Many pipelines also hand this imagined future to “oracles” such as safety gates, model predictive control (MPC) planners or imagine-then-check verifiers. This new paper argues the quiet part: the trusted imagination is the soft spot, not the policy.
The authors target the world–action model (WAM) that maps a single camera observation to a latent trajectory of future frames. Under a white-box, capability-based threat model, they apply projected gradient descent (PGD) through the differentiable observation-to-imagination map with an ℓ∞ budget on the input image. The goal is either untargeted corruption, which pushes the latent off its natural-future manifold, or targeted steering to a chosen on-manifold future.
Untargeted wins by a mile. Adversarial corruption beats random noise by roughly 60× and produces visibly mangled decoded futures. Worse, the damage amplifies along the imagination channel: at ϵ=0.1 they measure about 24.5× more divergence in the imagined future than in the current-frame latent. Translation: nudge the camera a little; the dreamed future goes haywire.
Because that corruption lives off-manifold, it’s loud. A parameter-free denoiser self-consistency check, using mean future-frame velocity-prediction norms, separates clean from adversarial at AUC ≈ 1.0 in their tests. Targeted control is much harder: typical progress sits around gap_closed ≈ 0.2 and decoded frames often still look like the original scene. Adaptive attackers face a hard trade-off: evading the detector means surrendering meaningful corruption.
Here’s the buried lede for practitioners: the reactive policy largely shrugs off corrupted imagination in closed loop, but a native imagination-driven MPC did not. On one evaluated task with LaDi-WM, success crashed from about 0.70 under random noise to 0.05 under adversarial perturbations at ϵ=0.01 (Fisher p < 1e-4). They also test RynnVLA-002 and LingBot-VA to probe different imagination-to-action couplings.
There are caveats. Everything runs in simulation, and that MPC failure appears on a single task with N=20. The threat model is white-box and assumes a fully differentiable path from pixels to imagination; black-box transfer isn’t explored. Under observation-space attacks the vision and imagination paths share an encoder, so clean attribution to “imagination-only” effects is constrained. Still, the asymmetry is the story: corrupting the imagined future is easy; precisely steering it isn’t. If your planner or verifier treats z~ as ground truth, you’ve built an oracle with clay feet.
Additional analysis of the original ArXiv paper
📋 Original Paper Title and Abstract
Attacking the Trusted Imagination: Oracle-Level Integrity Attacks on Imagine-then-Act World Models
🔍 ShortSpan Analysis of the Paper
Problem
This paper studies a previously underappreciated integrity risk in imagine-then-act vision-language-action systems. These systems use a learned world-action model to imagine a short latent future trajectory z~ that downstream modules such as safety gates, model-predictive-control planners or imagine-then-check verifiers trust as a prediction of the future. The paper shows that corrupting that trusted imagination is an attack surface distinct from attacking the reactive policy, and that policy robustness does not guarantee the robustness of systems that rely on the imagined latent.
Approach
The authors adopt a white-box, capability-based threat model in which an attacker perturbs a single camera observation within an ℓ∞ budget. For continuous, differentiable observation-to-imagination maps they perform projected gradient descent through the frozen encoder and world model to directly manipulate the latent imagination. They evaluate untargeted corruption (maximising divergence from the clean imagination) and targeted steering (aiming the imagination toward a chosen on-manifold target). They test three representative WAM targets spanning different imagination-to-action couplings: RynnVLA-002, LingBot-VA and LaDi-WM. They also propose a parameter-free denoiser self-consistency detector based on mean future-frame velocity-prediction norms, and evaluate adaptive attackers that trade off corruption against detector score.
Key Findings
- Untargeted corruption is far more effective than random noise: adversarial corruption exceeds random by up to about 60× and produces perceptibly damaged decoded imagined frames.
- Corruption amplifies along the imagination channel relative to the immediate observation read-out; amplification was measured at about 24.5× at ϵ=0.1, meaning the imagined future diverges much more than the current-frame latent.
- Off-manifold corruption is highly detectable: the denoiser self-consistency detector separates clean from adversarial imaginings at AUC ≈ 1.0 in experiments.
- Targeted steering is fundamentally bounded: moving the latent to a specific on-manifold target is much harder than untargeted corruption, with typical gap_closed values around 0.2 and decoded frames often remaining the original scene.
- Adaptive attackers cannot both evade the detector and produce strong corruption; evasion requires surrendering corruption, showing a trade-off between detectability and impact.
- Reactive policies remain robust to corrupted imagination in closed loop, but an imagination-driven MPC exposed to the corrupted latent suffered an adversary-specific task failure: at ϵ=0.01 success fell from about 0.70 under random noise to 0.05 under adversarial perturbation (Fisher p < 1e-4) in LaDi-WM on a single evaluated task.
Limitations
Evaluation is simulation only and the closed-loop MPC failure is reported on a single task with N=20; broader multi-task rollouts are needed. Under observation-space attacks the direct-vision and imagination-refinement paths share an encoder and cannot be fully separated, so imagination-specific attribution is constrained. Targeted steering is shown to be bounded rather than fully controllable. Some availability impact estimates were reduced after larger-scale runs.
Implications
An attacker with white-box access to a deployed WAM can steer the imagined latent via small, bounded perturbations to a single observed frame, causing downstream oracles that trust that latent to make incorrect decisions without any real-world corrective signal. Practical offensive consequences include fooling safety gates or verifiers, causing a visual MPC to select unsafe actions, or otherwise undermining any planner or decision module that treats the imagined trajectory as ground truth. The attack is especially potent when the consumer has no real-world feedback loop, and untargeted corruption is both easier and more damaging than precise steering.
