Search papers, labs, and topics across Lattice.
This paper identifies vulnerabilities in vision-language-action (VLA) policies that utilize an imagine-then-act design, specifically targeting the world-action model (WAM) that generates latent trajectories for action conditioning. By employing a capability-based threat model, the authors demonstrate that corrupting the WAM's imagination is significantly easier than steering it to a specific target, revealing a critical asymmetry in robustness. The results show that untargeted attacks can achieve a corruption strength approximately 60 times greater than random perturbations, leading to notable task failures in imagination-driven model predictive control systems.
Corrupting the imagination in VLA policies is 60 times more effective than random perturbations, exposing a critical vulnerability in safety mechanisms.
Many recent vision-language-action (VLA) policies adopt an imagine-then-act design. A world-action model (WAM) first imagines a short future as a latent trajectory z~, on which the action is then conditioned. We identify this trusted imagination, rather than the reactive policy, as the exposed attack surface. A downstream oracle, such as a safety gate, a visual model-predictive-control (MPC) planner, or an imagine-then-check verifier, consumes z~ as a prediction of the future. The robustness of the policy therefore does not entail the robustness of systems that rely on the WAM. The underlying phenomenon is an asymmetry. Corrupting the imagination is easy, since it requires only displacing z~ from its natural-future manifold. Steering it precisely is hard, since it must reach a specified on-manifold target. We adopt a capability-based threat model with an L-infinity-bounded observation perturbation. The attacker applies projected gradient descent through the fully differentiable observation-to-imagination map. The same off-manifold property motivates a parameter-free denoiser detector. We evaluate three targets: RynnVLA-002, LingBot-VA, and LaDi-WM. Untargeted corruption is roughly 60x stronger than random and is detected at AUC 1.0. Targeted control remains bounded. An adaptive attacker evades detection only by forgoing corruption. The reactive policy remains robust to corrupted imagination. A native imagination-driven MPC, however, exhibits the first adversary-specific task failure (at epsilon=0.01, success 0.70 versus 0.05; Fisher p < 10^-4).