Search papers, labs, and topics across Lattice.
This paper introduces BadWorld, an innovative adversarial framework designed to evaluate the robustness of visual world models (VWMs) against adversarial perturbations without requiring ground-truth future videos. By employing a self-supervised velocity attack and a trajectory-adaptive bi-level optimization, the authors demonstrate that visually indistinguishable adversarial images can lead to significant degradation in model performance, including incomplete denoising and structural collapse. The results underscore the vulnerability of VWMs in safety-critical applications, revealing a pressing need for enhanced robustness measures.
Visually indistinguishable adversarial images can trigger catastrophic failures in visual world models, exposing critical vulnerabilities in their deployment.
Visual world models (VWMs) synthesize interactive, action-conditioned rollouts from a single context image. However, it remains an open question how robust these models are to adversarial perturbations. Standard adversarial attacks fail to assess this vulnerability because attackers lack ground-truth future videos and cannot predict subsequent user controls. We introduce BadWorld, a label-free adversarial framework tailored for autoregressive VWMs that systematically overcomes both constraints. First, to bypass the need for future supervision, we propose a self-supervised velocity attack that directly disrupts the early denoising dynamics of the model. Second, to ensure the attack generalizes across unpredictable user actions, we formulate a trajectory-adaptive bi-level optimization that actively mines hard control sequences to forge control-agnostic perturbations. Evaluated on representative VWMs with continuous and discrete controls, BadWorld exposes severe structural fragility. Visually indistinguishable adversarial images reliably trigger catastrophic degradation in future rollouts, leading to incomplete denoising, structural collapse, and control inconsistency. These findings reveal critical risks for deploying VWMs in safety-critical systems while highlighting a practical mechanism for privacy protection.