NUS BadWAM Attack Desynchronizes Robot World-Action Models
TL;DR
- NUS and HK PolyU researchers introduce BadWAM, a black-box attack that uses small visual perturbations to desynchronize a world-action model's executed action from its imagined future.
- The action-only variant reduces one WAM's closed-loop task success from 96.5% to 43.1% without gradients or white-box access, using zeroth-order query-based optimization.
- An imagination-preserving variant keeps the predicted future close to the clean imagination while still hijacking actions, defeating imagine-then-check safety monitors that only inspect the imagined future.
A new paper from the National University of Singapore and The Hong Kong Polytechnic University, posted to Hugging Face Papers, pokes a hole in one of the more comforting stories being told about robot foundation models. The story is that world-action models (WAMs), which couple action generation with future prediction, are safer than plain policies because a robot's action can be checked against the future it imagines. Qi Li, Xingyi Yang, and Xinchao Wang argue the check is fragile, and they built an attack called BadWAM to show why.
BadWAM introduces what the authors name a World-Action Drift Attack. It uses small, bounded visual perturbations to break the alignment between what a WAM imagines and what it executes. Two variants sit on a strength-versus-stealth spectrum. The action-only variant just maximizes deviation between clean and attacked action chunks; the imagination-preserving variant adds a Lagrangian term that keeps the predicted future close to the clean one. Both are black-box: the optimizer uses zeroth-order finite-difference queries against a frozen model, no gradients or weights required.
The headline number is the one people will quote. Under closed-loop execution, the action-only attack reduces one WAM variant from 96.5% to 43.1% task success. The authors evaluate on LIBERO and RoboTwin and report that the induced shifts concentrate on continuous action channels like translation and gripper commands, and on specific portions of the action horizon, rather than looking like uniform noise. That structure matters, because it suggests the failure mode is coupled to the model's own action decomposition, not just visual corruption.
The stealth variant is arguably the more consequential result for anyone building safety layers on top of WAMs. Recent work has treated the imagined future as a signal that a monitor can inspect to decide whether an action is safe to execute. BadWAM's imagination-preserving attack explicitly targets that assumption: it degrades executed actions while keeping the visualized future close to the clean rollout, so an imagine-then-check gate sees a plausible imagination and waves through a desynchronized action.
The honest caveat is that the paper is a security disclosure of an attack surface, not a benchmark sweep or a defense proposal. The retrieved sections lead with a single 96.5-to-43.1 result on one WAM and do not, in what I read, walk through defense candidates or full cross-model tables. What's promising is the forward move it points to: if you are shipping a WAM-based control stack, the security-critical object is the alignment between action and imagination, and that is what your next monitor should be watching, not the pretty imagined video on its own.
Originally reported by huggingface.co
Read the original article →Original headline: NUS Paper 'BadWAM' Shows Small Perturbations Desynchronize World-Action Models' Dream From Deed, Crash Task Success 96.5%→43.1%