🤖 AI Summary
Current visual world models exhibit insufficient robustness under adversarial perturbations, and conventional attacks rely on ground-truth future videos and predictable user controls, limiting their effectiveness in evaluating model vulnerabilities. This work proposes BadWorld, a novel framework that enables, for the first time, label-free adversarial attacks on visual world models. By introducing a self-supervised velocity-based attack to disrupt early-stage denoising and employing trajectory-adaptive bilevel optimization to discover challenging control sequences, BadWorld generates visually imperceptible, control-agnostic perturbations. This approach eliminates dependence on future supervision and action predictability, significantly degrading model performance under both continuous and discrete control settings—manifested as denoising failure, structural collapse, and control inconsistency—thereby exposing fundamental structural weaknesses in visual world models.
📝 Abstract
Visual world models (VWMs) synthesize interactive, action-conditioned rollouts from a single context image. However, it remains an open question how robust these models are to adversarial perturbations. Standard adversarial attacks fail to assess this vulnerability because attackers lack ground-truth future videos and cannot predict subsequent user controls. We introduce BadWorld, a label-free adversarial framework tailored for autoregressive VWMs that systematically overcomes both constraints. First, to bypass the need for future supervision, we propose a self-supervised velocity attack that directly disrupts the early denoising dynamics of the model. Second, to ensure the attack generalizes across unpredictable user actions, we formulate a trajectory-adaptive bi-level optimization that actively mines hard control sequences to forge control-agnostic perturbations. Evaluated on representative VWMs with continuous and discrete controls, BadWorld exposes severe structural fragility. Visually indistinguishable adversarial images reliably trigger catastrophic degradation in future rollouts, leading to incomplete denoising, structural collapse, and control inconsistency. These findings reveal critical risks for deploying VWMs in safety-critical systems while highlighting a practical mechanism for privacy protection.