🚨 We introduce <strong>BadWorld</strong>, a label-free adversarial attack for visual world models.</p>\n<p>Starting from a single perturbed context image 🖼️, BadWorld can break down model's future predictions, even under user controls it has never seen before 🎮.</p>\n<p>This exposes serious robustness risks in today’s visual world models.</p>\n","updatedAt":"2026-06-16T03:29:31.645Z","author":{"_id":"634cfebc350bcee9bed20a4d","avatarUrl":"https://cdn-avatars.huggingface.co/v1/production/uploads/634cfebc350bcee9bed20a4d/fN47nN5rhw-HJaFLBZWQy.png","fullname":"Xingyi Yang","name":"adamdad","type":"user","isPro":false,"isHf":false,"isHfAdmin":false,"isMod":false,"followerCount":26,"isUserFollowing":false}},"numEdits":0,"identifiedLanguage":{"language":"en","probability":0.7835062742233276},"editors":["adamdad"],"editorAvatarUrls":["https://cdn-avatars.huggingface.co/v1/production/uploads/634cfebc350bcee9bed20a4d/fN47nN5rhw-HJaFLBZWQy.png"],"reactions":[],"isReport":false}}],"primaryEmailConfirmed":false,"paper":{"id":"2606.16519","authors":[{"_id":"6a30bfbfa0d4daae4285fed7","name":"Linghui Shen","hidden":false},{"_id":"6a30bfbfa0d4daae4285fed8","name":"Mingyue Cui","hidden":false},{"_id":"6a30bfbfa0d4daae4285fed9","user":{"_id":"634cfebc350bcee9bed20a4d","avatarUrl":"https://cdn-avatars.huggingface.co/v1/production/uploads/634cfebc350bcee9bed20a4d/fN47nN5rhw-HJaFLBZWQy.png","isPro":false,"fullname":"Xingyi Yang","user":"adamdad","type":"user","name":"adamdad"},"name":"Xingyi Yang","status":"claimed_verified","statusLastChangedAt":"2026-06-16T12:06:59.048Z","hidden":false}],"mediaUrls":["https://cdn-uploads.huggingface.co/production/uploads/634cfebc350bcee9bed20a4d/0LRrO1eRQrwD8x3gmHMar.mp4"],"publishedAt":"2026-06-15T00:00:00.000Z","submittedOnDailyAt":"2026-06-16T00:00:00.000Z","title":"BadWorld: Adversarial Attacks on World Models","submittedOnDailyBy":{"_id":"634cfebc350bcee9bed20a4d","avatarUrl":"https://cdn-avatars.huggingface.co/v1/production/uploads/634cfebc350bcee9bed20a4d/fN47nN5rhw-HJaFLBZWQy.png","isPro":false,"fullname":"Xingyi Yang","user":"adamdad","type":"user","name":"adamdad"},"summary":"Visual world models (VWMs) synthesize interactive, action-conditioned rollouts from a single context image. However, it remains an open question how robust these models are to adversarial perturbations. Standard adversarial attacks fail to assess this vulnerability because attackers lack ground-truth future videos and cannot predict subsequent user controls. We introduce BadWorld, a label-free adversarial framework tailored for autoregressive VWMs that systematically overcomes both constraints. First, to bypass the need for future supervision, we propose a self-supervised velocity attack that directly disrupts the early denoising dynamics of the model. Second, to ensure the attack generalizes across unpredictable user actions, we formulate a trajectory-adaptive bi-level optimization that actively mines hard control sequences to forge control-agnostic perturbations. Evaluated on representative VWMs with continuous and discrete controls, BadWorld exposes severe structural fragility. Visually indistinguishable adversarial images reliably trigger catastrophic degradation in future rollouts, leading to incomplete denoising, structural collapse, and control inconsistency. These findings reveal critical risks for deploying VWMs in safety-critical systems while highlighting a practical mechanism for privacy protection.","upvotes":14,"discussionId":"6a30bfbfa0d4daae4285feda","projectPage":"https://linghuiishen.github.io/BadWorld/","githubRepo":"https://github.com/LinghuiiShen/BadWorld","githubRepoAddedBy":"user","ai_summary":"BadWorld is a label-free adversarial framework that reveals structural vulnerabilities in visual world models by generating imperceptible perturbations that cause catastrophic failures in future rollouts.","ai_keywords":["visual world models","adversarial perturbations","autoregressive models","self-supervised velocity attack","trajectory-adaptive bi-level optimization","control-agnostic perturbations","future rollouts","denoising dynamics","structural fragility"],"ai_summary_model":"Qwen/Qwen2.5-Coder-32B-Instruct","githubStars":3,"organization":{"_id":"646ecc368d316fde87b3b6e3","name":"PolyUHK","fullname":"The Hong Kong Polytechnic University","avatar":"https://cdn-avatars.huggingface.co/v1/production/uploads/646ecbc0cbb7bb996513e298/Akb4zKqIP9kb9PQoUPUmj.jpeg"}},"canReadDatabase":false,"canManagePapers":false,"canSubmit":false,"hasHfLevelAccess":false,"upvoted":false,"upvoters":[{"_id":"634cfebc350bcee9bed20a4d","avatarUrl":"https://cdn-avatars.huggingface.co/v1/production/uploads/634cfebc350bcee9bed20a4d/fN47nN5rhw-HJaFLBZWQy.png","isPro":false,"fullname":"Xingyi Yang","user":"adamdad","type":"user"},{"_id":"687912c6333c3bc283c92840","avatarUrl":"https://cdn-avatars.huggingface.co/v1/production/uploads/no-auth/2liMvKYwnE2xNGmpE_GwW.png","isPro":false,"fullname":"Shen Linghui","user":"Alsaaaaaaa","type":"user"},{"_id":"6944c67d110eda2bef24aeda","avatarUrl":"/avatars/387da224b2045bc6dc36fee35ee5c533.svg","isPro":false,"fullname":"Seo","user":"hyeeeee","type":"user"},{"_id":"6944ceba6bedf03d6bf9b9db","avatarUrl":"/avatars/391e917b872b6a811b97a0abf810da82.svg","isPro":false,"fullname":"Dan Zhen","user":"DanZhen","type":"user"},{"_id":"6039478ab3ecf716b1a5fd4d","avatarUrl":"https://cdn-avatars.huggingface.co/v1/production/uploads/6039478ab3ecf716b1a5fd4d/_Thy4E7taiSYBLKxEKJbT.jpeg","isPro":true,"fullname":"taesiri","user":"taesiri","type":"user"},{"_id":"68c98942b3ce15f74bedde2e","avatarUrl":"/avatars/3e575e9b8c2655ba011915983e9f6bab.svg","isPro":false,"fullname":"CUI","user":"Mirror3050","type":"user"},{"_id":"6944c26b5fa5a3b25029768f","avatarUrl":"/avatars/58884ee665e61be7453c336c86c75f35.svg","isPro":false,"fullname":"CUI Mingyue","user":"Mingyueee","type":"user"},{"_id":"694544da318574a19e06312f","avatarUrl":"/avatars/47b40b09a248e0dbce1e7e199500f912.svg","isPro":false,"fullname":"Wei Zhijia","user":"WeiZhijia0123","type":"user"},{"_id":"665ebae8bcbb98f60db0b4b1","avatarUrl":"https://cdn-avatars.huggingface.co/v1/production/uploads/665ebae8bcbb98f60db0b4b1/YTKM4qTZXh_2SeU8U7BfB.webp","isPro":false,"fullname":"Jiale Zhao","user":"Heisenburger2000","type":"user"},{"_id":"668e740f1173ab43d9d9ed5e","avatarUrl":"/avatars/caa9b47c2a5f6d6d679759b8b234a0ab.svg","isPro":false,"fullname":"Zeqing Wang","user":"INV-WZQ","type":"user"},{"_id":"6729d1fed3ec5370cb035901","avatarUrl":"/avatars/50f7ce9c635148df76d1c63ebf3efa38.svg","isPro":false,"fullname":"1","user":"DANNY621","type":"user"},{"_id":"69f818fdae61c8cd1c45cc5d","avatarUrl":"/avatars/8c26efac765c159d9630d737baab724d.svg","isPro":false,"fullname":"sightact-bench","user":"sightact-bench","type":"user"}],"acceptLanguages":["en"],"dailyPaperRank":0,"organization":{"_id":"646ecc368d316fde87b3b6e3","name":"PolyUHK","fullname":"The Hong Kong Polytechnic University","avatar":"https://cdn-avatars.huggingface.co/v1/production/uploads/646ecbc0cbb7bb996513e298/Akb4zKqIP9kb9PQoUPUmj.jpeg"},"markdownContentUrl":"https://huggingface.co/buckets/huggingchat/papers-content/resolve/2606/2606.16519.md","query":{}}">
BadWorld: Adversarial Attacks on World Models
Abstract
BadWorld is a label-free adversarial framework that reveals structural vulnerabilities in visual world models by generating imperceptible perturbations that cause catastrophic failures in future rollouts.
Visual world models (VWMs) synthesize interactive, action-conditioned rollouts from a single context image. However, it remains an open question how robust these models are to adversarial perturbations. Standard adversarial attacks fail to assess this vulnerability because attackers lack ground-truth future videos and cannot predict subsequent user controls. We introduce BadWorld, a label-free adversarial framework tailored for autoregressive VWMs that systematically overcomes both constraints. First, to bypass the need for future supervision, we propose a self-supervised velocity attack that directly disrupts the early denoising dynamics of the model. Second, to ensure the attack generalizes across unpredictable user actions, we formulate a trajectory-adaptive bi-level optimization that actively mines hard control sequences to forge control-agnostic perturbations. Evaluated on representative VWMs with continuous and discrete controls, BadWorld exposes severe structural fragility. Visually indistinguishable adversarial images reliably trigger catastrophic degradation in future rollouts, leading to incomplete denoising, structural collapse, and control inconsistency. These findings reveal critical risks for deploying VWMs in safety-critical systems while highlighting a practical mechanism for privacy protection.
Community
🚨 We introduce BadWorld, a label-free adversarial attack for visual world models.
Starting from a single perturbed context image 🖼️, BadWorld can break down model's future predictions, even under user controls it has never seen before 🎮.
This exposes serious robustness risks in today’s visual world models.
Upload images, audio, and videos by dragging in the text input, pasting, or clicking here.
Tap or paste here to upload images
Cite arxiv.org/abs/2606.16519 in a model README.md to link it from this page.
Cite arxiv.org/abs/2606.16519 in a dataset README.md to link it from this page.
Cite arxiv.org/abs/2606.16519 in a Space README.md to link it from this page.
Discussion (0)
Sign in to join the discussion. Free account, 30 seconds — email code or GitHub.
Sign in →No comments yet. Sign in and be the first to say something.