- The paper presents AutoRedTrader, a framework that autonomously injects synthetic, finance-specific misinformation to reveal vulnerabilities in LLM-based trading agents.
- The paper develops a compositional attack pipeline using cognitive biases, minor semantic perturbations, and style-controlled rewriting to systematically manipulate agent decisions.
- The evaluation shows that even advanced agents with grounding are susceptible to attacks, with a success rate up to 26.67%, highlighting the need for robust defenses.
Problem Setting and Motivation
The proliferation of LLM-based financial agents—models that make sequential trading and prediction decisions by integrating both structured market data and unstructured textual signals—introduces a novel, systemic vulnerability. Unlike overtly false or fabricated content, most harmful financial misinformation manifests as subtle perturbations in authentic-looking news, sentiment nuances, or framing shifts. This subtlety complicates detection, with small shifts in textual inputs causing non-localized, long-horizon drifts in agent policy—potentially impacting trading returns, risk assessment, and position management without crossing explicit semantic boundaries.
Existing red-teaming frameworks predominantly focus on safety violations or jailbreak attacks, largely scoped to one-off, context-agnostic prompts, and fail to capture the cumulative, sequential, and often reference-free nature of financial misinformation. Moreover, contemporary agent simulation environments for market AI ignore adversarial robustness, assuming downstream filtering is sufficient despite the absence of defense mechanisms tailored to this subtle class of attacks.
AutoRedTrader Framework
To address these limitations, AutoRedTrader constitutes an autonomous red-teaming pipeline tailored for probing LLM-based financial agents by injecting synthetic, finance-specific misinformation constructed to mimic realistic adversarial threats. The framework comprises several tightly integrated modules:
Simulation and Evaluation Protocol
The evaluation is situated within a POMDP-based agent simulation framework, leveraging the architecture from InvestorBench/FinMem, with modules for structured market perception, layered memory, and sequential action profiles. Trading agents are exposed to both clean and adversarial news retrieval pools, and the simulation environment supports toggling of an additional temporal grounding mechanism: at each step, agents retrieve windowed time-series evidence (e.g., trend, volatility, drawdown metrics) to cross-check textual signals against recent market realities.
Key metrics:
- Misinformation Exposure Rate (MER): Proportion of retrieved documents that are adversarially perturbed.
- Attack Success Rate (ASR): Fraction of agent decisions that differ from the clean baseline when misinformation is injected.
The experimental testbed centers on real-world Bitcoin transaction data, a representative high-volatility asset.
Empirical Results
Comparative Effectiveness
AutoRedTrader unequivocally surpasses general-purpose baselines in terms of attack efficacy:
| Method |
MER (%) |
ASR (%) |
Final CR (%) |
| Base |
— |
— |
+23.50 |
| LIFE |
73.00 |
15.00 |
+39.86 |
| Pliny |
35.00 |
16.67 |
+52.73 |
| AutoRedTeamer |
43.67 |
21.67 |
+44.18 |
| AutoRedTrader |
69.00 |
26.67 |
+22.27 |
| AutoRedTrader+Ground |
41.66 |
18.33 |
+32.26 |
AutoRedTrader achieves an ASR of 26.67%—a strong result, with most baselines lagging by 5–10 points—despite a slightly lower MER than LIFE, underscoring that surface retrieval is insufficient without attack salience aligned to agent vulnerability. The simulated agent’s cumulative return (CR) is negatively impacted by misinformation, further validating the impact of these subtle interventions.
The inclusion of time-series-informed grounding (structured historical context) reduces both MER and ASR substantially (to 41.66% and 18.33%, respectively), indicating that robust market evidence mitigates susceptibility to misleading textual perturbations.
Ablation Analysis
Ablation studies confirm the necessity of each module:
- Without Filtering: ASR degrades (18.33%) and CR notably rises (+34.61%), showing that only high-quality, hard-to-detect misinformation is effective.
- Without Feedback: ASR and MER both drop, underlining the advantage of adaptively targeting agent-specific weaknesses.
- Exclusion of Bias, Minor, or Rewrite Steps: Each omission results in a material reduction in attack strength, demonstrating that the theoretical decomposition yields complementary gains; for example, excluding Minor drops MER to 58.33%, verifying the retrieval-anchoring property of fine-grained finance-specific edits.
Theoretical and Practical Implications
Theoretical Impact:
The compositional attack formulation, rooted in behavioral finance, reflects a shift from generic adversarial example crafting to highly structured, policy-shaping interventions—probing not only surface-level model behavior but the trajectory of multi-step, memory-driven decision-making in complex agentic systems. The framework’s feedback mechanism operationalizes a sequential, environment-aware adversarial process, raising fundamental questions about the adaptability of agentic LLMs in non-i.i.d. informational environments.
Practical Impact:
The findings decisively demonstrate that retrieval-based financial agents, even those with sophisticated memory and grounding architectures, remain highly vulnerable to low-level misinformation perturbations—threats that current safety and red-teaming protocols do not address. The grounding module’s partial mitigation effect suggests a path toward improved system design: integrating structured numerical evidence as a "reality anchor" beneath textual signals for robust financial reasoning.
Limitations and Future Directions
The study’s scope is confined to simulated environments and English-language news; real-world deployment would require adaptation for multilingual or multimodal misinformation vectors, as well as an evaluation on actual live trading agents. The focus remains on textual attacks—future work should extend the red-teaming paradigm to multimodal sources (e.g., charts, social media, audio transcripts) and coordinated campaigns. Finally, balancing robustness gains with the preservation of agent flexibility and genuine discovery from news remains an open challenge.
Conclusion
AutoRedTrader introduces a rigorous, adaptive, and domain-specific framework for evaluating and stress-testing the adversarial robustness of LLM-based financial agents. Through finance-theory-driven perturbation operators, online feedback loops, and quality filtering, it generates realistic and effective misinformation, exposing meaningful vulnerabilities in retrieval-based agent pipelines. Empirical results on market data confirm that existing financial agents can be decisively manipulated by subtle, hard-to-detect information drift—a risk only partially mitigated by time-series-informed grounding. This work establishes a benchmark and methodological blueprint for future defenses and robustness evaluations in agentic finance AI.