Execution Is the New Attack Surface: Survivability-Aware Agentic Crypto Trading with OpenClaw-Style Local Executors

📝 Paper Summary

AI Safety for Agents Agentic Crypto Trading Execution Control

Survivability-Aware Execution (SAE) is a middleware layer that enforces non-bypassable safety constraints and exposure budgets on agentic trading systems to prevent execution-induced losses from untrusted intents or compromised skills.

Core Problem

In agentic trading, LLM 'wrong answers' or compromised third-party skills translate directly into irreversible financial losses (execution-induced loss), yet most systems lack explicit execution-layer safety boundaries.

Why it matters:

Real-world side effects are monetized in finance; a single hallucinated or injected command can liquidate an account
The rise of skill marketplaces (e.g., skills.sh) creates a capability supply chain where malware or malicious instructions can be imported directly into privileged agents
Existing OMS (Order Management Systems) focus on static compliance, lacking the context-aware, trust-conditioned tightening needed for non-deterministic AI agents

Concrete Example: A trading agent using an imported skill might be tricked by a prompt injection to request 50x leverage on a volatile asset. Without SAE, this executes and likely leads to liquidation. With SAE, the request is intercepted and projected (clamped) to a safe limit (e.g., 2x) defined in the Intended Policy Spec.

Key Novelty

Survivability-Aware Execution (SAE) Middleware

Treats all upstream agent outputs (from LLMs or skills) as 'untrusted intent' rather than executable commands
Interposes a strict execution contract between the strategy and the exchange that enforces hard budgets (Projection-based Exposure Budgeting) and allows/denies actions based on a measurable 'Delegation Gap'
Dynamically tightens constraints based on a 'trust state' (provenance of skills, injection alerts) and market regimes

Evaluation Highlights

Reduces Maximum Drawdown (MDD) by 93.1% (from 46.43% to 3.19%) in a Binance USD-M replay relative to a NoSAE baseline
Shrinks tail-risk magnitude (CVaR 0.99) by ~97.5%, effectively neutralizing catastrophic execution failures during stress periods
Reduces Delegation Gap (DG) loss proxy from 0.647 to 0.019 (~97% reduction) while maintaining zero False Block rate in the reported run

Breakthrough Assessment

8/10

Addresses a critical, under-explored safety gap in autonomous agents (execution vs. intent). The shift from 'safety as alignment' to 'safety as execution boundaries' is highly relevant for production deployment.

⚙️ Technical Details

Problem Definition

Setting: Agentic execution under capability supply-chain risk

Inputs: Untrusted intent (action type, symbol, requested params) from Strategy Engine, Market State, Account State

Outputs: ExecutionDecision (ALLOW, LIMIT, BLOCK) and executed action a_t

Pipeline Flow

Strategy Engine (LLM/Algo) -> ExecutionRequest
SAE Middleware (Validation -> Budget Projection -> Trust Gating)
Exchange Executor -> Order Submission

System Modules

Strategy Engine

Generates trading intent based on market data

Model or implementation: Strategy-agnostic (LLM or heuristic)

SAE Middleware

Intercepts request, validates against Intended Policy Spec, applies projection-based budgeting

Model or implementation: Algorithmic Policy Gate (Code-level policies)

Exchange Executor

Submits final approved/modified orders to the exchange

Model or implementation: API Client

Novel Architectural Elements

Explicit decoupling of 'Intent' (Strategy output) and 'Action' (Exchange input) via a parameterized middleware layer
Integration of 'Trust State' (z_t) into execution budgets, allowing dynamic tightening of limits for unverified third-party skills

Modeling

Base Model: Strategy-agnostic (SAE is a middleware contract, not a specific LLM)

Comparison to Prior Work

vs. Traditional OMS: SAE adds 'Trust State' context and 'Intended Policy Spec' to handle non-deterministic agent behavior and supply chain risks, whereas OMS assumes trusted inputs
vs. Constrained Trade Execution: SAE specifically targets the 'Delegation Gap' in agentic systems where language intent must be translated to privileged action [not cited in paper]

Limitations

Relies on the quality of the 'Intended Policy Spec'—if the spec is too loose, SAE cannot prevent loss
Latency overhead introduced by the middleware layer (though typically minimal for 15m candle strategies)
Optimization is non-convex and non-differentiable, requiring black-box search which may not find global optima

Reproducibility

Implemented in released code (URL not explicitly in snippet). Evaluated on reproducible offline replay using official Binance USD-M BTCUSDT/ETHUSDT perpetual data (15m candles; 2025-09-01–2025-12-01). Metrics like Delegation Gap are formally defined to be reproducible.

📊 Experiments & Results

Evaluation Setup

Offline replay of crypto perpetual trading with attack instrumentation

Benchmarks:

Binance USD-M Replay (Crypto Perpetual Trading (BTCUSDT, ETHUSDT)) [New]

Metrics:

Maximum Drawdown (MDD)
CVaR 0.99 (Tail Loss)
Delegation Gap (DG) Loss
Attack Success (AS)
False Block (FB)
Statistical methodology: Dependence-aware tests (block bootstrap, paired Wilcoxon, two-proportion test)

Key Results

Benchmark	Metric	Baseline	This Paper	Δ
Binance USD-M Replay	Maximum Drawdown (MDD)	0.4643	0.0319	-0.4324
Binance USD-M Replay	CVaR 0.99 (Tail Loss)	0.004025	0.000102	-0.003923
Binance USD-M Replay	Delegation Gap (DG) Loss Proxy	0.647	0.019	-0.628
Binance USD-M Replay	Attack Success (AS)	1.00	0.728	-0.272

Main Takeaways

SAE effectively converts 'wrong answers' (or attacks) from catastrophic failures into bounded, manageable errors via projection and clamping.
The approach is statistically robust, significantly reducing tail risks (CVaR) without requiring changes to the upstream strategy model.
By operationalizing the Delegation Gap, the system makes the safety of third-party skills empirically testable.

📚 Prerequisite Knowledge

Prerequisites

Understanding of agentic tool-use patterns (OpenClaw style)
Financial risk metrics (Drawdown, CVaR)
Crypto perpetual trading mechanics (funding fees, margin)

Key Terms

OpenClaw: An agent stack architecture that separates tool sandboxing from host execution and defines explicit tool policies

SAE: Survivability-Aware Execution—the proposed middleware standard that intercepts and sanitizes agent actions before they reach the exchange

Delegation Gap (DG): The expected loss introduced by actions that are executable but outside the operator's Intended Policy Spec (e.g., due to attacks or bugs)

CVaR: Conditional Value at Risk (Expected Shortfall)—a risk metric quantifying the average loss in the worst-case tail of the distribution

skills.sh: A marketplace and ecosystem for installable AI agent capabilities/skills, representing a supply-chain risk vector

Intended Policy Spec: A structured specification defining authorized tools, hard exposure caps, and state-triggered tightening rules

USD-M: USD-Margined futures contracts (standard in crypto trading)

Projection-based Budgeting: A mathematical operation that maps a requested unsafe action vector (high leverage) to the nearest safe action vector within the feasible region