Penny Wise, Pixel Foolish: Bypassing Price Constraints in Multimodal Agents via Visual Adversarial Perturbations
For developers of multimodal agents that handle financial transactions, this paper shows that adversarial perturbations in a screenshot can override the textual price constraint an agent was given and drive it to an irrational purchase. The strongest results are white-box and come from a controlled, screenshot-based evaluation; the transfer results against commercial models are lower and use a simplified protocol, so practical exposure depends on attacker access and deployment conditions.
The paper identifies Visual Dominance Hallucination (VDH) in MLLMs, where adversarial visual perturbations override textual price constraints, and proposes PriceBlind, a white-box attack that reaches roughly 80% attack success rate (ASR) on E-ShopBench. Under a simplified single-turn coordinate-selection protocol, Ensemble-DI-FGSM transfer attacks reach 35-41% ASR against GPT-4o, Gemini-1.5-Pro and Claude-3.5-Sonnet; robust encoders and a Verify-then-Act defense reduce ASR substantially at some cost in clean accuracy.
The rapid proliferation of Multimodal Large Language Models (MLLMs) has enabled mobile agents to execute high-stakes financial transactions, but their adversarial robustness remains underexplored. We identify Visual Dominance Hallucination (VDH), where imperceptible visual cues can override textual price evidence in screenshot-based, price-constrained settings and lead agents to irrational decisions. We propose PriceBlind, a stealthy white-box adversarial attack framework for controlled screenshot-based evaluation. PriceBlind exploits the modality gap in CLIP-based encoders via a Semantic-Decoupling Loss that aligns the image embedding with low-cost, value-associated anchors while preserving pixel-level fidelity. On E-ShopBench, PriceBlind achieves around 80% ASR in white-box evaluation; under a simplified single-turn coordinate-selection protocol, Ensemble-DI-FGSM transfers with roughly 35-41% ASR across GPT-4o, Gemini-1.5-Pro, and Claude-3.5-Sonnet. We also show that robust encoders and Verify-then-Act defenses reduce ASR substantially, though with some clean-accuracy trade-off.
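As an added illustration (not code from the paper and not the authors' PriceBlind implementation), the toy below shows the mechanism the abstract describes end to end: a sign-gradient attack under an L_inf pixel budget that pulls a CLIP-like image embedding toward a low-cost anchor, a naive agent that trusts only the visual pathway and is therefore fooled, and a Verify-then-Act check that cross-checks the textual price before acting. The encoder weights, anchors, prices, screenshot pixels, the loss form (1 - cosine to the anchor, a stand-in for the paper's Semantic-Decoupling Loss) and the function names are all constructed assumptions for this example.

```python
import math
import re

# Toy stand-in for a CLIP-style image encoder: a fixed linear map followed by
# L2 normalisation. Weights are constructed for this example, not learned.
W = [
    [0.9, 0.7, 0.8, 0.6, 0.1, 0.2, 0.1, 0.0],   # features that read as "expensive"
    [0.1, 0.2, 0.0, 0.3, 0.8, 0.9, 0.7, 0.6],   # features that read as "cheap"
]

# Value-associated anchors in embedding space (assumed unit vectors) and the
# price the visual pathway associates with each anchor (constructed values).
ANCHORS = {"expensive": [1.0, 0.0], "cheap": [0.0, 1.0]}
ANCHOR_PRICE = {"expensive": 129.99, "cheap": 19.99}

# Constructed "screenshot": eight pixel intensities in [0, 1].
CLEAN = [0.7, 0.6, 0.7, 0.5, 0.4, 0.3, 0.5, 0.4]


def encode(pixels):
    """Project pixels through W and L2-normalise, like a CLIP image embedding."""
    raw = [sum(w * p for w, p in zip(row, pixels)) for row in W]
    norm = math.sqrt(sum(v * v for v in raw)) or 1e-12
    return [v / norm for v in raw]


def cosine(a, b):
    return sum(x * y for x, y in zip(a, b))  # both inputs are unit vectors


def visual_price(pixels):
    """Price the visual pathway 'sees': the anchor nearest the image embedding."""
    emb = encode(pixels)
    label = max(ANCHORS, key=lambda k: cosine(emb, ANCHORS[k]))
    return ANCHOR_PRICE[label]


def semantic_decoupling_attack(pixels, target="cheap", eps=0.2, alpha=0.05, steps=10):
    """Sign-gradient (PGD/FGSM-style) attack: maximise cosine similarity between
    the image embedding and the low-cost anchor while keeping every pixel within
    +/-eps of the original (the pixel-fidelity constraint). Gradients are
    central finite differences; the loss is an assumed simplification."""
    anchor = ANCHORS[target]
    adv = list(pixels)
    h = 1e-4
    for _ in range(steps):
        grads = []
        for j in range(len(adv)):
            up, down = list(adv), list(adv)
            up[j] += h
            down[j] -= h
            grads.append((cosine(encode(up), anchor) - cosine(encode(down), anchor)) / (2 * h))
        for j, g in enumerate(grads):
            step = alpha if g > 0 else -alpha if g < 0 else 0.0
            new = adv[j] + step
            new = min(max(new, pixels[j] - eps), pixels[j] + eps)  # L_inf budget
            adv[j] = min(max(new, 0.0), 1.0)                        # valid pixel range
    return adv


def linf(a, b):
    return max(abs(x - y) for x, y in zip(a, b))


def naive_agent(pixels, budget):
    """Trusts the visual pathway alone: this is the pathway VDH subverts."""
    return "buy" if visual_price(pixels) <= budget else "abstain"


def parse_text_price(text):
    """Read the price from textual evidence (a DOM/OCR string, constructed here)."""
    m = re.search(r"\$\s*(\d+(?:\.\d{1,2})?)", text)
    return float(m.group(1)) if m else None


def verify_then_act(pixels, text, budget, tolerance=0.01):
    """Verify-then-Act: act only if the textual price is parseable, agrees with
    the visual estimate, and satisfies the budget constraint; otherwise abstain."""
    textual = parse_text_price(text)
    if textual is None or abs(textual - visual_price(pixels)) > tolerance:
        return "abstain"
    return "buy" if textual <= budget else "abstain"


if __name__ == "__main__":
    adv = semantic_decoupling_attack(CLEAN)
    print("clean:", visual_price(CLEAN), naive_agent(CLEAN, 50.0))
    print("adv  :", visual_price(adv), naive_agent(adv, 50.0), "L_inf =", round(linf(CLEAN, adv), 3))
    print("verify-then-act on adv:", verify_then_act(adv, "Price: $129.99", 50.0))
```

With the constructed weights the clean screenshot embeds nearest the "expensive" anchor, so the naive agent correctly abstains on a 50.00 budget; after the attack every pixel has moved by at most 0.2 yet the embedding flips to the "cheap" anchor and the naive agent buys. Verify-then-Act abstains because the textual price disagrees with the visual estimate, which is the cross-modal consistency check the abstract credits with reducing ASR; note that it also abstains on any screen whose price text fails to parse, which is where the clean-accuracy trade-off comes from.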