Execution Is the New Attack Surface: Survivability-Aware Agentic Crypto Trading with OpenClaw-Style Local Executors

This paper proposes Survivability-Aware Execution (SAE), a middleware framework for OpenClaw-style agentic crypto trading systems that enforces non-bypassable invariants like exposure budgets and order-rate limits to mitigate execution-induced losses from untrusted prompts or compromised skills, demonstrating significant reductions in maximum drawdown and risk metrics through offline replay testing.

The Gist

Imagine you've built a brilliant, super-smart robot chef (an AI Agent) that can cook any dish you want. You tell it, "Make me a spicy pasta," and it goes to work.

In the old days, the biggest risk was that the robot might misunderstand you and serve you a bowl of sand instead of pasta. But in the new world of Agentic Crypto Trading, the robot doesn't just talk; it has a direct line to your bank account and can execute trades instantly.

The problem? The robot is no longer just a chef; it's a driver with the keys to your car, and it's taking orders from strangers on the internet.

Here is the paper explained in simple terms, using a few creative analogies.

1. The New Danger: "The Open Door"

Imagine your robot chef has a "Skill Marketplace" (like an app store). You can download new skills: "Make Spicy Pasta," "Order Pizza," or "Invest in Crypto."

• The Risk: A hacker creates a fake skill called "Make Spicy Pasta" that actually says, "Sell all your assets and buy a meme coin with 100x leverage."
• The Old Way: We used to hope the robot was smart enough to know that's a bad idea.
• The New Reality: The robot is following instructions. If the instruction says "Go," the robot goes. In crypto, "Go" can mean losing your entire life savings in seconds.

The paper calls this the "Execution Attack Surface." The danger isn't that the AI gives a wrong answer; it's that the AI does the wrong thing because it was tricked into thinking it was allowed to.

2. The Solution: "The Bouncer at the Club" (SAE)

The authors propose a system called SAE (Survivability-Aware Execution).

Think of SAE as a super-strict bouncer standing between your robot chef and the nightclub (the Crypto Exchange).

• The Robot (Strategy): Yells, "I want to buy 500 pizzas!" (High leverage, huge risk).
• The Bouncer (SAE): Checks the ID.
  • "Who told you to do this?" (Is the skill trusted?)
  • "Is the club on fire?" (Is the market volatile?)
  • "Do you have enough money in your wallet?" (Is the risk budget okay?)
• The Decision: The bouncer doesn't just say "No." He says, "Okay, you can buy one pizza, but only if you wait 2 minutes, and you can't spend more than $5."

SAE doesn't try to be smarter than the robot. It just enforces the rules right before the action happens. It treats every instruction as if it came from a stranger until proven otherwise.

3. How It Works (The Three Layers)

The paper describes SAE as having three layers of protection, like a castle:

1. The Moat (Static Rules): "No one can buy more than 3 pizzas at once." (Standard risk limits).
2. The Guard Dog (Trust & Context): "If the person asking is a stranger, or if it's raining outside (market crash), we lower the limit to 1 pizza." The bouncer gets stricter if the situation looks dangerous.
3. The Gatekeeper (The "Delegation Gap"): This is the paper's clever math part. It measures the difference between what you intended to do and what the robot actually tried to do. If the robot tries to do something outside your "Intended Policy" (like using a tool you didn't install), the bouncer blocks it immediately.

4. The Results: "The Safety Net"

The authors tested this system using a simulation of real crypto trading data (Bitcoin and Ethereum) over three months.

• Without the Bouncer (NoSAE): The robot got tricked or made a mistake, and the "drawdown" (loss of money) was huge—about 46% of the portfolio vanished. It was like the robot drove the car off a cliff.
• With the Bouncer (SAE): The robot still tried to drive off the cliff, but the bouncer slammed on the brakes. The loss dropped to just 3%.
• The "Attack Success" Rate: When they tried to hack the system with fake instructions, the bouncer stopped 72% of the attacks. Without the bouncer, 100% of the attacks succeeded.

5. Why This Matters

The paper argues that in the age of AI agents, safety isn't about making the AI smarter; it's about building a better cage.

• Old Safety: "Please don't eat the poison." (Relying on the AI's judgment).
• New Safety (SAE): "Here is a lock on the poison cabinet. Even if the AI begs to open it, the lock won't turn unless the conditions are safe."

The Big Takeaway

In the future, AI agents will be able to spend your money, move your files, and control your devices. We can't trust them to be perfect. Instead, we need to build execution layers—like a bouncer, a seatbelt, or a governor on a car engine—that automatically stop the AI from doing anything catastrophic, no matter what it is told to do.

SAE is that seatbelt for the crypto world. It ensures that even if the AI has a bad day or gets hacked, you don't lose everything.

Technical Summary

Here is a detailed technical summary of the paper "Execution Is the New Attack Surface: Survivability-Aware Agentic Crypto Trading with OpenClaw-Style Local Executors."

1. Problem Statement

The paper addresses a critical shift in AI safety: as Large Language Model (LLM) agents move from generating text to executing real-world actions (specifically in crypto trading), the primary failure mode shifts from "hallucinated answers" to execution-induced loss.

• The New Attack Surface: In "OpenClaw-style" agent stacks, agents use tools and skills (via marketplaces like skills.sh) to interact with external systems. This creates a supply chain risk where untrusted prompts, compromised third-party skills, or narrative manipulation can translate into privileged, irreversible financial actions.
• The Vulnerability: Current agent architectures often lack a "last-mile" safety layer. Strategy engines (LLMs) output intents directly to executors without intermediate validation. In crypto perpetual markets, minor execution errors (e.g., excessive leverage, high slippage, or rapid order flooding) are structurally amplified by margin mechanics and funding rates, leading to catastrophic liquidation.
• The Gap: Existing risk management (like static Order Management System limits) assumes upstream intent is trusted. They fail to account for the "Delegation Gap"—the difference between what an operator intends and what a compromised or misconfigured agent actually executes.

2. Methodology: Survivability-Aware Execution (SAE)

The authors propose SAE, a middleware layer deployed between the strategy engine (LLM or non-LLM) and the exchange executor. SAE treats all upstream outputs as untrusted intent and enforces non-bypassable invariants before any action reaches the exchange.

Core Components

1. Execution Contract (API):

   • ExecutionRequest: The raw intent from the strategy (symbol, leverage, notional, slippage).
   • ExecutionContext: Real-time state including account metrics (equity, margin), market state (volatility, funding), and a Trust State ($z_t$) derived from skill provenance and injection alerts.
   • ExecutionDecision: A deterministic output: ALLOW, LIMIT, or BLOCK, accompanied by enforced constraints.

2. Intended Policy Spec & Delegation Gap (DG):

   • Intent is formalized not as natural language, but as a structured spec $S_t = (T_t, R_t, M_t, U_t)$ covering allowed tools, risk budgets, market-state constraints, and user constraints.
   • Delegation Gap (DG): Defined as the expected loss from actions that are executable but outside the intended scope. SAE operationalizes this by logging out-of-scope attempts and calculating a loss proxy.

3. Enforcement Mechanisms:

   • Projection-Based Enforcement: Instead of simple rejection, SAE projects requested actions into a feasible budget region $F(B_t)$. For example, if an agent requests 5x leverage but the budget allows 1x, the action is clamped to 1x rather than blocked entirely.
   • Trust-Conditioned Tightening: Budgets are dynamically scaled down based on the Trust State ($z_t$). If a skill has low provenance or an injection alert is active, exposure limits are tightened automatically.
   • Temporal Invariants: Cooldowns and order-rate limits prevent high-frequency abuse or "churn" attacks.
   • Slippage Bounds & Staging: Prevents execution at pathological prices by enforcing slippage caps and slicing large orders.

4. Optimization Protocol:

   • The authors use a black-box constrained search to tune SAE hyperparameters (budgets, cooldowns, thresholds).
   • Objective: Minimize tail risk (CVaR) and Delegation Gap loss.
   • Constraints: Maximize survivability while keeping False Blocks (blocking legitimate trades) $\le 20\%$ and Attack Success (successful bypass) $\le 80\%$.

3. Key Contributions

1. Formal Definition of the Delegation Gap (DG): A metric to quantify the loss introduced by actions outside the intended policy scope, enabling reproducible measurement of agent safety.
2. SAE Execution Contract: A standardized, strategy-agnostic middleware interface compatible with OpenClaw-style tool interception and skill ecosystems.
3. Trust-Conditioned Budgeting: A novel mechanism that dynamically adjusts risk exposure based on the provenance of the executing skill and the presence of injection alerts.
4. Reproducible Evaluation Framework: A fully reproducible offline replay system using Binance USD-M perpetual data (BTC/ETH) with injected adversarial attack streams to test robustness.

4. Experimental Results

The system was evaluated on a 3-month Binance USD-M perpetual futures replay (Sept–Dec 2025) involving BTCUSDT and ETHUSDT.

Key Metrics Comparison (SAE "Full" vs. NoSAE):

• Maximum Drawdown (MDD): Reduced from 0.4643 (NoSAE) to 0.0319 (SAE Full), a 93.1% reduction.
• Tail Risk (CVaR 0.99): Reduced magnitude from $4.025 \times 10^{-3}$to$\approx 1.02 \times 10^{-4}$, a ~97.5% reduction.
• Delegation Gap Loss: Reduced from 0.647 to 0.019 (~97% reduction), indicating out-of-scope actions no longer drive losses.
• Attack Success Rate: Reduced from 1.00 to 0.728 (27.2% reduction in successful adversarial bypasses).
• False Blocks: 0.00 in this specific run, demonstrating that safety enforcement did not block legitimate trades.
• Latency: Increased from ~1.3ms to ~10.3ms, a manageable overhead for the safety gains.

Statistical Significance:

• Block bootstrap confidence intervals and paired Wilcoxon tests confirmed that the improvements in returns and risk metrics are statistically significant ($p < 0.05$).
• A two-proportion test confirmed the reduction in AttackSuccess is highly significant ($p = 1.76 \times 10^{-8}$).

5. Significance and Implications

• Paradigm Shift in AI Safety: The paper argues that for agentic systems, safety cannot rely solely on model alignment or prompt engineering. It requires execution-layer contracts that enforce survivability constraints regardless of the upstream intent's quality.
• Supply Chain Security: By treating skill installation as a high-risk supply-chain event, SAE provides a necessary defense against compromised third-party tools, a growing threat in the agent ecosystem.
• Practical Applicability: SAE is designed as a composable middleware that can be deployed in existing trading bots or agent stacks (like OpenClaw) without rewriting the core strategy logic.
• Measurable Robustness: The paper moves agent safety from qualitative claims to quantitative metrics (AttackSuccess, DG Loss, FalseBlock), allowing for rigorous benchmarking of agent safety in financial contexts.

In conclusion, SAE demonstrates that by treating execution as the primary attack surface and enforcing survivability through projection-based budgeting and trust-conditioned tightening, agents can operate in high-risk financial environments with drastically reduced catastrophic failure modes.