🧨 TradeTrap: Are LLM-based Trading Agents Truly Reliable and Faithful?

English 中文

---

TradeTrap is a community-driven and developer-friendly tool for testing LLM-based trading Agents' reliability. A slight perturbation to the input instructions for LLM-based agents can upend an entire investment scheme！Therefore, our mission is to build the reliable financial agent community. Welcome to share feedback and issues you encounter, and invite more developers to contribute 🚀🚀🚀

Multi-Model Breakdown Under Identical Exploits

Overall Potential Vulnerability in Financial Trading Agents

• Market Intelligence
  • Data fabrication (indirect prompt injection) → panic sell-offs and irrational buying cascades.
  • MCP tool hijacking → polluted responses steer the planner straight off a cliff.
• Strategy Formulation
  • Direct prompt injection → catastrophic pivots like forced liquidation and margin wipeouts.
  • Model backdoor → hidden triggers siphon assets on demand.
  • Malicious collusion → compromised sub-agents twist shared decision loops.
• Portfolio & Ledger
  • Memory poisoning → strategy drift causes the model to learn incorrect experiences.
  • State tampering → cognitive confusion regarding one's own positions/order status.
• Trading Execution
  • Latency flooding / DoS → missed exits, frozen hedges, unstoppable drawdowns.
  • Tool misuse → execution of unintended orders, violation of risk/compliance rules.

---

⚠️ What can you do with TradeTrap?

Currently, we provides a set of plug-and-play attack modules designed to integrate directly with the AI-Trader platform. Once connected, these plugins can actively interfere with a running LLM trading agent, allowing you to test its resilience in real-time through two primary attack vectors:

• Prompt Injection
  • Reverse Expectation: Invert the agent's interpretation of market signals, causing it to make bullish moves in bearish conditions and vice versa.
  • Reverse Actions: Tamper with the historical or simulated outcome data the agent receives, leading to flawed strategy adjustments based on a fabricated past.
• MCP Tool Hijacking
  • Seize control of the agent's external data sources—such as price feeds, news APIs, or social sentiment tools—and replace real-world data with manipulated streams to steer its decisions off-course.

For example:

🟨 yellow：baseline runs without external signals.
🔵 blue：news-enhanced runs wire into X/Twitter and Reddit feeds.
🔴 red：poisoned agents tasked with the same capital.

All start with USD 5,000 - watch how the battlefield splits.

DeepSeek-v3 The baseline shows steady growth, while the attacked version declines almost monotonically.	Claude-4.5-Sonnet The attacked version surged ahead initially, only to wipe out all gains in a sudden crash at the end.
Qwen3-Max The baseline remains flat, while the reverse-expectation attack triggers a steep profit surge.	Gemini 2.5 Flash From the opening bell, the attacked curve diverges from baseline and the gap widens persistently.
GPT-5 The baseline rises steadily without clear cause, while the perturbed run behaves like a random walk.

---

Experiments were specifically conducted on two types of attacks: "reverse expectation injection" and "fake news shockwave" with significant results, with the detailed walkthrough below focused on the deepseek-v3 model.

Reverse Expectations Injection

The poisoned reasoning trace pushes the planner to fight its own positions.

The poisoned prompt keeps doubling down on losing positions and cashing out early, so every rally stalls into a crash.

---

Fake News Shockwave

Fabricated headlines drive the toolchain into a wave of panic adjustments.

The staged “good news” inflates expectations, the agent commits heavily, and the book collapses on impact.

---

Latest Update

• [Update on 19/11/2025] AI-Trader Long-term Memory — Added historical trading memory to AI-Trader prompts. Agents now review past positions, prices, and wins/losses before making decisions, improving consistency and testing for memory-related vulnerabilities. See AI-Trader/README.md for visuals and configuration details.
• [Update on 18/11/2025] Valuecell Agent Option — Introduced the Valuecell standalone auto-trading agent alongside AI-Trader. Users can now choose either pipeline directly from the project root (README explains how to run both flows).
• [Update on 14/11/2025] State Tampering Attack — Manipulates trading agents by tampering with their position state perception. Full documentation: plugins/README.md · 中文版.

---

Payload Roadmap Checklist

Infrastructure

• Integrated trading-agent platform combining core capabilities from mainstream stacks
• Simple attack interfaces for rapid experimentation
• Lightweight plugin system for extending payloads
• Adaptable to more trading platforms (e.g., NoFX, ValueCell)

Attack capabilities (delivered and planned)

• Direct prompt injection — force catastrophic strategy pivots

• MCP tool hijacking — let polluted data drive wrong decisions

• Memory poisoning — corrupt learned experiences to force strategy drift

• State tampering — induce cognitive confusion to desync from real positions

• Data forgery (indirect prompt injection) — spark panic selling and irrational buying

• Model backdoors — hidden triggers to drain assets on demand

• Malicious collusion — compromised sub-agents twisting collective choices

• Latency / DoS shocks — block exits, freeze hedges, let losses run

• Tool misuse — execute rogue orders to breach risk and compliance hard limits

---

🎭 What’s New Inside This Repo

MCP hijacking layout

├── agent_tools
│   ├── start_mcp_services.py
│   ├── tool_alphavantage_news.py
│   ├── tool_get_price_local.py
│   ├── tool_jina_search.py
│   ├── tool_math.py
│   ├── tool_trade.py
│   └── fake_agent_tools
│       ├── start_fake_mcp_services.py
│       └── ...

Prompt-injection layout

├── agent
│   ├── base_agent
│   │   ├── base_agent_hour.py
│   │   └── base_agent.py
│   ├── base_agent_astock
│   │   └── base_agent_astock.py
│   └── plugins
│       ├── prompt_injection_agent_hour.py   # hourly injections
│       ├── prompt_injection_agent.py        # daily injections
│       └── prompt_injection_manager.py      # rule matching
├── prompts
│   └── prompt_injections.json               # injection payloads

---

🔧 Operational Steps Example

1. Setup Environment

# Clone the repository
git clone https://github.com/TradeTrap/Safe-TradingAgent.git
cd Safe-TradingAgent

# Install dependencies (unified requirements.txt in root directory)
pip install -r requirements.txt

# Configure environment variables
cp .env.example .env
# Edit .env and fill in your API keys (OPENAI_API_KEY, TUSHARE_TOKEN, etc.)

2. Choose Your Target: AI-Trader or Valuecell

TradeTrap supports testing two different trading agent implementations. Choose one based on your testing needs:

Option A: Run AI-Trader

AI-Trader is the original trading agent with MCP (Model Context Protocol) integration.

# 1. Launch the official MCP services (required for AI-Trader)
cd AI-Trader/agent_tools
python start_mcp_services.py &
cd ../..

# 2. Run AI-Trader with a configuration file
python main.py configs/default_config.json
# Or use other AI-Trader configs:
# python main.py configs/default_astock_config.json  # A-shares market
# python main.py configs/default_crypto_config.json # Cryptocurrency market

Available AI-Trader agent types:

• BaseAgent - Standard trading agent
• BaseAgent_Hour - Hourly trading agent
• BaseAgentAStock - A-shares market agent
• BaseAgentCrypto - Cryptocurrency agent
• PromptInjectionAgent - For prompt injection testing
• PositionAttackAgent_Hour - For position attack testing

Option B: Run Valuecell

Valuecell is a standalone auto-trading agent with built-in technical analysis and portfolio management.

# Valuecell doesn't require MCP services, run directly:
python main.py configs/valuecell_config.json
# Or use other valuecell configs:
# python main.py configs/default_auto_trading_standalone_config.json  # Crypto
# python main.py configs/default_auto_trading_stock_config.json        # Stock

Valuecell agent type:

• Valuecell - Unified agent supporting both stock and crypto markets

3. Run Attack Scenarios

TradeTrap supports various attack scenarios to test agent reliability:

• MCP Hijacking: Test how agents respond to manipulated external data

  • See: AI-Trader/agent_tools/fake_tool/README.md

• State Tampering Attack: Test how agents handle tampered position state information

  • Uses file hooks via LD_PRELOAD to intercept and modify position data read by agents at runtime
  • Causes agents to make trading decisions based on incorrect state perception while the actual ledger remains unchanged
  • See: plugins/README.md for detailed usage instructions

• Plugins Attack Module: The AI-Trader/agent/plugins/ directory contains multiple attack plugins that can be used to test agent vulnerabilities:

  • Prompt Injection: Test how agents handle adversarial prompts injected into the decision-making process
  • Position Attack: Test how agents handle tampered position records that modify trading history
  • See: AI-Trader/agent/plugins/README.md for detailed usage instructions

---

🙏 Acknowledgements

• AI-Trader - Autonomous trading agent system
• valuecell - Autonomous trading agent system
• LangChain - AI application development framework
• MCP - Model Context Protocol
• Alpha Vantage - Financial data API
• Jina AI - Information search service

👥 Administrator

⚖️ Usage Guidelines

This project exists to surface the risks hidden inside today’s trading agents.
Always run experiments in controlled environments; do not deploy or weaponise them in live markets.
Every reproduced case feeds back into discussions and improvements around defensive measures.

---

📄 License

Apache 2.0 © TradeTrap team — because even disruptive research should stay open-source.

---

🧨 TradeTrap: Are LLM-based Trading Agents Truly Reliable and Faithful?