Table of Contents
Fetching ...

FinVault: Benchmarking Financial Agent Safety in Execution-Grounded Environments

Zhi Yang, Runguo Li, Qiqi Qiang, Jiashun Wang, Fangqi Lou, Mengping Li, Dongpo Cheng, Rui Xu, Heng Lian, Shuo Zhang, Xiaolong Liang, Xiaoming Huang, Zheng Wei, Zhaowei Liu, Xin Guo, Huacan Wang, Ronghao Chen, Liwen Zhang

TL;DR

FinVault introduces an execution-grounded benchmark for financial AI agents, bridging the gap between model-level safety and real-world operational risk. It builds 31 regulatory scenarios with state-writable databases and 107 vulnerabilities, yielding 963 test cases (856 attacks, 107 benign) across 8 attack techniques. Experiments across 10 LLMs show high vulnerability, with average attack success rates up to 50% and even the strongest models reaching about 6.7%, highlighting semantic attacks as the dominant threat. Current defense approaches trade off detection rate and false positives and fail to generalize to financial contexts. FinVault thus provides a platform and open-source code to drive development of stronger, finance-specific safety defenses.

Abstract

Financial agents powered by large language models (LLMs) are increasingly deployed for investment analysis, risk assessment, and automated decision-making, where their abilities to plan, invoke tools, and manipulate mutable state introduce new security risks in high-stakes and highly regulated financial environments. However, existing safety evaluations largely focus on language-model-level content compliance or abstract agent settings, failing to capture execution-grounded risks arising from real operational workflows and state-changing actions. To bridge this gap, we propose FinVault, the first execution-grounded security benchmark for financial agents, comprising 31 regulatory case-driven sandbox scenarios with state-writable databases and explicit compliance constraints, together with 107 real-world vulnerabilities and 963 test cases that systematically cover prompt injection, jailbreaking, financially adapted attacks, as well as benign inputs for false-positive evaluation. Experimental results reveal that existing defense mechanisms remain ineffective in realistic financial agent settings, with average attack success rates (ASR) still reaching up to 50.0\% on state-of-the-art models and remaining non-negligible even for the most robust systems (ASR 6.7\%), highlighting the limited transferability of current safety designs and the need for stronger financial-specific defenses. Our code can be found at https://github.com/aifinlab/FinVault.

FinVault: Benchmarking Financial Agent Safety in Execution-Grounded Environments

TL;DR

FinVault introduces an execution-grounded benchmark for financial AI agents, bridging the gap between model-level safety and real-world operational risk. It builds 31 regulatory scenarios with state-writable databases and 107 vulnerabilities, yielding 963 test cases (856 attacks, 107 benign) across 8 attack techniques. Experiments across 10 LLMs show high vulnerability, with average attack success rates up to 50% and even the strongest models reaching about 6.7%, highlighting semantic attacks as the dominant threat. Current defense approaches trade off detection rate and false positives and fail to generalize to financial contexts. FinVault thus provides a platform and open-source code to drive development of stronger, finance-specific safety defenses.

Abstract

Financial agents powered by large language models (LLMs) are increasingly deployed for investment analysis, risk assessment, and automated decision-making, where their abilities to plan, invoke tools, and manipulate mutable state introduce new security risks in high-stakes and highly regulated financial environments. However, existing safety evaluations largely focus on language-model-level content compliance or abstract agent settings, failing to capture execution-grounded risks arising from real operational workflows and state-changing actions. To bridge this gap, we propose FinVault, the first execution-grounded security benchmark for financial agents, comprising 31 regulatory case-driven sandbox scenarios with state-writable databases and explicit compliance constraints, together with 107 real-world vulnerabilities and 963 test cases that systematically cover prompt injection, jailbreaking, financially adapted attacks, as well as benign inputs for false-positive evaluation. Experimental results reveal that existing defense mechanisms remain ineffective in realistic financial agent settings, with average attack success rates (ASR) still reaching up to 50.0\% on state-of-the-art models and remaining non-negligible even for the most robust systems (ASR 6.7\%), highlighting the limited transferability of current safety designs and the need for stronger financial-specific defenses. Our code can be found at https://github.com/aifinlab/FinVault.
Paper Structure (47 sections, 5 equations, 3 figures, 11 tables)

This paper contains 47 sections, 5 equations, 3 figures, 11 tables.

Figures (3)

  • Figure 1: Comparison between FinVault and existing paradigms: (a) Previous financial LLM evaluations: primarily focus on the model level, overlooking systemic execution risks arising from agent behavior. (b) General agent evaluations: confined to simulated environments with abstract interfaces and lacking persistent state changes. (c) FinVault : establishes the first execution-grounded financial security benchmark, featuring executable environments with state-writable databases to ensure verifiable consequences.
  • Figure 2: Overview of FinVault. The left panel illustrates the benchmark data construction, while the right panel depicts agent attack and defense interactions within a sandboxed execution environment.
  • Figure 3: Comparison of Average Attack Success Rate (ASR) and Vulnerability Compromise Rate (Vuln.Rate) across different LLMs. Models are sorted by Average ASR in descending order.

Theorems & Definitions (5)

  • Definition 1: Financial Agent Environment
  • Definition 2: Attack Success
  • Definition 3: Attack Success Rate
  • Definition 4: Defense Detector
  • Definition 5: Detection Performance Metrics