Skip to content
AID-2013-0001August 16, 2013critical

Everbright Securities Arbitrage System Runaway Orders with Undisclosed Insider Hedge Cover Trade

Everbright Securities' arbitrage system generated 23.4 billion yuan in erroneous buy orders with no enforcement ceiling, and the desk then executed a massive insider hedge before disclosing the error to the market.

Runaway executionFail-closed limitsDeny-by-defaultHigh-risk approval gate

What happened

On August 16, 2013, a fault in China Everbright Securities' arbitrage system generated approximately 23.4 billion yuan in erroneous buy orders, of which roughly 7.27 billion yuan filled, spiking the Shanghai Composite by about 6 percent. The arbitrage system had no notional ceiling to prevent runaway orders, allowing the stream to execute on the agent's sole authority. Before disclosing the error to the market, Everbright's hedging desk executed large short positions in ETFs and index futures on the basis of this material non-public information, with no independent approval gate between the decision and execution. The CSRC subsequently fined the firm 523 million yuan for insider trading and imposed lifetime market bans on the individuals involved.

What the agent did

The arbitrage agent placed live buy orders whose aggregate notional ran to 23.4 billion yuan, orders of magnitude beyond intent, with no enforcement ceiling and no approval gate. Subsequently, the hedging agent executed large hedging trades (short positions in ETFs and index futures) on non-public information without independent authorization.

The irreversible effect

Approximately 7.27 billion yuan of erroneous buy orders filled, causing a 6% spike in the Shanghai Composite; the insider hedge locked in positions and trading gains based on undisclosed information; the firm incurred a 523 million yuan regulatory fine; and individuals received lifetime bans from the market.

Root cause

The arbitrage system lacked per-invocation limits and any enforcement ceiling on order submission, allowing unbounded execution on the agent's authority alone. The hedging system lacked an independent approval gate for high-risk trades executed on material non-public information, permitting the cover trade to proceed without segregation of duties or external authorization.

How a maker-checker control would have refused it

MakerChecker would refuse the 23.4 billion yuan order submission with "limit_violation" (exceeds the per-invocation maxAmountPerInvocation limit of 1 billion yuan on the capped submission skill). Any attempt to bypass via an uncapped skill would be refused with "skill_not_granted" (the uncapped release skill is not granted to the arbitrage role). The subsequent hedge submission would be refused with "high_risk_requires_gate" (the hedge-submit skill is published as high-risk and cannot run through the proxy; it must execute inside a governed flow with a preceding independent approval gate).

Runnable reproduction

This incident ships as a runnable scenario in the open-source repository. Point the enforcement engine at the policy and watch the action get refused, with the refusal written to a signed audit record.

examples/everbright-securities-runaway-orders-and-insider-hedge

View the reproduction on GitHub →

Accuracy and corrections

This entry describes a publicly reported incident and is compiled from the primary sources listed above. Where an account is a legal allegation rather than an established finding, the entry labels it as such. Summaries can still contain errors. If you can document a correction, email hello@makerchecker.ai and we will review and correct it, with the change noted, within 14 days.

See it for yourself

Reading is one thing. Watch it block an agent.

One command starts the demo: an agent stopped from signing off its own work, and the signed evidence file an inspector can check for themselves.

Designed against the rules your auditors already enforce.