
Everbright Securities: Runaway Orders and Insider Hedge

Everbright Securities: 23.4bn yuan in erroneous orders, then an insider hedge. How approval gates and segregation of duties address each failure.

The Everbright Securities trading incident of August 2013 produced two distinct governance failures: a runaway algorithmic order stream with no notional ceiling, and a self-approved hedge executed on undisclosed information before the error was made public.

On 16 August 2013 a fault in the trading system at China Everbright Securities generated around 23.4 billion yuan of erroneous buy orders, of which roughly 7.27 billion yuan were filled. The wave of unintended buying pushed the Shanghai Composite Index up about 6 percent in minutes before the firm halted the flow (China Daily).

What followed turned a technology failure into a regulatory case. Before the error was disclosed to the market, Everbright moved to hedge the unwanted long position by shorting index futures and selling exchange-traded funds. It was trading on information the rest of the market did not yet have.

The China Securities Regulatory Commission found that the firm had committed insider trading and imposed a penalty of about 523 million yuan, along with lifetime market bans on the executives involved (CNN Money, South China Morning Post).

What actually failed: the governance gap

There were two separate failures, and they need separate controls.

The first was the runaway order stream. A software fault produced an order volume far beyond any plausible intended size, and nothing in the execution path refused it on principle or paused it for a human before it reached the market. The orders went out, filled, and moved a national index. An irreversible action stream ran with no ceiling and no checkpoint.

The second failure was the cover trade. Once the firm held an accidental position built on information the market had not seen, the same operation that caused the problem was able to execute large hedging trades on that undisclosed information without any independent check. There was no structural separation between the desk that created the exposure and the decision to act on it before disclosure. That is what the regulator treated as insider trading.

These are different problems. The first is about scale and irreversibility. The second is about who is allowed to authorise a consequential trade that carries a conflict. One control does not solve both.

How MakerChecker changes the outcome

MakerChecker governs the actions an automated actor is permitted to take, not the quality of the code behind them. The two failures map onto two distinct control shapes.

For the runaway orders, model order submission as a role-scoped skill granted deny-by-default with a notional cap. Routine arbitrage flow runs on the granted path. An order stream that exceeds the role's approved tier is refused before it reaches the market, and any flow over a defined threshold is held at an approval gate for named human sign-off rather than executing automatically:

role: arbitrage-desk
grants:
  - skill: order.submit
    risk_tier: high
    cap_notional: 500_000_000   # over-cap volume is refused outright
gate:
  threshold_notional: 100_000_000
  approvals_required: 2          # n-of-m named humans

For the cover trade, the relevant control is segregation of duties. Model the large hedge as its own high-risk skill that routes to an approval gate with forbid_requester set. The desk that holds the accidental position can propose a hedge, but it cannot approve its own hedge. An independent party has to sign before the trade runs, which forces the undisclosed-information conflict into the open at the point of decision:

skill: hedge.submit
risk_tier: high
gate:
  approvals_required: 1
  forbid_requester: true         # the proposing desk cannot self-approve

The code scenario for this entry is exactly that split. Arbitrage flow over the role cap is denied, and the same-desk hedge is blocked by forbid_requester and held until an independent approver signs. Every denial, gate request, and signature is written to the tamper-evident, Ed25519-signed, hash-chained audit, which can be verified offline. After the fact, an investigator can see that the desk proposed a large hedge on a position built minutes earlier and that the action waited for an independent sign-off, rather than reconstructing intent from trade logs.
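
The two gates described above, worked through as an added example (Python written for this page, not MakerChecker's code or API). The numbers come from the two configuration fragments; the evaluation rules are assumptions: caps and thresholds apply to a running total per skill, every hedge is gated, and the audit shows only the hash chain, without the Ed25519 signature.

```python
import hashlib, json
from dataclasses import dataclass, field

# Values copied from the two config fragments above; the evaluation
# semantics (running total per skill, distinct approvers) are assumptions.
POLICY = {
    "order.submit": {"cap": 500_000_000, "threshold": 100_000_000,
                     "approvals": 2, "forbid_requester": False},
    "hedge.submit": {"cap": None, "threshold": 0,   # assumed: every hedge is gated
                     "approvals": 1, "forbid_requester": True},
}

@dataclass
class Gatekeeper:
    used: dict = field(default_factory=dict)   # skill -> notional already allowed
    audit: list = field(default_factory=list)  # hash-chained decision records

    def decide(self, skill, requester, notional, approvers=()):
        rule = POLICY.get(skill)
        total = self.used.get(skill, 0) + notional
        signers = set(approvers)                # duplicates count once
        if rule and rule["forbid_requester"]:
            signers.discard(requester)          # self-approval never counts
        if rule is None:
            verdict = "deny"                    # deny by default: no grant
        elif rule["cap"] is not None and total > rule["cap"]:
            verdict = "deny"                    # over cap: refused outright
        elif total > rule["threshold"] and len(signers) < rule["approvals"]:
            verdict = "hold"                    # waits for named humans
        else:
            verdict = "allow"
            self.used[skill] = total            # only allowed flow consumes the cap
        self._record(skill, requester, notional, sorted(signers), verdict)
        return verdict

    def _record(self, *fields):
        # Each record commits to the previous record's hash.
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        body = json.dumps([prev, *fields])
        self.audit.append({"prev": prev, "fields": list(fields),
                           "hash": hashlib.sha256(body.encode()).hexdigest()})

def chain_intact(audit):
    """Recompute every link; an edited or removed record breaks the chain."""
    prev = "0" * 64
    for rec in audit:
        body = json.dumps([prev, *rec["fields"]])
        if rec["prev"] != prev or rec["hash"] != hashlib.sha256(body.encode()).hexdigest():
            return False
        prev = rec["hash"]
    return True
```

Because the running total only grows on an allowed action, a stream of individually small orders still hits the gate and then the cap, which is the runaway case rather than the single oversized order.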

What MakerChecker would not fix

MakerChecker would not have fixed the software defect that generated the erroneous orders in the first place. It is not a trading risk engine and does not validate the logic of an arbitrage system or check that an order matches intent. The fault that produced 23.4 billion yuan of orders is an engineering problem, and MakerChecker does not repair faulty code.

It also does not decide whether trading on the undisclosed error was lawful. That judgement stays with the humans in the approval path. An approval gate forces a named, independent party to authorise the hedge and creates a signed record of who decided what and when. If that approver chooses to sign off on a trade that should not happen, the harm can still occur. What changes is that the decision is no longer made unilaterally by the conflicted desk, and the evidence of who authorised it exists. The control supplies separation and a record, not a verdict on whether the trade was right.

See the configuration: examples/rogue-ai/everbright-securities-runaway-orders-and-insider-hedge

Frequently asked

What happened in the Everbright Securities trading incident?
On 16 August 2013 a software fault in Everbright Securities generated around 23.4 billion yuan of erroneous buy orders, of which roughly 7.27 billion yuan were filled, pushing the Shanghai Composite Index up about 6 percent in minutes. Before disclosing the error, the firm shorted index futures and sold ETFs to hedge the accidental position, trading on information the market did not yet have. China's securities regulator fined the firm approximately 523 million yuan and imposed lifetime market bans on the executives involved.

What governance controls would have prevented the Everbright Securities incident?
Two separate controls address the two separate failures. A notional cap with an approval gate on the order submission role would have refused or paused the runaway order stream before it reached the market. A segregation-of-duties rule with forbid_requester on the hedge skill would have prevented the conflicted desk from self-approving the cover trade and forced an independent sign-off before execution.

Why is Everbright Securities relevant to AI agent governance?
The same control gaps that allowed a 2013 trading system to send unchecked orders and execute a self-approved cover trade apply directly to autonomous AI agents. Agents that can submit high-volume actions without a notional ceiling, or approve their own consequential decisions, carry the same structural risk. Role-scoped skills, approval gates, and segregation of duties are the controls that close both gaps.
