MSCR: Exploring the Vulnerability of LLMs' Mathematical Reasoning Abilities Using Multi-Source Candidate Replacement

Zhishen Sun, Guang Dai, Haishan Ye

TL;DR

MSCR addresses the robustness of LLMs' mathematical reasoning by introducing a scalable adversarial attack that constructs multi-source candidate replacements for single input words. By leveraging embedding-space cosine similarity, WordNet synonyms, and a masked language model, MSCR generates high-quality perturbations and tests whether they alter the model's solution to math problems. Experiments on GSM8K and MATH500 across 12 open-source LLMs and two commercial models show substantial accuracy drops from minimal perturbations, plus longer and more resource-intensive reasoning in attacked outputs. The findings reveal systemic robustness gaps and efficiency bottlenecks in current LLMs, motivating development of defenses and more robust reasoning mechanisms.

Abstract

LLMs demonstrate performance comparable to human abilities in complex tasks such as mathematical reasoning, but their robustness in mathematical reasoning under minor input perturbations still lacks systematic investigation. Existing methods generally suffer from limited scalability, weak semantic preservation, and high costs. Therefore, we propose MSCR, an automated adversarial attack method based on multi-source candidate replacement. By combining three information sources including cosine similarity in the embedding space of LLMs, the WordNet dictionary, and contextual predictions from a masked language model, we generate for each word in the input question a set of semantically similar candidates, which are then filtered and substituted one by one to carry out the attack. We conduct large-scale experiments on LLMs using the GSM8K and MATH500 benchmarks. The results show that even a slight perturbation involving only a single word can significantly reduce the accuracy of all models, with the maximum drop reaching 49.89% on GSM8K and 35.40% on MATH500, while preserving the high semantic consistency of the perturbed questions. Further analysis reveals that perturbations not only lead to incorrect outputs but also substantially increase the average response length, which results in more redundant reasoning paths and higher computational resource consumption. These findings highlight the robustness deficiencies and efficiency bottlenecks of current LLMs in mathematical reasoning tasks.
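A robustness check in the shape the abstract describes, written here as an added Python example and not taken from the paper: candidates for each word are merged from three sources, filtered, and substituted one at a time, and each perturbed question is scored for answer change and response-length ratio. The embedding table, synonym list, masked-LM predictions, similarity threshold, filter rule and `brittle_solver` are all constructed assumptions standing in for the real components.

```python
import math
import re

# Constructed toy data standing in for the three sources the abstract names.
EMBED = {"buys": [0.9, 0.1, 0.2], "purchases": [0.88, 0.12, 0.22],
         "sells": [-0.7, 0.3, 0.1], "apples": [0.1, 0.9, 0.3],
         "pears": [0.15, 0.85, 0.35]}            # stand-in for LLM embeddings
SYNONYMS = {"buys": ["purchases", "acquires"]}   # stand-in for WordNet
MLM_TOPK = {"buys": ["gets", "purchases", "sells"], "apples": ["pears", "oranges"]}

def cosine(u, v):
    dot = sum(a * b for a, b in zip(u, v))
    return dot / (math.hypot(*u) * math.hypot(*v))

def candidates(word, min_sim=0.95):
    """Merge the three sources for one word, then apply an assumed filter."""
    if not word.isalpha():      # numbers and symbols carry the math itself
        return []
    near = [w for w, v in EMBED.items()
            if word in EMBED and w != word and cosine(EMBED[word], v) >= min_sim]
    out = []
    for c in near + SYNONYMS.get(word, []) + MLM_TOPK.get(word, []):
        # Assumed filter: drop duplicates and candidates whose known embedding is far away.
        far = word in EMBED and c in EMBED and cosine(EMBED[word], EMBED[c]) < min_sim
        if c != word and c not in out and not far:
            out.append(c)
    return out

def single_word_variants(question):  # yields (original, replacement, perturbed text)
    tokens = re.findall(r"\w+|\W+", question)
    for i, tok in enumerate(tokens):
        for cand in candidates(tok.lower()):
            yield tok, cand, "".join(tokens[:i] + [cand] + tokens[i + 1:])

def robustness_report(question, gold, solve):  # variants that break the answer
    base_len = len(solve(question)["text"])
    report = []
    for orig, cand, perturbed in single_word_variants(question):
        out = solve(perturbed)
        if out["answer"] != gold:
            report.append((orig, cand, len(out["text"]) / base_len))
    return report

def brittle_solver(question):  # constructed stand-in for the model under test
    nums = [int(n) for n in re.findall(r"\d+", question)]
    if question.count("buys") == 2:
        return {"answer": sum(nums), "text": "3 + 4 = 7"}
    return {"answer": nums[0], "text": "Let me reconsider... " * 3 + str(nums[0])}

QUESTION = "Tom buys 3 apples, then buys 4 more. How many apples does Tom have?"
```

Calling `robustness_report(QUESTION, 7, brittle_solver)` returns one tuple per single-word variant that changed the answer, with the length ratio as the third field.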

Paper Structure

This paper contains 15 sections, 6 figures, 7 tables.

Figures (6)

  • Figure 1: Examples of adversarial samples generated by the MSCR algorithm on the GSM8K benchmark, answered using Meta-Llama-3-70B-Instruct. More examples are presented in the appendix.
  • Figure 2: Performance changes of various LLMs under attacks by the MSCR algorithm.
  • Figure 3: Overview of the MSCR attack flow.
  • Figure 4: The distribution of the ratio between the response length of LLMs for perturbed questions and the original length. Here, we only present the visualization results for DeepSeek-R1-Distill-Qwen-32B and gemma-3-27b-it; visualizations for additional models can be found in the appendix.
  • Figure 5: Other LLMs on the GSM8K benchmark showing the distribution of the ratio between response length for perturbed questions and the original response length.
  • ...and 1 more figures