Table of Contents
Fetching ...

CODE: A Contradiction-Based Deliberation Extension Framework for Overthinking Attacks on Retrieval-Augmented Generation

Xiaolei Zhang, Xiaojun Jia, Liquan Chen, Songze Li

TL;DR

This work addresses the vulnerability of Retrieval-Augmented Generation systems to end-to-end knowledge-base poisoning that triggers overthinking in embedded reasoning models. It introduces CODE, a tri-agent framework comprising Contradiction Architect, Conflict Weaver, and Style Adapter, which constructs cross-layer contradictions and stylistic variations that are highly retrievable and semantically plausible. Extensive experiments across five commercial reasoning models and two numeric-reasoning datasets show a substantial increase in reasoning tokens (5.32x–24.72x) and task-level amplification (up to ~43x) while preserving answer accuracy, revealing a stealthy and scalable vulnerability in practical RAG deployments. The authors also evaluate defenses, outlining limitations of prompt-based constraints and retrieval filtering, and discuss controllable countermeasures to mitigate overthinking risks in production settings.

Abstract

Introducing reasoning models into Retrieval-Augmented Generation (RAG) systems enhances task performance through step-by-step reasoning, logical consistency, and multi-step self-verification. However, recent studies have shown that reasoning models suffer from overthinking attacks, where models are tricked to generate unnecessarily high number of reasoning tokens. In this paper, we reveal that such overthinking risk can be inherited by RAG systems equipped with reasoning models, by proposing an end-to-end attack framework named Contradiction-Based Deliberation Extension (CODE). Specifically, CODE develops a multi-agent architecture to construct poisoning samples that are injected into the knowledge base. These samples 1) are highly correlated with the use query, such that can be retrieved as inputs to the reasoning model; and 2) contain contradiction between the logical and evidence layers that cause models to overthink, and are optimized to exhibit highly diverse styles. Moreover, the inference overhead of CODE is extremely difficult to detect, as no modification is needed on the user query, and the task accuracy remain unaffected. Extensive experiments on two datasets across five commercial reasoning models demonstrate that the proposed attack causes a 5.32x-24.72x increase in reasoning token consumption, without degrading task performance. Finally, we also discuss and evaluate potential countermeasures to mitigate overthinking risks.

CODE: A Contradiction-Based Deliberation Extension Framework for Overthinking Attacks on Retrieval-Augmented Generation

TL;DR

This work addresses the vulnerability of Retrieval-Augmented Generation systems to end-to-end knowledge-base poisoning that triggers overthinking in embedded reasoning models. It introduces CODE, a tri-agent framework comprising Contradiction Architect, Conflict Weaver, and Style Adapter, which constructs cross-layer contradictions and stylistic variations that are highly retrievable and semantically plausible. Extensive experiments across five commercial reasoning models and two numeric-reasoning datasets show a substantial increase in reasoning tokens (5.32x–24.72x) and task-level amplification (up to ~43x) while preserving answer accuracy, revealing a stealthy and scalable vulnerability in practical RAG deployments. The authors also evaluate defenses, outlining limitations of prompt-based constraints and retrieval filtering, and discuss controllable countermeasures to mitigate overthinking risks in production settings.

Abstract

Introducing reasoning models into Retrieval-Augmented Generation (RAG) systems enhances task performance through step-by-step reasoning, logical consistency, and multi-step self-verification. However, recent studies have shown that reasoning models suffer from overthinking attacks, where models are tricked to generate unnecessarily high number of reasoning tokens. In this paper, we reveal that such overthinking risk can be inherited by RAG systems equipped with reasoning models, by proposing an end-to-end attack framework named Contradiction-Based Deliberation Extension (CODE). Specifically, CODE develops a multi-agent architecture to construct poisoning samples that are injected into the knowledge base. These samples 1) are highly correlated with the use query, such that can be retrieved as inputs to the reasoning model; and 2) contain contradiction between the logical and evidence layers that cause models to overthink, and are optimized to exhibit highly diverse styles. Moreover, the inference overhead of CODE is extremely difficult to detect, as no modification is needed on the user query, and the task accuracy remain unaffected. Extensive experiments on two datasets across five commercial reasoning models demonstrate that the proposed attack causes a 5.32x-24.72x increase in reasoning token consumption, without degrading task performance. Finally, we also discuss and evaluate potential countermeasures to mitigate overthinking risks.
Paper Structure (45 sections, 19 equations, 7 figures, 6 tables, 1 algorithm)

This paper contains 45 sections, 19 equations, 7 figures, 6 tables, 1 algorithm.

Figures (7)

  • Figure 1: Tri-Agent Collaboration Framework for CODE.
  • Figure 2: Token-level Impact of Style Adapter optimization on token expansion and accuracy, where the left plot shows results on the HotpotQA dataset with and without Style Adapter optimization, and the right plot shows results on the Musique dataset.
  • Figure 3: Task-level Impact of Style Adapter optimization on times and proportion, where the left plot shows results on the HotpotQA dataset with and without Style Adapter optimization, and the right plot shows results on the Musique dataset.
  • Figure 4: Example of blueprint construction
  • Figure 5: Details of target model Prompts
  • ...and 2 more figures