Sponge Tool Attack: Stealthy Denial-of-Efficiency against Tool-Augmented Agentic Reasoning
Qi Li, Xinchao Wang
TL;DR
This paper identifies a Denial-of-Efficiency (DoE) vulnerability in tool-augmented LLM agents, where adversarial prompt rewrites can force prolonged reasoning and additional tool calls without changing the task intent. It introduces Sponge Tool Attack (STA), a multi-agent framework that offline-derives a policy bank of rewriting strategies and online uses a Prompt Rewriter, Quality Judge, and Policy Inductor to craft semantically faithful yet more verbose prompts under a read-only access constraint, aiming to maximize computational overhead. Empirically, STA consistently increases tool-calling steps across 6 core models, 12 tools, 4 agentic frameworks, and 13 datasets spanning 5 domains, with findings that its impact grows with system capability while preserving task semantics. The results underscore a cost-aware vulnerability in tool-augmented reasoning, suggesting the need for defenses that curb unnecessary tool usage without compromising correctness and user intent.
Abstract
Enabling large language models (LLMs) to solve complex reasoning tasks is a key step toward artificial general intelligence. Recent work augments LLMs with external tools to enable agentic reasoning, achieving high utility and efficiency in a plug-and-play manner. However, the inherent vulnerabilities of such methods to malicious manipulation of the tool-calling process remain largely unexplored. In this work, we identify a tool-specific attack surface and propose Sponge Tool Attack (STA), which disrupts agentic reasoning solely by rewriting the input prompt under a strict query-only access assumption. Without any modification on the underlying model or the external tools, STA converts originally concise and efficient reasoning trajectories into unnecessarily verbose and convoluted ones before arriving at the final answer. This results in substantial computational overhead while remaining stealthy by preserving the original task semantics and user intent. To achieve this, we design STA as an iterative, multi-agent collaborative framework with explicit rewritten policy control, and generates benign-looking prompt rewrites from the original one with high semantic fidelity. Extensive experiments across 6 models (including both open-source models and closed-source APIs), 12 tools, 4 agentic frameworks, and 13 datasets spanning 5 domains validate the effectiveness of STA.
