Table of Contents
Fetching ...

Sponge Tool Attack: Stealthy Denial-of-Efficiency against Tool-Augmented Agentic Reasoning

Qi Li, Xinchao Wang

TL;DR

This paper identifies a Denial-of-Efficiency (DoE) vulnerability in tool-augmented LLM agents, where adversarial prompt rewrites can force prolonged reasoning and additional tool calls without changing the task intent. It introduces Sponge Tool Attack (STA), a multi-agent framework that offline-derives a policy bank of rewriting strategies and online uses a Prompt Rewriter, Quality Judge, and Policy Inductor to craft semantically faithful yet more verbose prompts under a read-only access constraint, aiming to maximize computational overhead. Empirically, STA consistently increases tool-calling steps across 6 core models, 12 tools, 4 agentic frameworks, and 13 datasets spanning 5 domains, with findings that its impact grows with system capability while preserving task semantics. The results underscore a cost-aware vulnerability in tool-augmented reasoning, suggesting the need for defenses that curb unnecessary tool usage without compromising correctness and user intent.

Abstract

Enabling large language models (LLMs) to solve complex reasoning tasks is a key step toward artificial general intelligence. Recent work augments LLMs with external tools to enable agentic reasoning, achieving high utility and efficiency in a plug-and-play manner. However, the inherent vulnerabilities of such methods to malicious manipulation of the tool-calling process remain largely unexplored. In this work, we identify a tool-specific attack surface and propose Sponge Tool Attack (STA), which disrupts agentic reasoning solely by rewriting the input prompt under a strict query-only access assumption. Without any modification on the underlying model or the external tools, STA converts originally concise and efficient reasoning trajectories into unnecessarily verbose and convoluted ones before arriving at the final answer. This results in substantial computational overhead while remaining stealthy by preserving the original task semantics and user intent. To achieve this, we design STA as an iterative, multi-agent collaborative framework with explicit rewritten policy control, and generates benign-looking prompt rewrites from the original one with high semantic fidelity. Extensive experiments across 6 models (including both open-source models and closed-source APIs), 12 tools, 4 agentic frameworks, and 13 datasets spanning 5 domains validate the effectiveness of STA.

Sponge Tool Attack: Stealthy Denial-of-Efficiency against Tool-Augmented Agentic Reasoning

TL;DR

This paper identifies a Denial-of-Efficiency (DoE) vulnerability in tool-augmented LLM agents, where adversarial prompt rewrites can force prolonged reasoning and additional tool calls without changing the task intent. It introduces Sponge Tool Attack (STA), a multi-agent framework that offline-derives a policy bank of rewriting strategies and online uses a Prompt Rewriter, Quality Judge, and Policy Inductor to craft semantically faithful yet more verbose prompts under a read-only access constraint, aiming to maximize computational overhead. Empirically, STA consistently increases tool-calling steps across 6 core models, 12 tools, 4 agentic frameworks, and 13 datasets spanning 5 domains, with findings that its impact grows with system capability while preserving task semantics. The results underscore a cost-aware vulnerability in tool-augmented reasoning, suggesting the need for defenses that curb unnecessary tool usage without compromising correctness and user intent.

Abstract

Enabling large language models (LLMs) to solve complex reasoning tasks is a key step toward artificial general intelligence. Recent work augments LLMs with external tools to enable agentic reasoning, achieving high utility and efficiency in a plug-and-play manner. However, the inherent vulnerabilities of such methods to malicious manipulation of the tool-calling process remain largely unexplored. In this work, we identify a tool-specific attack surface and propose Sponge Tool Attack (STA), which disrupts agentic reasoning solely by rewriting the input prompt under a strict query-only access assumption. Without any modification on the underlying model or the external tools, STA converts originally concise and efficient reasoning trajectories into unnecessarily verbose and convoluted ones before arriving at the final answer. This results in substantial computational overhead while remaining stealthy by preserving the original task semantics and user intent. To achieve this, we design STA as an iterative, multi-agent collaborative framework with explicit rewritten policy control, and generates benign-looking prompt rewrites from the original one with high semantic fidelity. Extensive experiments across 6 models (including both open-source models and closed-source APIs), 12 tools, 4 agentic frameworks, and 13 datasets spanning 5 domains validate the effectiveness of STA.
Paper Structure (32 sections, 15 equations, 12 figures, 4 tables)

This paper contains 32 sections, 15 equations, 12 figures, 4 tables.

Figures (12)

  • Figure 1: A high-level illustration of Sponge Tool Attack (STA). The goal is to achieve a stealthy yet effective malicious modification of the input prompt under strict access constraints, such that the tool-augmented agentic reasoning process becomes unnecessarily verbose and inefficient, i.e., Denial-of-Efficiency (DoE).
  • Figure 2: The offline policy bank construction process.
  • Figure 3: The sponging process utilizing the policy bank.
  • Figure 4: Left: Benchmark-level comparisons across models. Right: Within-model comparisons across benchmarks (Right). On different models and datasets, STA consistently induces a substantial increase in the number of tool-calling steps.
  • Figure 5: Analysis of STA-induced step changes and rewrite similarity. Left: density-aggregated visualization of the overall behavioral distribution. Middle: cumulative distribution of the change in tool-calling steps. Right: distribution of similarity scores.
  • ...and 7 more figures