Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

ACRFence: Preventing Semantic Rollback Attacks in Agent Checkpoint-Restore

Yusheng Zheng, Yiwei Yang, Wei Zhang, Andi Quinn

Abstract

LLM agent frameworks increasingly offer checkpoint-restore for error recovery and exploration, advising developers to make external tool calls safe to retry. This advice assumes that a retried call will be identical to the original, an assumption that holds for traditional programs but fails for LLM agents, which re-synthesize subtly different requests after restore. Servers treat these re-generated requests as new, enabling duplicate payments, unauthorized reuse of consumed credentials, and other irreversible side effects; we term these semantic rollback attacks. We identify two attack classes, Action Replay and Authority Resurrection, validate them in a proof of concept experiment, and confirm that the problem has been independently acknowledged by framework maintainers. We propose ACRFence, a framework-agnostic mitigation that records irreversible tool effects and enforces replay-or-fork semantics upon restoration

ACRFence: Preventing Semantic Rollback Attacks in Agent Checkpoint-Restore

Abstract

LLM agent frameworks increasingly offer checkpoint-restore for error recovery and exploration, advising developers to make external tool calls safe to retry. This advice assumes that a retried call will be identical to the original, an assumption that holds for traditional programs but fails for LLM agents, which re-synthesize subtly different requests after restore. Servers treat these re-generated requests as new, enabling duplicate payments, unauthorized reuse of consumed credentials, and other irreversible side effects; we term these semantic rollback attacks. We identify two attack classes, Action Replay and Authority Resurrection, validate them in a proof of concept experiment, and confirm that the problem has been independently acknowledged by framework maintainers. We propose ACRFence, a framework-agnostic mitigation that records irreversible tool effects and enforces replay-or-fork semantics upon restoration
Paper Structure (6 sections, 1 figure, 1 table)

This paper contains 6 sections, 1 figure, 1 table.

Table of Contents

  1. Background and Motivation
  2. Threat Model
  3. Attacks and Experimental Validation
  4. Mitigation: ACRFence
  5. Related Work
  6. Discussion and Conclusion

Figures (1)

  • Figure 1: Action Replay attack. A malicious payee (Bob) controls an MCP service in the agent's tool chain and triggers a crash after a successful transfer. After restore, the LLM regenerates a different reference ID, so the bank accepts the retried call as a new transaction.