ML Security PapersBlockA2A: Towards Secure and Verifiable Agent-to-Agent Interoperability
Zhenhua Zou , Zhuotao Liu , Lepeng Zhao , Qiuyang Zhan
Published on arXiv
2508.01332
Excessive Agency
OWASP LLM Top 10 — LLM08
Prompt Injection
OWASP LLM Top 10 — LLM01
Key Finding
BlockA2A neutralizes prompt-based, communication-based, behavioral, and systemic MAS attacks with sub-second overhead, enabling scalable production deployment
BlockA2A / Defense Orchestration Engine (DOE)
Novel technique introduced
The rapid adoption of agentic AI, powered by large language models (LLMs), is transforming enterprise ecosystems with autonomous agents that execute complex workflows. Yet we observe several key security vulnerabilities in LLM-driven multi-agent systems (MASes): fragmented identity frameworks, insecure communication channels, and inadequate defenses against Byzantine agents or adversarial prompts. In this paper, we present the first systematic analysis of these emerging multi-agent risks and explain why the legacy security strategies cannot effectively address these risks. Afterwards, we propose BlockA2A, the first unified multi-agent trust framework that enables secure and verifiable and agent-to-agent interoperability. At a high level, BlockA2A adopts decentralized identifiers (DIDs) to enable fine-grained cross-domain agent authentication, blockchain-anchored ledgers to enable immutable auditability, and smart contracts to dynamically enforce context-aware access control policies. BlockA2A eliminates centralized trust bottlenecks, ensures message authenticity and execution integrity, and guarantees accountability across agent interactions. Furthermore, we propose a Defense Orchestration Engine (DOE) that actively neutralizes attacks through real-time mechanisms, including Byzantine agent flagging, reactive execution halting, and instant permission revocation. Empirical evaluations demonstrate BlockA2A's effectiveness in neutralizing prompt-based, communication-based, behavioral and systemic MAS attacks. We formalize its integration into existing MAS and showcase a practical implementation for Google's A2A protocol. Experiments confirm that BlockA2A and DOE operate with sub-second overhead, enabling scalable deployment in production LLM-based MAS environments.
Key Contributions
- First systematic analysis of security vulnerabilities in LLM-driven multi-agent systems (fragmented identity, insecure channels, Byzantine agents, adversarial prompts)
- BlockA2A framework using decentralized identifiers (DIDs), blockchain-anchored ledgers, and smart contracts for verifiable cross-domain agent authentication and immutable auditability
- Defense Orchestration Engine (DOE) providing real-time Byzantine agent flagging, reactive execution halting, and permission revocation with sub-second overhead