More Agents Helps but Adversarial Robustness Gap Persists

When LLM agents work together, they seem to be more powerful than a single LLM in mathematical question answering. However, are they also more robust to adversarial inputs? We investigate this question using adversarially perturbed math questions. These perturbations include punctuation noise with three intensities (10, 30, and 50 percent), plus real-world and human-like typos (WikiTypo, R2ATA). Using a unified sampling-and-voting framework (Agent Forest), we evaluate six open-source models (Qwen3-4B/14B, Llama3.1-8B, Mistral-7B, Gemma3-4B/12B) across four benchmarks (GSM8K, MATH, MMLU-Math, MultiArith), with various numbers of agents n from one to 25 (1, 2, 5, 10, 15, 20, 25). Our findings show that (1) Noise type matters: punctuation noise harm scales with its severity, and the human typos remain the dominant bottleneck, yielding the largest gaps to Clean accuracy and the highest ASR even with a large number of agents. And (2) Collaboration reliably improves accuracy as the number of agents, n, increases, with the largest gains from one to five agents and diminishing returns beyond 10 agents. However, the adversarial robustness gap persists regardless of the agent count.

Key Contributions

• Systematic evaluation of adversarial robustness in multi-agent LLM systems (Agent Forest) under five noise types across six open-source models and four math benchmarks
• Finding that multi-agent collaboration monotonically improves accuracy (0.6579 → 0.7740 from 1 to 25 agents) but does not close the adversarial robustness gap for any noise type
• Taxonomy showing human-like typos (WikiTypo, R2ATA) are the dominant robustness bottleneck, consistently outpacing punctuation noise as the hardest perturbation type regardless of agent count

🛡️ Threat Analysis

Details

Similar Papers