attack 2025

Tipping the Dominos: Topology-Aware Multi-Hop Attacks on LLM-Based Multi-Agent Systems

Ruichao Liang 1, Le Yin 1, Jing Chen 1, Cong Wu 1, Xiaoyu Zhang 2, Huangpeng Gu 1, Zijian Zhang 3, Yang Liu 2

0 citations · 64 references · arXiv

Published on arXiv: 2512.04129

Prompt Injection (OWASP LLM Top 10: LLM01)

Excessive Agency (OWASP LLM Top 10: LLM08)

Key Finding

TOMA achieves 40–78% attack success rates across three state-of-the-art MAS frameworks and five topologies without privileged access; the proposed topology-trust defense blocks 94.8% of adaptive and composite attacks.

Novel technique introduced: TOMA


LLM-based multi-agent systems (MASs) have reshaped the digital landscape with their emergent coordination and problem-solving capabilities. However, current security evaluations of MASs are still confined to limited attack scenarios, leaving their security issues unclear and likely underestimated. To fill this gap, we propose TOMA, a topology-aware multi-hop attack scheme targeting MASs. By optimizing the propagation of contamination within the MAS topology and controlling the multi-hop diffusion of adversarial payloads originating from the environment, TOMA unveils new and effective attack vectors without requiring privileged access or direct agent manipulation. Experiments demonstrate attack success rates ranging from 40% to 78% across three state-of-the-art MAS architectures: Magentic-One, LangManus, and OWL, and five representative topologies, revealing intrinsic MAS vulnerabilities that may be overlooked by existing research. Inspired by these findings, we propose a conceptual defense framework based on topology trust, and prototype experiments show its effectiveness in blocking 94.8% of adaptive and composite attacks.


Key Contributions

  • TOMA: a topology-aware multi-hop attack that models adversarial contamination propagation through MAS agent graphs to identify optimal attack paths without requiring privileged access or agent impersonation
  • Hierarchical payload encapsulation scheme that recursively embeds attack path instructions into inter-agent messages to preserve adversarial payload integrity across multiple hops
  • Conceptual topology-trust defense framework that blocks 94.8% of adaptive and composite attacks, validated across Magentic-One, LangManus, and OWL architectures

Details

Domains: nlp
Model Types: llm
Threat Tags: black_box, inference_time, targeted
Datasets: Magentic-One, LangManus, OWL
Applications: llm multi-agent systems, agentic ai orchestration, file system manipulation, terminal command execution