ACRFence: Preventing Semantic Rollback Attacks in Agent Checkpoint-Restore
Yusheng Zheng¹, Yiwei Yang¹, Wei Zhang², Andi Quinn¹
Published on arXiv: 2603.20625
Insecure Plugin Design
OWASP LLM Top 10 (2023 edition), LLM07
Excessive Agency
OWASP LLM Top 10 (2023 edition), LLM08
Key Finding
Surveyed 12 major agent frameworks and found that none enforces exactly-once semantics for tool calls; confirmed duplicate payments and reuse of consumed credentials in proof-of-concept experiments.
Novel technique introduced
Semantic Rollback Attacks (Action Replay, Authority Resurrection)
LLM agent frameworks increasingly offer checkpoint-restore for error recovery and exploration, advising developers to make external tool calls safe to retry. This advice assumes that a retried call will be identical to the original, an assumption that holds for traditional programs but fails for LLM agents, which re-synthesize subtly different requests after restore. Servers treat these re-generated requests as new, enabling duplicate payments, unauthorized reuse of consumed credentials, and other irreversible side effects; we term these semantic rollback attacks. We identify two attack classes, Action Replay and Authority Resurrection, validate them in a proof-of-concept experiment, and confirm that the problem has been independently acknowledged by framework maintainers. We propose ACRFence, a framework-agnostic mitigation that records irreversible tool effects and enforces replay-or-fork semantics upon restoration.
Key Contributions
- Identifies semantic rollback attacks (Action Replay and Authority Resurrection) in LLM agent checkpoint-restore mechanisms
- Surveys 12 major agent frameworks (LangGraph, CrewAI, Google ADK, AutoGen, Claude Code, etc.) for exactly-once tool-call semantics and validates the attacks in a proof-of-concept experiment
- Proposes ACRFence, a framework-agnostic mitigation enforcing replay-or-fork semantics for irreversible tool effects
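The mechanism in the abstract, and the replay-or-fork idea from the last contribution, can be made concrete with a small model. The following Python is an added illustration written for this entry; it is not ACRFence's code, and every name in it (PaymentServer, EffectLedger, guarded_step, the approval HMAC, the sample invoice) is an assumption. The server follows the usual "safe to retry" advice by deduplicating on a hash of the request body; the agent's checkpoint carries a one-time human approval. After restore, the stand-in model re-synthesizes a request that differs only in amount formatting, so the server sees a new request (Action Replay), and the restored state still holds the approval that was already spent (Authority Resurrection). The guard keeps a ledger of irreversible effects outside the checkpoint: a step that was already performed is replayed from the ledger without calling the server, and a branch that wants to do something different must fork explicitly and bring fresh authority. How the paper defines fork semantics in detail is not stated on this page; the fresh-approval rule below is this example's own interpretation.

```python
"""Constructed model of semantic rollback attacks and a replay-or-fork guard.
Added illustration, not ACRFence's code; all names below are assumptions."""
import copy
import hashlib
import hmac
import json
from dataclasses import dataclass, field

SECRET = b"approver-key"  # constructed: key the human approver signs with


def approve(action: str, nonce: str) -> str:
    """One-time human approval for one action: nonce plus HMAC tag."""
    tag = hmac.new(SECRET, f"{action}|{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}:{tag}"


def approval_ok(approval: str, action: str) -> bool:
    nonce, _, tag = approval.partition(":")
    want = hmac.new(SECRET, f"{action}|{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, want)


class PaymentServer:
    """Follows the 'make tool calls safe to retry' advice: dedups on a hash of the
    request body and checks the approval tag, but does not track spent approvals."""

    def __init__(self):
        self.seen = {}     # request hash -> result (idempotent retry cache)
        self.ledger = []   # irreversible transfers actually executed

    def transfer(self, request: dict, approval: str) -> dict:
        if not approval_ok(approval, f"pay-invoice-{request['invoice']}"):
            raise PermissionError("approval does not cover this action")
        key = hashlib.sha256(json.dumps(request, sort_keys=True).encode()).hexdigest()
        if key in self.seen:           # byte-identical retry: no new charge
            return self.seen[key]
        txn = {"txn_id": len(self.ledger) + 1, **request}
        self.ledger.append(txn)
        self.seen[key] = txn
        return txn


@dataclass
class AgentState:
    step: int = 0
    approval: str = ""                       # one-time approval lives inside the checkpoint
    log: list = field(default_factory=list)


def llm_compose(invoice: str, attempt: int) -> dict:
    """Stand-in for the model: after restore it re-synthesizes a request that is
    semantically the same but not byte-identical (here, amount formatting)."""
    amount = "100" if attempt == 0 else "100.00"
    return {"to": "acct-bob", "invoice": invoice, "amount": amount}


def pay_step(state: AgentState, server: PaymentServer, attempt: int) -> dict:
    result = server.transfer(llm_compose("42", attempt), state.approval)
    state.log.append(result)
    state.step += 1
    return result


def unguarded_rollback(server: PaymentServer) -> int:
    """Action Replay plus Authority Resurrection: checkpoint, act, restore, act again."""
    state = AgentState(approval=approve("pay-invoice-42", "n1"))
    checkpoint = copy.deepcopy(state)        # taken before the transfer
    pay_step(state, server, attempt=0)       # charge #1; approval now spent
    state = copy.deepcopy(checkpoint)        # restore: log empty, approval back
    pay_step(state, server, attempt=1)       # new hash, old approval -> charge #2
    return len(server.ledger)                # the invoice was paid twice


class EffectLedger:
    """Records irreversible effects outside the checkpoint, keyed by execution
    position, so a restore cannot forget them (replay-or-fork guard)."""

    def __init__(self):
        self.effects = {}      # (branch, step) -> (request, result)
        self.consumed = set()  # one-time approvals already spent

    def guarded_step(self, branch: str, state: AgentState,
                     server: PaymentServer, attempt: int) -> dict:
        pos = (branch, state.step)
        if pos in self.effects:                       # replay: recorded result, no server call
            result = self.effects[pos][1]
        else:                                         # first run or fork: needs unspent authority
            if state.approval in self.consumed:
                raise PermissionError(f"approval already spent; fork at {pos} needs new approval")
            request = llm_compose("42", attempt)
            result = server.transfer(request, state.approval)
            self.effects[pos] = (request, result)
            self.consumed.add(state.approval)
        state.log.append(result)
        state.step += 1
        return result


def guarded_rollback(server: PaymentServer) -> dict:
    """Same restore sequence under the guard: replay is free, fork needs new authority."""
    ledger = EffectLedger()
    state = AgentState(approval=approve("pay-invoice-42", "n1"))
    checkpoint = copy.deepcopy(state)
    first = ledger.guarded_step("main", state, server, attempt=0)       # charge #1
    state = copy.deepcopy(checkpoint)
    replayed = ledger.guarded_step("main", state, server, attempt=1)    # replayed, no charge
    charges_after_restore = len(server.ledger)
    try:
        ledger.guarded_step("explore", copy.deepcopy(checkpoint), server, attempt=1)
        fork_blocked = False
    except PermissionError:
        fork_blocked = True                                             # stale approval refused
    fresh = copy.deepcopy(checkpoint)
    fresh.approval = approve("pay-invoice-42", "n2")                    # human re-approves
    ledger.guarded_step("explore", fresh, server, attempt=1)            # deliberate second payment
    return {"charges_after_restore": charges_after_restore,
            "replayed_same": replayed == first,
            "fork_without_authority_blocked": fork_blocked,
            "charges_after_authorized_fork": len(server.ledger)}
```

Note what the server's idempotency cache does and does not buy: the byte-identical retry case is handled, but the restored agent never produces a byte-identical request, so deduplication on request content is the wrong layer for this failure. The ledger keys on execution position and on consumed authority instead, which is why it survives the restore and why the second charge only happens when a new approval is deliberately supplied.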