Don't Trust Your Upstream: Exploiting LLM Multi-Agent System via Topology-Guided Adversarial Propagation

TL;DR

This paper introduces a topology-aware adversarial attack method on LLM-based multi-agent systems, revealing significant vulnerabilities and proposing a mitigation strategy to enhance security.

Contribution

It presents a novel topology-guided attack scheme that propagates adversarial contamination through MASs, demonstrating practical black-box attack success and proposing a mitigation approach.

Findings

Achieves 40-78% success rate on three MAS frameworks

Reaches 85% success on two real-world MAS applications

Proposes a topology-trust mitigation blocking 94.8% of attacks

Abstract

The digital world is witnessing the rapid rise of LLM-based multi-agent systems (MASs) and their powerful applications. However, their security remains insufficiently understood, as existing evaluations are largely limited to narrow attack settings and may substantially underestimate the real risks of MAS deployments. Inspired by the MAS inter-agent dependencies, where upstream outputs are reinterpreted and executed by downstream agents, we propose a topology-aware attack scheme that propagates adversarial contamination from exposed edge agents to high-privilege agents to induce malicious behaviors. By combining topology reconnaissance, contamination propagation modeling, and hierarchical payload encapsulation, our approach overcomes the key challenges of black-box attacks and makes such multi-hop compromise practical. Experiments show that our approach achieves success rates of 40\%--78\% on three widely-used MAS frameworks under five topologies, and 85\% on two real-world MAS applications across 20 representative scenarios. The results reveal fundamental vulnerabilities in MASs that have been overlooked by prior studies. Based on these findings, we propose a topology-trust mitigation that blocks 94.8\% of such composite attacks.