English

ACRFence: Preventing Semantic Rollback Attacks in Agent Checkpoint-Restore

Cryptography and Security 2026-03-24 v1

Abstract

LLM agent frameworks increasingly offer checkpoint-restore for error recovery and exploration, advising developers to make external tool calls safe to retry. This advice assumes that a retried call will be identical to the original, an assumption that holds for traditional programs but fails for LLM agents, which re-synthesize subtly different requests after restore. Servers treat these re-generated requests as new, enabling duplicate payments, unauthorized reuse of consumed credentials, and other irreversible side effects; we term these semantic rollback attacks. We identify two attack classes, Action Replay and Authority Resurrection, validate them in a proof of concept experiment, and confirm that the problem has been independently acknowledged by framework maintainers. We propose ACRFence, a framework-agnostic mitigation that records irreversible tool effects and enforces replay-or-fork semantics upon restoration

Keywords

Cite

@article{arxiv.2603.20625,
  title  = {ACRFence: Preventing Semantic Rollback Attacks in Agent Checkpoint-Restore},
  author = {Yusheng Zheng and Yiwei Yang and Wei Zhang and Andi Quinn},
  journal= {arXiv preprint arXiv:2603.20625},
  year   = {2026}
}
R2 v1 2026-07-01T11:30:58.945Z