ACRFence: Preventing Semantic Rollback Attacks in Agent Checkpoint-Restore

Computer Science > Cryptography and Security [Submitted on 21 Mar 2026] ACRFence: Preventing Semantic Rollback Attacks in Agent Checkpoint-Restore Yusheng Zheng, Yiwei Yang, Wei Zhang, Andi Quinn LLM agent frameworks increasingly offer checkpoint-restore for error recovery and exploration, advising developers to make external tool calls safe to retry. This advice assumes that a retried call will be identical to the original, an assumption that holds for traditional programs but fails for LLM agents, which re-synthesize subtly different requests after restore. Servers treat these re-generated requests as new, enabling duplicate payments, unauthorized reuse of consumed credentials, and other irreversible side effects; we term these semantic rollback attacks. We identify two attack classes, Action Replay and Authority Resurrection, validate them in a proof of concept experiment, and confirm that the problem has been independently acknowledged by framework maintainers. We propose ACRFence, a framework-agnostic mitigation that records irreversible tool effects and enforces replay-or-fork semantics upon restoration Subjects: Cryptography and Security (cs.CR) Cite as: arXiv:2603.20625 [cs.CR]   (or arXiv:2603.20625v1 [cs.CR] for this version)   https://doi.org/10.48550/arXiv.2603.20625 Focus to learn more Journal reference: CoDAIM workshop 2026 Submission history From: Yusheng Zheng [view email] [v1] Sat, 21 Mar 2026 03:39:36 UTC (108 KB) Access Paper: HTML (experimental) view license Current browse context: cs.CR < prev   |   next > new | recent | 2026-03 Change to browse by: cs References & Citations NASA ADS Google Scholar Semantic Scholar Export BibTeX Citation Bookmark Bibliographic Tools Bibliographic and Citation Tools Bibliographic Explorer Toggle Bibliographic Explorer (What is the Explorer?) Connected Papers Toggle Connected Papers (What is Connected Papers?) Litmaps Toggle Litmaps (What is Litmaps?) scite.ai Toggle scite Smart Citations (What are Smart Citations?) Code, Data, Media Demos Related Papers About arXivLabs Which authors of this paper are endorsers? | Disable MathJax (What is MathJax?)