Amplified Vulnerabilities: Structured Jailbreak Attacks on LLM-based Multi-Agent Debate
It addresses security risks for users of LLM-based multi-agent systems, revealing critical vulnerabilities that require specialized defenses before deployment.
This paper systematically investigates jailbreak vulnerabilities in Multi-Agent Debate (MAD) frameworks, finding they are inherently more vulnerable than single-agent setups, with a proposed attack increasing average harmfulness from 28.14% to 80.34% and achieving up to 80% success rates.
Multi-Agent Debate (MAD), leveraging collaborative interactions among Large Language Models (LLMs), aim to enhance reasoning capabilities in complex tasks. However, the security implications of their iterative dialogues and role-playing characteristics, particularly susceptibility to jailbreak attacks eliciting harmful content, remain critically underexplored. This paper systematically investigates the jailbreak vulnerabilities of four prominent MAD frameworks built upon leading commercial LLMs (GPT-4o, GPT-4, GPT-3.5-turbo, and DeepSeek) without compromising internal agents. We introduce a novel structured prompt-rewriting framework specifically designed to exploit MAD dynamics via narrative encapsulation, role-driven escalation, iterative refinement, and rhetorical obfuscation. Our extensive experiments demonstrate that MAD systems are inherently more vulnerable than single-agent setups. Crucially, our proposed attack methodology significantly amplifies this fragility, increasing average harmfulness from 28.14% to 80.34% and achieving attack success rates as high as 80% in certain scenarios. These findings reveal intrinsic vulnerabilities in MAD architectures and underscore the urgent need for robust, specialized defenses prior to real-world deployment.