{"paper":{"title":"When Efficiency Backfires: Cascading LLMs Trigger Cascade Failure under Adversarial Attack","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","headline":"Adversarial attacks exploit LLM cascade designs to degrade both accuracy and efficiency.","cross_cats":["cs.AI"],"primary_cat":"cs.CR","authors_text":"Dingfan Chen, Songze Li, Zehan Sun","submitted_at":"2026-05-17T06:59:43Z","abstract_excerpt":"Large Language Model (LLM) cascade systems are designed to balance efficiency and performance by processing queries with lightweight models while selectively escalating complex cases to more powerful ones. Such systems seek to reduce computational cost and latency while maintaining task performance, making it an appealing choice for large-scale deployment. However, the cascade design introduces new vulnerabilities through an expanded attack surface: the inclusion of lightweight front-end models and internal decision mechanisms introduces new weaknesses. In this work, we present the first stud"},"claims":{"count":4,"items":[{"kind":"strongest_claim","text":"We present the first study demonstrating that LLM cascade systems are susceptible to targeted adversarial manipulation, which disrupts both performance objectives and the intended cost advantages of the cascade design.","source":"verdict.strongest_claim","status":"machine_extracted","claim_id":"C1","attestation":"unclaimed"},{"kind":"weakest_assumption","text":"The inclusion of lightweight front-end models and internal decision mechanisms in the cascade design necessarily expands the attack surface in ways that prior standalone-model attacks cannot exploit.","source":"verdict.weakest_assumption","status":"machine_extracted","claim_id":"C2","attestation":"unclaimed"},{"kind":"one_line_summary","text":"LLM cascade systems are vulnerable to a new adversarial attack that simultaneously degrades accuracy and destroys the intended cost savings by targeting both the lightweight models and the 
escalation decision mechanism.","source":"verdict.one_line_summary","status":"machine_extracted","claim_id":"C3","attestation":"unclaimed"},{"kind":"headline","text":"Adversarial attacks exploit LLM cascade designs to degrade both accuracy and efficiency.","source":"verdict.pith_extraction.headline","status":"machine_extracted","claim_id":"C4","attestation":"unclaimed"}],"snapshot_sha256":"cb7b2bc97a57c3038a7f3e0690a887162bddcf88285de8643163b5359c1fb197"},"source":{"id":"2605.17288","kind":"arxiv","version":1},"verdict":{"id":"848b067b-d14f-4aac-99a6-cae376617897","model_set":{"reader":"grok-4.3"},"created_at":"2026-05-19T23:55:09.417168Z","strongest_claim":"We present the first study demonstrating that LLM cascade systems are susceptible to targeted adversarial manipulation, which disrupts both performance objectives and the intended cost advantages of the cascade design.","one_line_summary":"LLM cascade systems are vulnerable to a new adversarial attack that simultaneously degrades accuracy and destroys the intended cost savings by targeting both the lightweight models and the escalation decision mechanism.","pipeline_version":"pith-pipeline@v0.9.0","weakest_assumption":"The inclusion of lightweight front-end models and internal decision mechanisms in the cascade design necessarily expands the attack surface in ways that prior standalone-model attacks cannot exploit.","pith_extraction_headline":"Adversarial attacks exploit LLM cascade designs to degrade both accuracy and 
efficiency."},"integrity":{"clean":true,"summary":{"advisory":0,"critical":0,"by_detector":{},"informational":0},"endpoint":"/pith/2605.17288/integrity.json","findings":[],"available":true,"detectors_run":[{"name":"doi_compliance","ran_at":"2026-05-20T00:03:22.673189Z","status":"completed","version":"1.0.0","findings_count":0},{"name":"doi_title_agreement","ran_at":"2026-05-20T00:01:20.660531Z","status":"completed","version":"1.0.0","findings_count":0},{"name":"claim_evidence","ran_at":"2026-05-19T22:01:57.818452Z","status":"completed","version":"1.0.0","findings_count":0},{"name":"ai_meta_artifact","ran_at":"2026-05-19T21:33:23.768072Z","status":"skipped","version":"1.0.0","findings_count":0}],"snapshot_sha256":"ff1c44e5ba8f35322c5bdf94cf4cdafe6ff5a0ca6dc402f6c24c757f54dc5a5f"},"references":{"count":85,"sample":[{"doi":"","year":2023,"title":"GPT-4 Technical Report","work_id":"b928e041-6991-4c08-8c81-0359e4097c7b","ref_index":1,"cited_arxiv_id":"2303.08774","is_internal_anchor":true},{"doi":"","year":2024,"title":"The claude 3 model family: Opus, sonnet, haiku, 2024","work_id":"8e7d4999-7ff2-447c-bd2d-c9e35112083b","ref_index":2,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2023,"title":"Gemini: A Family of Highly Capable Multimodal Models","work_id":"83f7c85b-3f11-450f-ac0c-64d9745220b2","ref_index":3,"cited_arxiv_id":"2312.11805","is_internal_anchor":true},{"doi":"","year":2024,"title":"DeepSeek-V3 Technical Report","work_id":"57d2791d-2219-4c31-a077-afc04b12a75c","ref_index":4,"cited_arxiv_id":"2412.19437","is_internal_anchor":true},{"doi":"","year":2023,"title":"Qwen Technical 
Report","work_id":"bb1fd52f-6b2f-437c-9516-37bdf6eb9be8","ref_index":5,"cited_arxiv_id":"2309.16609","is_internal_anchor":true}],"resolved_work":85,"snapshot_sha256":"9f556fe1156c8c6a36f07dd55c791f9c9c5d1e5626d34fe5ba6e85e0e44c841d","internal_anchors":12},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"}