pith. sign in

arxiv: 2506.22982 · v1 · submitted 2025-06-28 · 💻 cs.CV

Revisiting CroPA: A Reproducibility Study and Enhancements for Cross-Prompt Adversarial Transferability in Vision-Language Models

Atharv Mittal , Agam Pandey , Amritanshu Tiwari , Sukrit Jindal , Swadesh Swain This is my paper

Pith reviewed 2026-05-19 07:02 UTC · model grok-4.3

classification 💻 cs.CV
keywords adversarial attacksvision-language modelscross-prompt transferabilityreproducibility studyCroPAadversarial transferabilityVLMsuniversal perturbations
0
0 comments X

The pith

A reproducibility study confirms CroPA's cross-prompt adversarial transfer in vision-language models and shows targeted enhancements raise attack success rates.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper reproduces the Cross-Prompt Attack, or CroPA, on vision-language models to verify that adversarial perturbations transfer effectively across different text prompts for the same image. The authors find the original results hold on models including Flamingo, BLIP-2, InstructBLIP, and LLaVA, with CroPA outperforming prior baselines in transferability. They then introduce a new initialization method, test universal perturbations that work across images, and create a loss function aimed at the vision encoder's attention patterns. These changes produce higher attack success rates without relying on model-specific tuning. Readers would care because VLMs now handle real tasks that combine images and text, so clearer evidence of their shared weaknesses informs how to evaluate deployment risks.

Core claim

The study validates that CroPA achieves superior cross-prompt transferability compared to existing baselines. The proposed enhancements, including a novel initialization strategy, universal perturbations for cross-image transferability, and a loss function targeting vision encoder attention mechanisms, consistently improve adversarial effectiveness across the tested VLMs.

What carries the argument

The Cross-Prompt Attack (CroPA) that learns image perturbations transferable across varying text prompts, strengthened by a new loss focused on vision encoder attention.

If this is right

  • The original CroPA results hold on multiple prominent VLMs, confirming cross-prompt transferability.
  • A new initialization strategy raises attack success rates for the same models and prompts.
  • Universal perturbations can be learned that transfer across different images as well as prompts.
  • Targeting attention mechanisms in the vision encoder produces better generalization than prior loss designs.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Security evaluations of VLMs should now routinely include cross-prompt and cross-image attack tests rather than single-prompt checks.
  • The attention-targeted loss may extend to other multimodal architectures that share similar encoder designs.
  • If these patterns persist at larger scales, real-world image-text systems may require prompt-robust defenses.

Load-bearing premise

The novel loss function targeting vision encoder attention mechanisms improves generalization across models and prompts without post-hoc tuning that inflates reported gains.

What would settle it

Testing the enhanced CroPA on a held-out vision-language model and finding no consistent rise in attack success rate over the original version would undermine the claim that the improvements generalize.

read the original abstract

Large Vision-Language Models (VLMs) have revolutionized computer vision, enabling tasks such as image classification, captioning, and visual question answering. However, they remain highly vulnerable to adversarial attacks, particularly in scenarios where both visual and textual modalities can be manipulated. In this study, we conduct a comprehensive reproducibility study of "An Image is Worth 1000 Lies: Adversarial Transferability Across Prompts on Vision-Language Models" validating the Cross-Prompt Attack (CroPA) and confirming its superior cross-prompt transferability compared to existing baselines. Beyond replication we propose several key improvements: (1) A novel initialization strategy that significantly improves Attack Success Rate (ASR). (2) Investigate cross-image transferability by learning universal perturbations. (3) A novel loss function targeting vision encoder attention mechanisms to improve generalization. Our evaluation across prominent VLMs -- including Flamingo, BLIP-2, and InstructBLIP as well as extended experiments on LLaVA validates the original results and demonstrates that our improvements consistently boost adversarial effectiveness. Our work reinforces the importance of studying adversarial vulnerabilities in VLMs and provides a more robust framework for generating transferable adversarial examples, with significant implications for understanding the security of VLMs in real-world applications.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

1 major / 1 minor

Summary. The paper conducts a reproducibility study of the Cross-Prompt Attack (CroPA) from prior work on adversarial transferability in Vision-Language Models, validating its superior cross-prompt transferability compared to baselines. It proposes three enhancements: (1) a novel initialization strategy to improve Attack Success Rate (ASR), (2) investigation of cross-image transferability via universal perturbations, and (3) a novel loss function targeting vision encoder attention mechanisms to improve generalization. Evaluations across VLMs including Flamingo, BLIP-2, InstructBLIP, and extended experiments on LLaVA are claimed to validate the original results and demonstrate consistent boosts in adversarial effectiveness.

Significance. If the validations and improvements hold with full experimental support, the work would be significant for adversarial robustness research in multimodal models. It would strengthen evidence for CroPA's cross-prompt advantages and offer a more robust framework for transferable attacks, with implications for VLM security in real-world applications.

major comments (1)
  1. [Abstract] Abstract: The claim that the novel loss function targeting vision encoder attention mechanisms improves generalization across models and prompts (and thereby consistently boosts adversarial effectiveness) is load-bearing for the central contribution, yet the manuscript supplies no equations, pseudocode, ablation results, or details on how post-hoc tuning was avoided. This prevents assessment of whether the loss introduces model-specific assumptions that could inflate the reported cross-model and cross-prompt gains on Flamingo, BLIP-2, InstructBLIP, and LLaVA.
minor comments (1)
  1. The abstract would benefit from explicit definitions of the Attack Success Rate metric and the precise protocol used to measure cross-prompt transferability, as these are central to interpreting the validation claims.

Simulated Author's Rebuttal

1 responses · 0 unresolved

We thank the referee for their thorough review and constructive feedback on our reproducibility study of CroPA and the proposed enhancements. We address the major comment below and will revise the manuscript to improve clarity and completeness.

read point-by-point responses

  1. Referee: [Abstract] Abstract: The claim that the novel loss function targeting vision encoder attention mechanisms improves generalization across models and prompts (and thereby consistently boosts adversarial effectiveness) is load-bearing for the central contribution, yet the manuscript supplies no equations, pseudocode, ablation results, or details on how post-hoc tuning was avoided. This prevents assessment of whether the loss introduces model-specific assumptions that could inflate the reported cross-model and cross-prompt gains on Flamingo, BLIP-2, InstructBLIP, and LLaVA.

    Authors: We agree that the abstract is a concise summary and does not contain the technical details of the novel loss function. In the revised manuscript we will add the explicit mathematical formulation of the loss (which penalizes attention dispersion on non-salient image regions) in the methods section, include pseudocode in the appendix, and report dedicated ablation studies isolating its contribution. All hyperparameters were selected once on a held-out validation split and held fixed across Flamingo, BLIP-2, InstructBLIP, and LLaVA; no per-model or per-prompt retuning was performed. These additions will allow direct assessment of generalization without model-specific assumptions. revision: yes

Circularity Check

0 steps flagged

No circularity in empirical reproducibility study of CroPA

full rationale

The paper is a reproducibility study validating original CroPA results on VLMs and proposing empirical enhancements (novel initialization, cross-image perturbations, novel loss targeting vision encoder attention). The abstract and available text contain no equations, derivation chains, predictions, or self-referential steps that reduce to inputs by construction. All claims rest on experimental evaluations across Flamingo, BLIP-2, InstructBLIP, and LLaVA rather than any fitted parameters renamed as predictions or self-citation load-bearing arguments. This matches the default expectation of an honest empirical paper with no circularity signals.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Abstract-only review provides no mathematical derivations, free parameters, axioms, or new postulated entities.

pith-pipeline@v0.9.0 · 5745 in / 1092 out tokens · 40200 ms · 2026-05-19T07:02:58.439376+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.