Papers
Topics
Authors
Recent
Search
2000 character limit reached

Robust Multi-Agent LLMs under Byzantine Faults

Published 9 May 2026 in cs.MA, cs.AI, and cs.LG | (2605.09076v1)

Abstract: LLM agents increasingly collaborate over peer-to-peer networks to improve their reliability. However, these same interactions can also become a source of vulnerability, as unreliable or Byzantine agents may sway neighboring agents toward incorrect conclusions and degrade overall system performance. Existing methods rely on leader-based coordination or self-reported confidence, both of which are susceptible to adversarial manipulation. We study decentralized LLM multi-agent systems (LLM-MAS) and propose Self-Anchored Consensus (SAC), a fully decentralized iterative filter-and-refine protocol in which agents iteratively exchange responses, locally evaluate and filter unreliable messages, and refine their own outputs. We present $(F{+}1)$-robustness conditions for the communication graph that ensure honest agents preserve and propagate reliable information despite Byzantine influence. Experiments on mathematical and commonsense reasoning benchmarks show that SAC effectively suppresses Byzantine influence and consistently improves performance across diverse communication topologies, whereas prior methods degrade under adversarial conditions.

Summary

  • The paper presents a novel Self-Anchored Consensus (SAC) protocol that robustly mitigates Byzantine faults in LLM multi-agent systems.
  • SAC employs receiver-side scoring with MSR-inspired filtering and leverages (F+1)-robust graph topology to ensure reliable consensus.
  • Empirical evaluations show SAC’s superior fault tolerance and accuracy improvement over CP-WBFT across diverse network configurations.

Robust Decentralized Consensus for LLM Multi-Agent Systems under Byzantine Faults

Introduction and Motivation

The deployment of LLMs as agents within decentralized multi-agent systems (MAS) raises fundamental challenges in reliability and adversary resilience. When agents interact over peer-to-peer networks for collaborative problem-solving, the system becomes susceptible to faulty outputs—stemming from hallucinations, reasoning flaws, or explicit adversarial manipulation. The presence of Byzantine agents capable of arbitrary deviations, including the strategic injection of misleading content, can irreparably compromise collective performance if not adequately contained. Existing approaches for collaborative LLM MAS—including confidence-propagation-weighted Byzantine Fault Tolerance (CP-WBFT) and leader-driven protocols—fail to robustly address these threat models, primarily due to their reliance on self-reported metrics or topological weaknesses in graph design.

Problem Formulation and System Model

The work formalizes the core challenge as ensuring robust consensus among reliable LMM agents in the presence of both faulty and adversarial Byzantine agents, in settings where (i) agent communication is restricted to a sparse, non-centrally coordinated network and (ii) only local, natural-language message exchanges are permitted. The Byzantine set encompasses both (1) faulty-but-protocol-abiding agents, which reflect weak model errors, and (2) adversaries whose outputs are arbitrary and potentially inconsistent. The threat model is F-local: any honest agent may have up to FF Byzantine neighbors. The communication graph G=(V,E)G=(V,E) is required to satisfy (F+1)-robustness, providing structural protection against adversarial consensus manipulation.

The Self-Anchored Consensus Protocol

Receiver-Side Evaluation and Filtering

The central methodological contribution is Self-Anchored Consensus (SAC), an iterative, fully decentralized protocol inspired by classical Mean-Subsequence-Reduced (MSR) algorithms. In SAC, each agent performs a four-stage cycle for TT rounds:

  1. Broadcast: The agent sends its current response to neighbors.
  2. Receiver-Side Scoring: Upon receipt, each agent independently evaluates the plausibility of each neighbor’s message via its own LLM scoring function, instantiated by solving and verifying the proposed answer.
  3. F-Filtering: Instead of aggregating all received responses, the agent discards up to FF lowest-scoring neighbor messages (based on its evaluation), retaining only those it scores more reliable than its own outcome.
  4. Refinement: The agent updates its state by instructively re-prompting its LLM using its previous response and the retained high-confidence neighbors’ responses, weighted according to the computed scores.

By construction, this architecture makes the trust signal inaccessible to adversarial manipulation: the receiver’s evaluation is local and Byzantine agents cannot alter their perceived reliability by inflating self-confidence.

Robustness Guarantees

The (F+1)-robustness condition on the communication graph ensures two key properties:

  • Local Guarantee: After filtering, each honest agent always retains at least one neighbor whose message is scored as reliable as any reliable agent’s message.
  • Global Guarantee: The communication subgraph among non-adversarial nodes remains connected, preventing fragmentation and supporting the propagation of reliable information, even if up to FF incoming edges are filtered.

These graph-theoretic conditions bound adversarial influence, ensuring honest agents can propagate and refine correct information through the network.

Empirical Evaluation

A comprehensive experiment suite establishes the empirical merits of SAC relative to CP-WBFT, using multi-step mathematical reasoning (MATH500, Level 4) and heterogeneous commonsense benchmarks (Commonsense170k). Configurations include strong and weak honest agents (gpt-4o-mini/gpt-3.5-turbo or gpt-5/gpt-4o) and a range of adversarial Byzantine agents returning maximally misleading, high-self-confidence responses. Network topologies cover structured (MERG, complete, preferential-attachment) and random (Erdős-Rényi) graphs, all tested at (F+1)-robustness thresholds.

Results

  • Byzantine Fault Tolerance: SAC consistently achieves positive or near-zero BFTI (Byzantine Fault Tolerance Improvement: FAA minus IAA), indicating the protocol not only prevents degradation but frequently uplifts performance across honest agents. In contrast, CP-WBFT always exhibits significant negative BFTI, often degrading group accuracy below the standalone capability of strong agents (e.g., dropping from 84% to 49% in MATH500 under adversarial influence).
  • Strong-vs-Weak group accuracy: SAC preserves the accuracy of strong honest agents across rounds and topologies (e.g., 84→88% on MERG in MATH500), while also improving weak agent performance through iterative refinement. Sender-side confidence (CP-WBFT) settings provide superficial weak-group gains at the expense of catastrophic strong-agent contamination.
  • Topology dependence: While (F+1)-robustness is necessary for adversarial containment, network structure still affects convergence and final performance, with denser or more regular graphs providing marginal additional resilience.

Ablations and Scaling

SAC's resilience persists across varying compositions of adversarial and faulty agents and scales to larger networks (n=9n=9), provided that robustness conditions are maintained. The protocol fails to break only if the underlying receiver-side scoring function is itself compromised (e.g., adversaries that craft plausible but incorrect answers).

Implications and Future Directions

The findings underscore that self-reported trust signals are fundamentally vulnerable in adversarial settings: a single Byzantine agent capable of inflating its confidence score can collapse distributed consensus, a critical insight for LLM MAS design. Transitioning to receiver-side scoring with MSR-style filtering, as instantiated in SAC, is both necessary and sufficient given appropriate topological conditions. This decouples trustworthiness from agent self-assessment and utilizes only decentralized, local information.

From a practical standpoint, SAC enables construction of scalable, robust LLM collectives suitable for high-stakes deployment in distributed decision-making, collaborative tool use, and multi-step automated reasoning. Theoretical implications include establishing graph-theoretic robustness as a core design parameter for AI networks and extending classical control-theoretic consensus principles to the context of natural-language agents.

Open problems remain regarding scalability to dynamic or much larger networks, handling adversaries capable of factoring in receiver scoring functions, and extending protocols to incorporate multi-turn or tool-augmented reasoning. Sophisticated adversarial attacks and adaptive topology management constitute promising further directions.

Conclusion

The study presents a rigorous framework and protocol for Byzantine-resilient consensus in LLM multi-agent systems. The Self-Anchored Consensus approach combines MSR-inspired receiver-side filtering with robustness-aware network design, ensuring honest agents maintain and propagate reliable information despite adversarial contamination. Empirical evidence demonstrates that prior sender-dependent protocols are intrinsically susceptible to collapse, while SAC achieves persistent, topology-invariant performance improvements without centralized coordination. This work paves the way for the development of principled, decentralized, and adversary-resilient LLM multi-agent collectives, with broad significance for secure autonomous systems and distributed AI (2605.09076).

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.