Papers
Topics
Authors
Recent
Search
2000 character limit reached

Benchmark Contamination in Model Evaluation

Updated 5 July 2026
  • Benchmark contamination is the leakage of test or similar data into model training, leading to artificially high performance results.
  • It encompasses various forms of leakage such as direct train-test overlap, exposure to annotation guidelines, and semantic information leakage.
  • Detection methods range from corpus auditing and overlap metrics to statistical testing and watermarking, guiding mitigation and decontamination strategies.

Benchmark contamination is the exposure of benchmark test data, or close variants of it, to a model during pre-training, fine-tuning, or deployment-time learning, so that evaluation no longer measures generalization on unseen data. The phenomenon includes direct train–test overlap, ingestion of raw source texts, exposure to annotation guidelines or labels, semantic or informational leakage, and operational definitions in which contamination is treated as artificially inflated, non-generalizing benchmark performance rather than literal membership alone. Across NLP, multilingual evaluation, NL2SQL, coding, and reasoning-model leaderboards, the reported consequence is score inflation, distorted model ranking, and compromised scientific conclusions (Sainz et al., 2023, Xu et al., 2024, Dekoninck et al., 2024).

1. Definition and conceptual scope

A central formulation defines contamination as the case in which a LLM is trained on the test split of a benchmark and is then evaluated on that same benchmark. In that formulation, the worst case is test-split contamination, which invalidates any performance claim; train/dev-split contamination is less severe, but still invalidates zero-shot or few-shot claims. The same account distinguishes guideline contamination, where the model has seen annotation instructions and label definitions; raw-text contamination, where it has ingested the unannotated source text used to build the benchmark; and annotation contamination, where it has seen benchmark labels (Sainz et al., 2023).

A broader exposure taxonomy distinguishes semantic, information, data, and label levels. At the semantic level, the model sees identical or highly similar content; at the information level, it sees metadata such as label distributions or dataset timestamps; at the data level, it sees test inputs without labels; and at the label level, it sees full input–label pairs. A related formulation for evaluation-time mitigation distinguishes exact, semantic, and domain contamination according to whether the leakage set is a subset of the test set, semantically equivalent to it, or drawn from the same distribution (Xu et al., 2024, Chai et al., 27 Jan 2026).

Another distinction concerns the training objective. PaCoST defines Type I contamination as next-token prediction over the concatenation (x,y)(x,y), minimizing logP(x,y)-\log \mathcal{P}(x,y), and Type II contamination as next-token prediction conditioned on the instruction only, minimizing logP(yx)-\log \mathcal{P}(y \mid x). This makes explicit that leakage may concern either the full benchmark item or only the answer given the prompt (Zhang et al., 2024).

A performance-centered definition departs from membership alone. ConStat defines contamination as a model’s benchmark performance being artificially inflated and non-generalizing relative to a primary benchmark and a reference benchmark of the same task family. This suggests that contamination is not reducible to exact duplicate detection: a model may behave as contaminated when its benchmark advantage fails to transfer to rephrased samples, synthetic samples from the same distribution, or another benchmark for the same task (Dekoninck et al., 2024).

2. Formalizations and quantitative criteria

For open models with transparent corpora, one proposed measure is benchmark–data overlap. Given a pre-training corpus DD and a benchmark BB,

Overlap(D,B)=DBB.\mathrm{Overlap}(D,B)=\frac{|D \cap B|}{|B|}.

Its interpretation is the fraction of benchmark tokens or examples that can be found verbatim in the model’s training data (Sainz et al., 2023).

For closed models, an alternative is the extractability ratio. If dd is an evaluation dataset and mm is a model, an example sds \in d is extractable if some prompt context causes mm to reproduce logP(x,y)-\log \mathcal{P}(x,y)0 exactly. The degree of contamination is then

logP(x,y)-\log \mathcal{P}(x,y)1

This operationalizes contamination as the fraction of evaluation examples memorized verbatim (Sainz et al., 2023).

A simpler risk formulation defines

logP(x,y)-\log \mathcal{P}(x,y)2

with expected contamination rate

logP(x,y)-\log \mathcal{P}(x,y)3

where logP(x,y)-\log \mathcal{P}(x,y)4. In practice, this formulation emphasizes that even when the training corpus is unknown, exposure probability can be treated conservatively (Jacovi et al., 2023).

Performance-based formulations attempt to estimate inflation directly. ConStat constructs a hardness-correction function logP(x,y)-\log \mathcal{P}(x,y)5 from uncontaminated reference models and defines

logP(x,y)-\log \mathcal{P}(x,y)6

A model is contaminated for logP(x,y)-\log \mathcal{P}(x,y)7 if its score on the primary benchmark exceeds the reference-based expectation; bootstrap lower confidence bounds then produce a logP(x,y)-\log \mathcal{P}(x,y)8-value for testing contamination (Dekoninck et al., 2024).

Dataset-level contamination can also be parameterized as a latent fraction. KDS writes an evaluation set as logP(x,y)-\log \mathcal{P}(x,y)9 with

logP(yx)-\log \mathcal{P}(y \mid x)0

and measures the divergence between pre-fine-tuning and post-fine-tuning kernel similarity matrices of sample embeddings. In controlled experiments, the resulting Kernel Divergence Score showed near-perfect monotonicity with logP(yx)-\log \mathcal{P}(y \mid x)1 and high consistency across random splits (Choi et al., 2 Feb 2025).

A further aggregation-oriented framework, DCR, scores four levels—semantic, informational, data, and label contamination—via prompt-based checks, combines them with a Mamdani fuzzy inference system, and adjusts raw accuracy by

logP(yx)-\log \mathcal{P}(y \mid x)2

The intended use is contamination-aware reporting rather than only binary detection (Xu et al., 15 Jul 2025).

3. Detection methodologies

For open models, contamination detection often begins with direct corpus auditing. Proposed methods include string matching on pre-training corpora, as in Dodge et al. (2021), and large-scale auditing tools such as ROOTS search and Data Portraits. A more elaborate retrieval pipeline was built on Pyserini over The Pile and C4 using BM25 indexing, top-logP(yx)-\log \mathcal{P}(y \mid x)3 retrieval with logP(yx)-\log \mathcal{P}(y \mid x)4, overlapping 13-gram chunking, and chunk–example scoring via cosine similarity, Jaccard index, n-Gram logP(yx)-\log \mathcal{P}(y \mid x)5, BM25, or GPTScore. For each example, the maximum chunk score becomes its contamination indicator, and the benchmark-level score is the average of these maxima (Sainz et al., 2023, Deng et al., 2023).

For proprietary or otherwise opaque models, memorization-based probing is common. TS-Guessing masks either a key token in a question or a wrong answer option in a multiple-choice item and tests whether the model reconstructs the hidden content. The overall guessing success rate is

logP(yx)-\log \mathcal{P}(y \mid x)6

This procedure is intended to expose benchmark familiarity without requiring access to the training corpus (Deng et al., 2023).

PaCoST replaces overlap search with paired confidence testing. For each original instruction logP(yx)-\log \mathcal{P}(y \mid x)7, it generates a rephrased counterpart logP(yx)-\log \mathcal{P}(y \mid x)8, estimates a confidence difference logP(yx)-\log \mathcal{P}(y \mid x)9, and performs a one-sided paired-samples DD0-test of DD1 versus DD2. If DD3, the benchmark is declared contaminated. The method is designed to be training-data-access free, contamination-type free, training-data-length free, stable, and threshold free (Zhang et al., 2024).

Another black-box method is the shard-level permutation test used for multilingual benchmarks. The evaluation set is partitioned into DD4 shards, each shard is scored in canonical order and under DD5 random permutations, and the shard DD6-value is

DD7

With DD8, contamination is reported if any shard is significant (Ahuja et al., 2024).

More task-specific detectors probe robustness rather than direct recall. SPENCE generates 10 paraphrases of each NL2SQL query, ranks them by dependency-tree Tree Edit Distance, and measures execution-accuracy degradation and Kendall’s DD9 as syntactic divergence increases. Cross-Context Verification solves the same coding benchmark problem in BB0 independent sessions, computes solution diversity and gold proximity, and uses a contamination score derived from diversity, proximity, and variance; on 9 SWE-bench Verified problems it reported perfect separation between contaminated and genuine reasoning by Mann–Whitney BB1, BB2, and BB3 (Safarzadeh et al., 20 Apr 2026, Song, 23 Mar 2026).

4. Empirical evidence across benchmarks and modalities

In QA-style benchmarks, retrieval-based overlap and slot-guessing produce substantial signals. Using top-10 retrieval and 13-gram ROUGE-L, average maximum overlaps were reported as 35% for MMLU in The Pile and 37% in C4, and 43% for TruthfulQA in The Pile and 34% in C4. Under question-multichoice TS-Guessing, ChatGPT and GPT-4 reached exact-match rates of 0.52 and 0.57 on MMLU test data; for TruthfulQA question-based guessing, exact match without hint was 0.16 for ChatGPT and 0.17 for GPT-4, rising to 0.25 and 0.29 with a URL hint. After fine-tuning ChatGPT on the MMLU test set, TS-Guessing exact match approached 1.00 (Deng et al., 2023).

Multilingual evaluation shows similar breadth. A black-box contamination report on 7 multilingual benchmarks and 7 models found statistically significant contamination in 45 of 49 benchmark–model pairs, with only 4 pairs not significant; every dataset was contaminated in at least five of the seven models. Instruction tuning did not systematically purge contamination, and almost all tested models showed signs of contamination with almost all tested benchmarks (Ahuja et al., 2024).

Time-based benchmark construction yields further evidence that pre-cutoff knowledge inflates performance. AntiLeak-Bench formalizes contamination via facts BB4 and treats knowledge-cutoff time as a proxy. Its experiments reported that performance on pre-cutoff items is uniformly higher than on post-cutoff items, with BB5 up to 10–20 points. Post-cutoff generation EM/F1 averages remained under 50% for most open-source LLMs, while GPT-4o reached approximately 77/88 (Wu et al., 2024).

Task-specific studies show domain variation rather than uniform severity. In NL2SQL, SPENCE reported a temporal gradient: Spider had BB6 with 95% CI BB7, SParC had BB8, CoSQL had BB9, and BIRD had Overlap(D,B)=DBB.\mathrm{Overlap}(D,B)=\frac{|D \cap B|}{|B|}.0 with confidence intervals spanning zero. The stylized execution-accuracy degradation on Spider reached about Overlap(D,B)=DBB.\mathrm{Overlap}(D,B)=\frac{|D \cap B|}{|B|}.1 to Overlap(D,B)=DBB.\mathrm{Overlap}(D,B)=\frac{|D \cap B|}{|B|}.2 for paraphrase ranks 8–10, whereas BIRD showed only Overlap(D,B)=DBB.\mathrm{Overlap}(D,B)=\frac{|D \cap B|}{|B|}.3 to Overlap(D,B)=DBB.\mathrm{Overlap}(D,B)=\frac{|D \cap B|}{|B|}.4 (Safarzadeh et al., 20 Apr 2026).

Performance-based detection also identifies contamination in popular open models. ConStat reported, for example, a sample-specific contamination effect of Overlap(D,B)=DBB.\mathrm{Overlap}(D,B)=\frac{|D \cap B|}{|B|}.5 on GSM8K for Mistral-7B v0.1 with Overlap(D,B)=DBB.\mathrm{Overlap}(D,B)=\frac{|D \cap B|}{|B|}.6, and Overlap(D,B)=DBB.\mathrm{Overlap}(D,B)=\frac{|D \cap B|}{|B|}.7 on ARC for Llama-3-70B with Overlap(D,B)=DBB.\mathrm{Overlap}(D,B)=\frac{|D \cap B|}{|B|}.8. It further reported contamination signals in the top-3 Open LLM Leaderboard models on GSM8K, with Overlap(D,B)=DBB.\mathrm{Overlap}(D,B)=\frac{|D \cap B|}{|B|}.9, dd0, and dd1 and sub-1% dd2-values (Dekoninck et al., 2024).

Watermark-based detection demonstrates that contamination can be statistically detected when it produces measurable gains. In controlled pre-training of 1B models on 10B tokens, ARC-Easy contamination of 4, 8, and 16 benchmark injections yielded dd3, dd4, and dd5 accuracy gains, with corresponding dd6 values of about 3.0, 5.5, and greater than 12. The same study states that even a 5% performance boost on ARC-Easy yields dd7, while watermarking preserved benchmark utility with less than 1% absolute accuracy shift on Llama-3 variants (Sander et al., 24 Feb 2025).

5. Prevention, mitigation, and decontamination

The most immediate recommendations concern benchmark stewardship. Proposed practices include releasing only source text while keeping test labels private or behind an evaluation server, building new benchmarks with non-public test splits or dynamic data collection, publishing full training corpora and search/export APIs for open models, disclosing any inclusion of standard benchmarks in fine-tuning or deployment logs for closed models, requiring contamination checks in papers, and maintaining registries such as the LM Contamination Index. Workshop-based coordination and collaborative audits are also explicitly recommended (Sainz et al., 2023).

Practical operational controls have also been proposed. One strategy is to publish public test data only as ciphertext under a public key and a “No Derivatives” license such as CC BY-ND 4.0; another is to require closed APIs to support "exclude_from_training": true flags with cryptographic receipts or signed tokens and append-only audit logs; a third is to release web-context metadata—URL, snapshot, timestamp, DOM or JSON context—for internet-derived benchmarks so that trivially leaky instances can be filtered. These controls are framed as practical for sincere actors rather than adversarially robust guarantees (Jacovi et al., 2023).

A stronger design objective is contamination resistance. One proposal defines a transformation dd8 to be contamination-resistant with respect to a model dd9 if it satisfies inference utility and unlearnability, so that training on mm0 does not improve downstream generalization. The same proposal requires irreversibility, equivalence, and interoperability, and exploits Transformer training–inference asymmetry by releasing only cached key–value pairs, the penultimate hidden state, and the plaintext label, rather than plaintext benchmark inputs (Al-Lawati et al., 19 May 2026).

Automated construction of new, explicitly uncontaminated benchmarks is another line of work. AntiLeak-Bench identifies updated facts from post-cutoff Wikidata claims, retrieves the first Wikipedia revision whose timestamp is at least the update time, verifies mentions of the relevant entities, and constructs single-hop and multi-hop QA samples with and without distractors. It describes itself as fully automated, multilingual, and strictly contamination-free, and is motivated by the claim that merely collecting new data does not guarantee novelty (Wu et al., 2024).

Watermarking benchmarks before release offers a post hoc audit mechanism. Questions are rephrased token by token with a secret-key-conditioned greenlist bias, and later a binomial radioactivity test is applied to the suspect model’s predictions under the null that green-token hits are Bernoullimm1. This approach is intended to detect whether the model absorbed the benchmark during training while leaving benchmark utility substantially unchanged (Sander et al., 24 Feb 2025).

Post hoc decontamination includes both benchmark selection and inference-time intervention. JECS formulates multi-model decontamination as joint selection, computes conformal mm2-values per model, aggregates them by mm3, fits an envelope to correct the super-uniformity tax, and applies adaptive Storey-BH to produce a shared decontaminated benchmark with asymptotic global contamination rate control. DeconIEP instead preserves the benchmark and perturbs input embeddings at inference time, with bounded mm4 perturbations guided by a less-contaminated reference model; it reports low residual contamination and minimal benign utility drop, often under 0.05, across MMLU, TruthfulQA, and HumanEval (Liu et al., 20 May 2026, Chai et al., 27 Jan 2026).

6. Limitations, controversies, and open problems

A recurring result is that mitigation strategies often trade off contamination resistance against benchmark fidelity. A controlled evaluation over 10 LLMs, 5 benchmarks, 20 mitigation strategies, and 2 contamination scenarios concluded that no existing strategy significantly improves resistance over the vanilla case across all benchmarks, and none effectively balances fidelity and contamination resistance. In the reported averages, Vanilla had Fidelity mm5, Resistance mm6 under mild contamination, and mm7 under intensive contamination; ITD improved resistance to mm8 and mm9 but reduced fidelity to sds \in d0, while MPA reduced fidelity further to sds \in d1 (Sun et al., 20 Mar 2025).

Another controversy concerns detector fragility in modern reasoning models. In LRMs, contamination introduced during supervised fine-tuning can initially be identified—reference-free detectors reached AUROC around 73% on six benchmarks and LiRA about 89%—but a short run of GRPO training on clean data collapsed the member/non-member NLL gap and reduced AUROC across all detectors, often to near-random, approximately 50%. When chain-of-thought contamination was applied to advanced LRMs for seven epochs, pass@1 inflated by at least 10%, yet all ten evaluated detectors again collapsed to AUROC around 50% on six benchmarks. The paper attributes the concealment effect to PPO-style importance sampling and clipping (Wang et al., 30 Sep 2025).

This fragility has motivated broader audits of contamination sensitivity and score confidence. In a router–worker audit, noisy benchmark perturbations with parallel routers sds \in d2 sometimes outperformed the clean-control condition; at sds \in d3, 10 of 12 models exceeded baseline, and at sds \in d4 the mean positive excess was 0.086 with net improve sds \in d5. The interpretation offered is that similar benchmark scores may carry substantially different levels of confidence because perturbation can reactivate contamination-related memory (Song et al., 23 Mar 2026).

A further misconception is that contamination is only a binary property of a benchmark. Know2Guess instead treats contamination risk as metadata with tags sds \in d6 and reports performance sliced by contamination risk, answerability zone, parser, and prompt variant. Under its official strict parser, Qwen2.5-3B-Instruct achieved overall reliability sds \in d7 with 95% CI sds \in d8–sds \in d9, Zone D abstention mm0, and refusal mm1; prompt and parser robustness analyses preserved the main ranking and qualitative conclusions. This suggests that contamination interacts with abstention, refusal, calibration, and parser sensitivity rather than operating as a single scalar alone (Meng et al., 30 Apr 2026).

The field therefore converges on several open directions: contamination-resistant benchmark construction, robust black-box auditing for closed models, evaluation protocols that remain informative after RL and CoT training, shared contamination registries, and contamination-aware reporting that includes effect sizes or adjusted scores rather than raw accuracy alone. The common premise is that benchmark scores remain useful only when the contamination pathway, contamination severity, and uncertainty of the score are made explicit (Sainz et al., 2023, Al-Lawati et al., 19 May 2026, Dekoninck et al., 2024).

Definition Search Book Streamline Icon: https://streamlinehq.com
References (20)

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Benchmark Contamination.