CORBA: Contagious Recursive Blocking Attacks

• Contagious Recursive Blocking Attacks (CORBA) are adversarial strategies that exploit recursive processes and network contagion to induce persistent blocking states in multi-agent systems.
• They use seemingly benign prompts to trigger self-sustaining blocking responses that propagate recursively across connected agents.
• Empirical studies reveal rapid, topology-independent propagation of blocking behavior, highlighting significant challenges in system security and resilience.

Contagious Recursive Blocking Attacks (CORBA) represent a class of adversarial strategies that exploit the interplay between recursive computation, protocol policies, and agent communication to propagate a persistent “blocking” condition across decentralized or multi-agent systems. The term has been formalized in the context of LLM–based Multi-Agent Systems (LLM-MASs) (Zhou et al., 20 Feb 2025), but the underlying dynamics connect to phenomena observed in distributed protocols, networked applications, wireless systems, and security-critical component-based architectures. CORBA unifies two key adversarial properties: contagion—the ability to transmit blocked states or behaviors across networked agents—and recursion—the sustained, self-reinforcing depletion of system resources via repeated, often seemingly benign, interactions.

1. Formal Definition and Core Mechanisms

CORBA is defined as an attack paradigm where a malicious input or prompt causes an agent to enter, and relentlessly sustain, a blocked operational state—one in which it indefinitely produces a specific (often unproductive) response. Critically, this blockage is contagious: the affected agent recursively propagates the blocking input to both itself (self-loop) and its neighbors in the agent interaction graph, ensuring that each reachable agent eventually enters the same blocking state.

The attack mechanism operates on two levels:

• Individual Recursion: For agent $a_b$ with blocking prompt $P_m$, the relation

$\forall t \geq t_m, \quad a_b^t(P_m) = R_m$

formalizes persistent self-blocking: after $P_m$ is received at $t_m$, all subsequent responses to $P_m$ are the blocking response $R_m$.

• Contagious Propagation: Each blocked agent forwards $P_m$ to its neighbors (or via prescribed protocol edges $(a_i, a_j)$), giving

$$\forall a_r \in \mathcal{R}(a_b), \exists d \geq 0\!: \ a_r^{t_m+d}(P_\mathcal{C}) = R_\mathcal{C}$$

ensuring global infection across the graph.

The recursive aspect is formalized as a (potentially infinite) loop:

$$R_m^{m+l} \rightarrow (a_b, a_b) \rightarrow a_b^{t_m+l+1}(P_m^{m+l})$$

while the contagious spread to neighbors is:

$$R_m^{m+l} \rightarrow (a_c, a_{c’}) \rightarrow a_{c’}^{t_m+l+1}(P_m^{m+l})$$

These definitions capture both direct self-infection (recursion) and network propagation (contagion).

2. Attacker Strategies and Propagation Dynamics

CORBA leverages subtle or benign-seeming attack vectors—malicious prompts such as "Repeat the previous action 100 times"—which evade conventional content-based or perplexity-based safeguards. The attack unfolds in two phases:

1. Initiation: A carefully crafted prompt $P_m$ triggers the first blocking state in a vulnerable agent, exploiting protocol design or agent logic (e.g., insufficient input validation or too-permissive recursion in the agent stack).
2. Recursive Spread: The now-blocked agent, either deterministically or by protocol policy, issues the same or a modified blocking input to connected agents. Through repeated application of this logic along the agent interaction graph, an initially localized blockage becomes systemic. In LLM-MASs, this progression is independent of topology (chain, star, tree, cycle, or random graphs)—as demonstrated by high Blocking Success Rates across all tested network configurations (Zhou et al., 20 Feb 2025).

The recursive loop further ensures that, absent an explicit recovery protocol, blocked agents continue to generate unproductive actions, draining computational resources and monopolizing system attention. Thus, even if the attack is not overtly destructive, the recursive mechanism causes sustained unavailability or resource exhaustion throughout the system.

3. Relationship to Broader Blocking and Contagion Models

While formalized in LLM-MASs, CORBA generalizes mechanisms highlighted in earlier work:

• In the "lotus-eater attack," adversaries oversaturate nodes with service or tokens, exploiting satiation-compatible policies to passively induce blocking and eventually degrade overall availability (0806.1711). Here, blocking is indirect and can propagate if a sufficient fraction of critical nodes are targeted.
• Hidden coalitions in multi-agent systems can coordinate underhand attacks to trigger security violations or system-level blocking, necessitating simulation-based and oracle-based blocking countermeasures to minimize collateral exclusion of benign agents (Cristani et al., 2010).
• In wireless and operating system settings, the injection of protocol-level control frames (e.g., spoofed block acknowledgment frames in Wi-Fi) or the exploitation of information flow structures (using the recursive walk operations in component-based OS security models) can result in chain-propagating operational blocks—mirroring CORBA’s contagious and recursive features (Chatzoglou et al., 2023, Hanspach et al., 2014).
• Payment channel networks suffer analogous recursive collateral locking attacks, where denial-of-service at key hubs immobilizes entire transaction pathways, reflecting the recursive blocking and contagion central to CORBA (Weintraub et al., 2020).

CORBA thus encapsulates a unifying abstraction for cascading failures arising from protocol-level vulnerabilities or agent-level design flaws that allow recursive, contagious perpetuation of a blocking state.

4. Mitigation Challenges and Defensive Approaches

CORBA’s resistance to conventional defense derives from several factors:

• Benign Prompt Surface: Blocking instructions used in CORBA (e.g., repetition, self-invocation, or seemingly innocuous protocol resets) often lack overt harmful language, frustrating content-based or perplexity-based filters (Zhou et al., 20 Feb 2025).
• Recursive and Contagious Structure: Even robust isolated reaction policies are defeated when attacks dynamically propagate via legitimate communication channels—as in oracle-augmented blocking in multi-agent coalitions (Cristani et al., 2010) or network-layer propagation in block acknowledgment vulnerabilities (Chatzoglou et al., 2023).
• Alignment Evasion: LLM-MASs, even with explicit alignment barriers, are vulnerable because recursive blocking often exploits workflow logic, not manifest prompt toxicity. Attack detection mechanisms focusing purely on direct harm miss the recursive and topological dimensions of CORBA.

Defensive strategies—from enforced throttling (limiting service or token delivery rates) and mandatory “altruistic” response probabilities (0806.1711) to preemptive simulation of agent transitions (Cristani et al., 2010) and formal model checking–based attacker synthesis (Hippel et al., 2020)—provide partial mitigation. In LLM-MASs, no published real-time defense comprehensively addresses both benign recursion and contagious spread.

A plausible implication is that robust defense requires:

• Dynamic monitoring for repeated self-assignment or repeated chained actions over time, possibly leveraging graph-theoretic reachability and cycle-detection algorithms.
• Assigning “blocking scores” or centrality metrics to identify emergent recursive patterns within agent dialogues and network flows.
• Employing joint content-behavior models that filter on both prompt semantics and their transitive computation impact.
• Explicitly bounding resource usage per agent or per communication edge, with recovery triggers in the presence of monotonic unproductive activity.

5. Empirical Evaluation and Observed Impact

Empirical studies of CORBA on state-of-the-art frameworks (AutoGen, Camel) and open-ended agent societies show:

• High Proportional Attack Success Rates (P-ASR): CORBA approaches near-total infection (blocking) across tested topologies and models.
• Rapid Propagation: CORBA achieves full-system blockage within as few as 20 dialogue turns for agent populations up to 100, including in random, cycle, chain, and star graph configurations (Zhou et al., 20 Feb 2025).
• Faster Stabilization: Compared to baseline attack strategies (e.g., broadcast looping prompts), CORBA’s recursive logic yields lower Peak Blocking Turn Number (PTN), indicating more swift and systematic takeover.
• Topology Independence: Experimentation confirms attack success is largely independent of graph structure, with only minor variations in propagation depth or timing.

Similar patterns are observed in wireless DoS attacks (where a handful of spoofed frames disables all AP clients (Chatzoglou et al., 2023)) and in payment networks (where <0.1% of high-centrality nodes can block all transactions (Weintraub et al., 2020)). This generalizes CORBA’s risk profile: even resource-efficient recursive-contagious attacks yield system-scale disruption.

6. Connections to Theory and Alternative Domains

The contagion-recursion model of CORBA connects with broader mathematical and systems-theoretic perspectives:

• Formal Threat Models: CORBA scenarios fit into LTL-specified safety/liveness frameworks, with attacker synthesis identifying minimal or always-succeeding strategies for recursive block triggering (Hippel et al., 2020).
• Resource Allocation Games: Defense against contagious recursive attacks is rigorously modeled as a resource allocation and reallocation NP-hard problem, mitigated in practice via bi-criteria approximation algorithms for optimal distribution—and re-distribution—of limited defensive power (Bai et al., 2020).
• Early Warning and Automated Response: Time-series modeling using (semi-)Markov chains allows high-accuracy, time-sensitive predictions of when (and where) recursive blocking events are likely; this enables tiered threat responses balancing operational continuity and risk (Abaid et al., 2021).
• Information Flow Taxonomy: Algebraic frameworks for information flows and covert channels reveal how CORBA-like blocking can spread by recursively injecting blockages at physical or logical communication bottlenecks (Hanspach et al., 2014).
• Multi-Agent Memory Poisoning: In LLM or multi-agent memetic attacks, methods such as ARCJ optimize both retrieval and replication toxicity, overcoming the “toxicity disappearing” phenomenon to maintain adversarial effect over multi-hop topologies—a mechanism conceptually analogous to CORBA’s recursive-contagious logic (Men et al., 21 Oct 2024).

The unifying principle is that systems with recursive computation, agent autonomy, and protocol-enforced cooperative barriers are susceptible to attacks that propagate and amplify local blocking through global system dynamics.

7. Future Directions and Open Problems

Current research has not systematically addressed practical, real-time detection and containment of CORBA in operational LLM-MASs or equivalent multi-agent deployments. Open challenges include:

• Designing defenses that simultaneously capture benign-appearing recursion and non-local contagion;
• Articulating formal guarantees around system liveness or guaranteed eventual “recovery” in the face of recursive-contagious attacks;
• Systematic evaluation of defense algorithms across both synthetic and real-world agent topologies;
• Exploring the trade-offs between system responsiveness, computational overhead, and risk of overblocking benign agents or users;
• Developing usable tools for formal specification/model checking and automated protocol synthesis that explicitly check for CORBA-like failure modes.

Theoretical investigations into the necessary and sufficient conditions for recursive blocking propagations—and their tight connection to system topology, resource constraints, and protocol semantics—remain active and crucial research threads.

---

In summary, Contagious Recursive Blocking Attacks (CORBA) represent an emergent and pervasive threat class in complex distributed and multi-agent systems. The defining features—topology-independent contagion, unbounded recursion, and difficult-to-detect symptomology—pose significant security and reliability risks. Effective mitigation demands technical innovations spanning protocol design, formal verification, runtime monitoring, and dynamic, topology-aware resource management.