Saved in:
Bibliographic Details
Main Authors: Blagoev, Nikolay, Ersoy, Oğuzhan, Chen, Lydia Yiyu
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2511.09780
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866913028302176256
author Blagoev, Nikolay
Ersoy, Oğuzhan
Chen, Lydia Yiyu
author_facet Blagoev, Nikolay
Ersoy, Oğuzhan
Chen, Lydia Yiyu
contents Group Relative Policy Optimization (GRPO) has demonstrated wide adoption in the post-training of Large Language Models (LLMs). In GRPO, prompts are answered by the model and preferred behaviour is learnt via reinforcement learning. Owing to the small communication volume, GRPO is inherently suitable for decentralised training as the prompts can be concurrently answered by multiple nodes and these completions are exchanged in the form of strings. In this work, we explore the robustness of decentralised GRPO by presenting the first adversarial attacks and countermeasures. We present a diverse set of attacks where malicious nodes poison benign models by sharing their poisoned completions. We demonstrate these attacks on math and coding tasks and show that an adversary can achieve attack success rates of up to 100% in as few as 50 iterations. Moreover, to mitigate the attacks, we propose two defense mechanisms that check logit probabilities of completions or utilize an LLM judge to filter completions. The defenses prevent all but the DoS attack that causes unnecessarily lengthy but conceptually correct completions. The code of both attacks and defenses can be found at: https://github.com/gensyn-ai/HTTT.
format Preprint
id arxiv_https___arxiv_org_abs_2511_09780
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle Hail to the Thief: Exploring Attacks and Defenses in Decentralised GRPO
Blagoev, Nikolay
Ersoy, Oğuzhan
Chen, Lydia Yiyu
Machine Learning
Group Relative Policy Optimization (GRPO) has demonstrated wide adoption in the post-training of Large Language Models (LLMs). In GRPO, prompts are answered by the model and preferred behaviour is learnt via reinforcement learning. Owing to the small communication volume, GRPO is inherently suitable for decentralised training as the prompts can be concurrently answered by multiple nodes and these completions are exchanged in the form of strings. In this work, we explore the robustness of decentralised GRPO by presenting the first adversarial attacks and countermeasures. We present a diverse set of attacks where malicious nodes poison benign models by sharing their poisoned completions. We demonstrate these attacks on math and coding tasks and show that an adversary can achieve attack success rates of up to 100% in as few as 50 iterations. Moreover, to mitigate the attacks, we propose two defense mechanisms that check logit probabilities of completions or utilize an LLM judge to filter completions. The defenses prevent all but the DoS attack that causes unnecessarily lengthy but conceptually correct completions. The code of both attacks and defenses can be found at: https://github.com/gensyn-ai/HTTT.
title Hail to the Thief: Exploring Attacks and Defenses in Decentralised GRPO
topic Machine Learning
url https://arxiv.org/abs/2511.09780