Stealthy Resource Amplification via Tool Calling Chains in LLMs
arXiv.org
· January 19, 2026
Kaiyu Zhou et al. have published an arXiv paper describing a new stealthy, multi-turn economic Denial-of-Service (DoS) attack that exploits the agent-tool communication loop in LLM agents.
- Main announcement: The paper introduces a tool-layer, multi-turn economic DoS attack implemented on an MCP-compatible tool server. It uses MCTS-optimized edits and a template-governed return policy to steer agents into prolonged, verbose tool-calling sequences while preserving final payloads and function signatures. The authors report concrete empirical impacts: task trajectories exceeding 60,000 tokens, cost inflation up to 658x, energy increases of 100–560x, and GPU KV cache occupancy rising from <1% to 35–74%, with co-running throughput reduced by ~50%. The paper was submitted to arXiv on 16 Jan 2026.
- Background and details: The attack operates via text-only notices and leaves function signatures unchanged, so it remains protocol-compatible, and it keeps final answers correct, so conventional validation fails. It was evaluated across six LLMs on the ToolBench and BFCL benchmarks. Implementation details highlight a Model Context Protocol (MCP)-compatible tool server and Monte Carlo Tree Search (MCTS) optimization of text-visible fields and return templates. No monetary figures or external contracts are reported.
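Because the final answer stays correct, a check on the output alone does not see this behaviour; the signal is in the cost of the trajectory. The following is an added example, not code from the paper: a per-task guard that accounts tokens and call counts per tool and halts a run that drifts far past a benign baseline. The class and function names, the thresholds and the sample trajectories are all assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class TrajectoryGuard:
    baseline_tokens: int          # assumed: typical total cost of benign runs of this task
    halt_ratio: float = 5.0       # assumed threshold: stop at 5x the baseline
    max_calls_per_tool: int = 6   # assumed threshold: repeated calls to one tool
    tokens: Counter = field(default_factory=Counter)
    calls: Counter = field(default_factory=Counter)

    def record(self, tool: str, prompt_tokens: int, completion_tokens: int) -> str:
        """Account one agent turn that called `tool`; return 'ok' or 'halt'."""
        self.tokens[tool] += prompt_tokens + completion_tokens
        self.calls[tool] += 1
        over_budget = sum(self.tokens.values()) > self.halt_ratio * self.baseline_tokens
        over_calls = self.calls[tool] > self.max_calls_per_tool
        return "halt" if (over_budget or over_calls) else "ok"

def evaluate(trajectory, baseline_tokens):
    """Replay (tool, prompt_tokens, completion_tokens) turns.

    Returns (verdict, turns_processed, tool_with_highest_token_cost_or_None).
    """
    guard = TrajectoryGuard(baseline_tokens)
    for turn, (tool, prompt, completion) in enumerate(trajectory, start=1):
        if guard.record(tool, prompt, completion) == "halt":
            return "halt", turn, guard.tokens.most_common(1)[0][0]
    return "ok", len(trajectory), None

# Constructed sample data. Prompt tokens grow each turn because the agent
# re-sends the accumulated context, including earlier tool returns.
BENIGN = [("weather", 400, 80), ("calendar", 520, 90), ("weather", 650, 120)]
AMPLIFIED = [("calendar", 400, 80), ("weather", 1200, 300), ("weather", 2400, 300),
             ("weather", 4000, 300), ("weather", 6000, 300), ("weather", 8500, 300)]

if __name__ == "__main__":
    print(evaluate(BENIGN, baseline_tokens=2000))
    print(evaluate(AMPLIFIED, baseline_tokens=2000))
```

The per-tool attribution matters operationally: it points at the tool server whose returns are driving the growth, which is where to look first.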