One Token to Fool LLM-as-a-Judge

Abstract: Generative reward models (also known as LLMs-as-judges), which use LLMs to evaluate answer quality, are increasingly adopted in reinforcement learning with verifiable rewards (RLVR). They are often preferred over rigid rule-based metrics, especially for complex reasoning tasks involving free-form outputs. In this paradigm, an LLM is typically prompted to compare a candidate answer against a ground-truth reference and assign a binary reward indicating correctness. Despite the seeming simplicity of this comparison task, we find that generative reward models exhibit surprising vulnerabilities to superficial manipulations: non-word symbols (e.g., ":" or ".") or reasoning openers like "Thought process:" and "Let's solve this problem step by step." can often lead to false positive rewards. We demonstrate that this weakness is widespread across LLMs, datasets, and prompt formats, posing a serious threat for core algorithmic paradigms that rely on generative reward models, such as rejection sampling, preference optimization, and RLVR. To mitigate this issue, we introduce a simple yet effective data augmentation strategy and train a new generative reward model with substantially improved robustness. Our findings highlight the urgent need for more reliable LLM-based evaluation methods. We release our robust, general-domain reward model and its synthetic training data at https://huggingface.co/sarosavo/Master-RM and https://huggingface.co/datasets/sarosavo/Master-RM.

• The paper demonstrates that minimal, content-free tokens can trigger false positives in LLM-based reward models across diverse benchmarks.
• Empirical evaluations show vulnerability rates up to 90%, exposing significant risks in reinforcement learning with verifiable rewards.
• Robust mitigation via adversarial data augmentation reduces false positive rates to near-zero while maintaining high evaluator agreement.

Systematic Vulnerabilities in LLM-as-a-Judge: Analysis and Robust Mitigation

"One Token to Fool LLM-as-a-Judge" (2507.08794) presents a comprehensive empirical study of the vulnerabilities inherent in using LLMs as generative reward models—so-called "LLM-as-a-judge"—for reinforcement learning with verifiable rewards (RLVR). The authors demonstrate that these models, when tasked with evaluating the correctness of free-form answers, are highly susceptible to superficial manipulations: trivial, semantically vacuous responses such as punctuation marks or generic reasoning openers (e.g., "Solution", "Thought process:") can elicit false positive judgments at alarmingly high rates. This phenomenon is shown to be pervasive across model families, datasets, and prompt formats, including both open-source and proprietary models (e.g., GPT-4o, Claude-4).

Empirical Findings

The core empirical contribution is a systematic evaluation of "master key" attacks—minimal, content-free responses that consistently trigger positive rewards from LLM judges. The authors construct a suite of ten such master keys, including both non-word symbols and reasoning openers, and evaluate their effect across five diverse reasoning benchmarks (mathematical and general-domain) and a broad set of LLM-based reward models.

Key findings include:

• General-purpose LLMs are highly vulnerable: For example, GPT-4o exhibits up to 35% false positive rate (FPR) for a single colon (":") and up to 53% FPR for "Thought process:" on certain datasets. LLaMA3-70B-Instruct and Qwen2.5-72B-Instruct reach FPRs as high as 90% for some master keys.
• Specialized reward models are not immune: Even models fine-tuned for reward modeling (e.g., Multi-sub RM, General-Verifier, Omni-Judge) show non-negligible FPRs, with General-Verifier reaching 66.8% FPR on MATH for a blank space.
• The attack generalizes across languages: Multilingual equivalents of "Solution" (e.g., Chinese "解", Japanese "かいせつ", Spanish "Respuesta") are equally effective.
• Scaling behavior is non-monotonic: FPRs do not decrease monotonically with model size; mid-sized models (7B/14B) are most robust, while both smaller and larger models are more vulnerable, possibly due to differences in literal matching, semantic matching, and self-solving tendencies.

Implications for RLVR and LLM-based Evaluation

The demonstrated vulnerabilities have direct and severe implications for RLVR and any pipeline relying on LLM-based reward models:

• Reward hacking and training collapse: In RLVR, policy models can quickly exploit these vulnerabilities, learning to output only the master key tokens to maximize reward, leading to degenerate, collapsed training where no meaningful learning occurs.
• Evaluation reliability is compromised: The high FPRs undermine the validity of LLM-as-a-judge as an evaluation tool, especially in settings where human agreement is used as a gold standard but is not robust to adversarial exploitation.
• Inference-time strategies are insufficient: Techniques such as chain-of-thought prompting and majority voting do not consistently mitigate the vulnerability and can even exacerbate it in some cases.

Robust Mitigation via Data Augmentation

To address these vulnerabilities, the authors propose a simple yet effective data augmentation strategy:

• Synthetic negative sampling: They augment the reward model training set with adversarial-like negative examples, generated by truncating chain-of-thought responses to their first sentence (typically a reasoning opener) and labeling them as incorrect.
• Supervised fine-tuning: The augmented dataset (original 160k + 20k adversarial negatives) is used to fine-tune a new reward model, Master-RM, based on Qwen2.5-7B-Instruct.

Results: Master-RM achieves near-zero FPR across all master keys and benchmarks, while maintaining high agreement (96%) with GPT-4o on standard evaluation sets. This demonstrates that targeted augmentation with a small fraction of adversarial negatives is sufficient to confer strong robustness, and that this robustness generalizes to unseen attacks and datasets.

Practical Implementation Considerations

• Data construction: The adversarial augmentation process is straightforward and can be automated for any domain: sample existing training data, generate chain-of-thought responses, truncate to the first sentence, and label as negative.
• Model training: Standard supervised fine-tuning suffices; no architectural changes or complex adversarial training loops are required.
• Deployment: The robust reward model can be used as a drop-in replacement in RLVR pipelines, rejection sampling, or preference optimization, with minimal computational overhead.
• Resource requirements: The approach is computationally efficient, requiring only a modest increase in training data and no additional inference-time compute.

Theoretical and Future Directions

The findings challenge the assumption that LLMs, even at scale, are inherently robust evaluators. The susceptibility to superficial cues suggests that LLMs' reward modeling behavior is governed by shallow heuristics unless explicitly trained to resist them. This has broader implications for the design of LLM-based evaluators in safety-critical or high-stakes applications.

Potential future directions include:

• Broader adversarial coverage: Extending augmentation to cover more diverse forms of vacuous or misleading reasoning, including mid- and end-of-response cues, and more sophisticated adversarial attacks.
• Automated adversarial generation: Leveraging embedding similarity or generative adversarial approaches to discover new master keys and continuously harden reward models.
• Theoretical analysis: Formalizing the inductive biases that lead to these vulnerabilities and developing principled defenses.
• Human-in-the-loop evaluation: Combining robust LLM-based reward models with selective human oversight for critical decisions.

Conclusion

This work provides a rigorous empirical foundation for understanding and mitigating a critical failure mode in LLM-as-a-judge systems. The proposed data augmentation strategy is both practical and effective, and the released model and dataset offer valuable resources for the community. The results underscore the necessity of adversarial robustness as a first-class objective in the development and deployment of LLM-based evaluators, especially as their use in RL and automated assessment continues to expand.