Improving Your Model Ranking on Chatbot Arena by Vote Rigging

Thank you for your strongly supportive review and insightful suggestions. Below we respond to the comments in Weaknesses (W), and Questions (Q) and will fix the typos in the paper revision.

W1: About the claim in the experiments validated "showing that omnipresent rigging strategies can improve model rankings by rigging only hundreds of new votes".

In our demonstration (Figure 1), our omnipresent rigging strategy requires around 900 rigged votes to achieve a one-rank promotion for the Phi-3-small-8k-Instruct model from its initial ranking position. Following your suggestion, we will revise the wording in the paper to clarify this claim and better reflect the experimental evidence.

Q1: Does this method work if the leaderboard simply adds a delay before revealing to the attacker how their voting impacted results? How would it impact the Omni-On and Omni-BT methods?

Thank you for the insightful question. In fact, our experiments in $\\textrm{\\color{blue}Section 5.3}$ (page 5), which investigate rigging with concurrent user voting, are designed to reflect the exact scenario you described. In this setting, the attacker does not have access to the real-time impact of their votes due to interference from other users’ concurrent voting (denoted as $\\mathbb{V}\_{O}$ as in Lines 100-103), which effectively simulates a delay in leaderboard updates and creating what we refer to as a perturbed leaderboard.

The more concurrent votes $\\mathbb{V}\_{O}$ there are, the greater the perturbation to the leaderboard, which is analogous to introducing a longer delay before the attacker can observe the results of their rigging. Despite this, our results in $\\textrm{\\color{blue}Table 3}$ (page 6) show that both our omnipresent strategies Omni-On and Omni-BT maintain robust and stable rigging performance, even when up to 100,000 concurrent votes are introduced.

Other Comments Or Suggestions: "Chtbot Arena" and "Copilot Areana"

Thank you for pointing out the typos. We will correct them in the revised version of the paper.

Thank you for your constructive review and for recognizing our work. Below, we respond to your comments in Concerns (C), Weaknesses (W), and Questions (Q).

C1: No supplementary materials.

We would like to clarify that we have provided Supplementary Material and the folder named rigging_code contains the code.

C2: Lack of discussions of LLM-based text classification.

Thanks for the helpful suggestion. We have included related works on LLM-based text classification in the paragraph Discussions on strategies to identify LLM through model responses (page 15). In the final revision, we will move this discussion to the main paper and expand it in detail.

W1 & Q2: Can rigging strategies generalize to other voting platforms?

Our strategy generalizes effectively to other voting platforms. To verify this, we simulate on WebDev Arena and Copilot Arena. Since they do not provide historical voting data, we initialize the Bradley-Terry model’s coefficients with public scores and update the leaderboard with newly submitted votes. Results in Table B show consistent improvements by rigging 500 votes, validating the effectiveness.

Table B: Rigging simulation on other voting-based leaderboards. The results are absolute ranking (ranking increase).

W2: The defense methods are somewhat rudimentary.

We acknowledge that current defenses are relatively straightforward; however, results in $\\textrm{\\color{blue}Figure 4}$ (page 7) show strong effectiveness against several baselines, including T-Abstain, T-Tie, T-Random, and even the vanilla Omni-BT.

While devising advanced defenses against Omni-On and improved Omni-BT is indeed challenging and remains an open problem, we systematically highlight rigging vulnerabilities in Chatbot Arena—a platform widely used and trusted by the community. By exposing these flaws, our paper can spark broader discussion and inspire future research to develop deeper and more robust defenses.

W3: Efficiency of classifier training if new models appear frequently.

Our RoBERTa-based classifier is lightweight and efficient to train. As shown in $\\textrm{\\color{blue}Table 7}$ (page 8), training corpus generated using 2,000 prompts (or even fewer) per model is sufficient for high accuracy on unseen prompts and the training cost is around 4 GPU hours on a single A100 GPU.

To further address the scalability concern, we propose a hierarchical classification design. Specifically, we can construct multiple sub-classifiers, each distinguishing among $N$ known models and an additional class labeled as other models. This allows us to incrementally accommodate new models without retraining the entire system. The total number of classifiers needed to cover $M$ models is $\\lceil M/N \\rceil$.

We also appreciate your insightful suggestions regarding more online approaches. Techniques such as class-incremental learning [1] can indeed sequentially update the classifier using data from newly added models while mitigating the risk of catastrophic forgetting.

W4: The ethical concerns of releasing rigging strategies.

We understand and appreciate your concerns regarding the ethical implications. However, our work is positioned as a red-teaming study, with the primary goal of exposing critical vulnerabilities in widely used LLM leaderboards. As noted in the Remark paragraph (Lines 110–111), we proactively informed the authors of Chatbot Arena about the vulnerability prior to submission. By bringing these issues to light, we aim to raise awareness within the community and encourage the development of stronger defense to safeguard future evaluation platforms against such manipulation.

Q1: How feasible is it to maintain undetectable rigging behavior?

Rigging behavior is indeed difficult to detect, particularly under our omnipresent rigging which improves the ranking of a target model $m\_t$ by manipulating battles that do not involve $m\_t$ directly. As a result, detection is challenging for defenders focusing on the voting patterns of $m\_t$ alone. For instance, attackers can avoid detection by behaving normally in battles involving $m\_t$.

Moreover, modern LLMs exhibit strong generative capabilities and often provide responses that differ subtly in style rather than in correctness. This makes it difficult for users to definitively judge which response is better. Consequently, voting outcomes can vary significantly depending on user preferences. Without a ground-truth ranking for reference, it is difficult to distinguish between a ranking increase caused by vote rigging and one driven by genuine user preference.

Reference:
[1] Class-Incremental Learning: A Survey

Thank you for your very positive and supportive review. Below we respond to the comments in Weaknesses (W).

W1: Absence of actual, live experiments on the platform.

We acknowledge that we did not conduct live experiments on the platform, primarily due to ethical considerations. Instead, we opted for practical simulations, which offer more reproducible results and can better support future research in further investigating rigging vulnerabilities. In fact, as mentioned in the Remark paragraph (Lines 110–111), we proactively reached out to the authors of Chatbot Arena in September 2024 to share our preliminary findings on rigging vulnerabilities. They also recommended conducting simulations based on historical data. Below, we provide detailed explanations:

• Rigging the actual platform raises ethical concerns: As one of the most widely used LLM benchmarks nowadays, submitting rigged votes to Chatbot Arena would compromise the platform’s integrity and unfairly impact model developers whose models may be pushed down in the rankings due to manipulated results. Our objective is to expose potential vulnerabilities in Chatbot Arena and encourage the community to develop robust defenses against such attacks. To this end, we provide practical simulations that closely mirror the real platform, ensuring reproducibility without interfering with the actual leaderboard or affecting real voting data.

• Vote rigging can be conducted in practice: While real-world platforms may employ standard defenses such as Cloudflare and CAPTCHA, practical attackers can leverage well-established techniques, such as IP rotation, Slowloris attacks, and CAPTCHA farms, within rigging scripts to bypass many of the traditional network- and application-level protections. These capabilities effectively narrow the gap between our simulated experiments and real-world vote rigging, indicating that our methods are applicable in practical scenarios.

Thank you for your positive review for recognizing our paper and invaluable suggestions. Below we respond to the comments in Weaknesses (W).

W1: (Essential References Not Discussed) Missing literature review of social voting and its vulnerabilities.

We appreciate your valuable suggestions, which inspired us to explore earlier works on social voting systems and their vulnerabilities. We identify several relevant studies, for example, [1] analyzes the vulnerability of preference aggregation to strategic manipulation; [2, 3, 4] systematically introduce various voting systems and their susceptibility to manipulation; [5] examines vulnerabilities in political elections; [6] discusses the threat of group manipulation; and [7, 8] propose defense mechanisms to enhance the trustworthiness of voting systems. Following your suggestion, we will incorporate detailed discussions of these works in the paper revision.

W2 (a): Concerns on method novelty; whether they are known in previous papers.

Following your valuable suggestions in $\\textrm{\\color{green}W1}$, we conduct a detailed survey on social voting systems and their vulnerabilities. While the referenced papers focus on various forms of strategic manipulation, our work introduces several unique challenges in the problem setting and methodological innovations. These are discussed in detail in $\\textrm{\\color{blue}Section 3}$ (page 3), and we briefly recap them as follows:

• The de-anonymizing function $\\mathcal{A}$: Unlike previous manipulation settings [2], where voting candidates are visible to voters, the sampled models in our case are initially anonymous before any rigging occurs. To address this challenge, we design and implement several effective model identification strategies, denoted as $\\mathcal{A}$.

• Omnipresent manipulation function $\\mathcal{M}_{\\textrm{omni}}$: In addition to improving the model ranking, we also emphasize rigging efficiency in practice. To this end, we design two general-purpose rigging objectives ($\\mathcal{R^{\\textrm{BT}}}$ and $\\mathcal{R^{\\textrm{On}}}$), which significantly outperform baselines and two most relevant prior works in terms of efficiency.

W2 (b): Concerns on whether the rigging methods are relevant to other voting and scoring models.

Our rigging methods can be applied to other voting/scoring models, such as those using online Elo scores. To demonstrate this, we conduct simulations on a leaderboard updated with online Elo scores. Results in Table A show that both methods (Omni-BT and Omni-On) effectively improve the target model $m\_t$’s ranking by rigging 1,000 new votes. Since the Chatbot Arena adopts the Bradley-Terry model for scoring, we primarily report results based on this model in the main paper to better align with the practical setting.

Table A: Rigging simulation on the leaderboard with online Elo scores. The results are absolute ranking (ranking increase).

W3: Whether rigging strategies are applicable under practical defenses.

Our method is applicable under practical defenses. First, since our rigging mechanism operates by strategically selecting voting options and submitting votes just like normal users, network-level defenses (e.g., firewalls and DDoS mitigation) and application-level defenses (e.g., bot detection via Cloudflare or CAPTCHA) cannot directly detect or distinguish the rigged votes.

Additionally, practical attackers can incorporate techniques such as IP rotation, Slowloris attacks, and CAPTCHA farms into their rigging scripts to bypass many of Cloudflare’s and CAPTCHA’s traditional network- and application-level defenses. This effectively bridges the gap between our experimental simulations and real-world vote rigging, indicating the practical applicability of rigging methods.

More importantly, we chose not to attack the actual platform due to ethical considerations, as we do not wish to contaminate Chatbot Arena’s voting data. Instead, our simulations offer reproducible results that serve academic purposes and can support future efforts to design more robust and trustworthy voting-based LLM leaderboards.

References:
[1] Manipulation of Voting Schemes: a General Result
[2] Voting Systems and Strategic Manipulation: an Experimental Study
[3] The vulnerability of point-voting schemes to preference variation and strategic manipulation
[4] Methods of voting system and manipulation of voting
[5] The Manipulation of Voting Systems
[6] On the safety of group manipulation
[7] Using Information Theory to Improve the Robustness of Trust Systems
[8] Voting Systems with Trust Mechanisms in Cyberspace: Vulnerabilities and Defenses