Persona Attack is a security preprint proposing a four-message jailbreak framed as response simulation. It does not assess personality traits or establish a persistent psychological persona. The target is asked to predict another LLM's response, organize possible outputs into four failure/success categories, provide complete unmasked content, and apply that scheme to a harmful query. The paper is arXiv:2606.00150v1, submitted 29 May 2026 under CC BY 4.0. The audit visually inspected all twenty-one pages plus complete text and TeX. Once concatenates all four instructions into one input; Sequential 1 sends them across four turns. Manual memory prepends prior user and assistant messages to each new query, while state-based memory relies on the Responses API or LangChain to carry history. Main testbeds are GPT-4o via Responses API and Llama-3.2-3B-Instruct via LangChain. Appendices identify gpt-4o-2024-11-20 but omit the Llama revision, decoding settings, hardware, dates, retries, and LangChain memory class. The main set contains sixty harmful questions in six ten-item themes. Provenance conflicts: the method says they were selected from AdvBench, while the appendix says forty come from eight scenarios in another work and some AdvBench items were added. The exact list is unavailable. ASR counts any response without negative refusal. FAR means Fully Attack Success Rate, not false-acceptance rate, and additionally requires complete instruction following and detailed harmful content. On sixty GPT-4o state-based prompts, Table 1 reports Once at 75.0% ASR and 63.3% FAR versus Sequential 1 at 95.0% (57/60) and 88.3% (53/60). GPT-4o Sequential is 88.33/83.33 under manual history and 95/88.33 state-based. For Llama, Once is 20% ASR in both modes; Sequential falls to 5% manual and rises to 35% state-based. A 520-prompt GPT-4o AdvBench appendix extracts the fourth candidate answer and declares failure only when rejection phrases are present, yielding 440/520 or 84.61%. It calls this FAR even though complete detailed compliance is not checked. The number is a non-refusal heuristic resembling ASR, not validated FAR. The central behavioral effect is relevant but the mechanism is over-attributed. Sequential differs from Once through role boundaries, three intermediate model outputs, greater realized context, and provider scaffolding, not memory alone. Manual and state-based modes serialize history differently. Responses API and LangChain supply conversational context; the study does not observe an internal memory state or safety weights. It supports that multi-turn structure and history representation change outputs, not that internal memory reweights or disables alignment. Combination selection also biases the maximum. The authors explicitly test only configurations judged likely to yield high ASR and highlight the best on the same sixty prompts, with no development/test split or held-out validation. Each rate uses one generation per question, with no repeated runs, intervals, or paired tests. Manual scoring does not report raters, blinding, rubric application, agreement, or adjudication. ASR can count a partial, irrelevant, or meta-level answer if it lacks refusal. The attack prompt itself asks the model to generate four labeled candidate cases, blurring generated attack output and evaluation label. The 520-item rejection phrase filter has no human validation or error analysis. Internal contradictions remain: Table 1 gives Once as 75.0% (45/60), while Appendix Table 4 gives 44/60=73.3% for the same GPT-4o composition. Main results name Additional 1 and Additional 2, but the appendix defines only Additional 3-6 and Sequential 2. Comparisons against GCG, Jailbroken, and Parameters omit prompts, tuning, budgets, and per-item outcomes; GCG cannot be optimized on black-box GPT-4o. Zero results for two baselines do not prove superiority over comparably tuned modern attacks. Real-world trials use ChatGPT-4o in the desktop app and Claude 3.7 Sonnet and Grok 3 Beta through Perplexity Pro. Perplexity introduces routing, system prompts, moderation, and mutable aliases, so these are not first-party service tests. Trials are manual and unversioned. The ChatGPT share still returned HTTP 200; both Perplexity links returned 403. The attack was not reproduced. The promised `CAU-CPSS/SLM_sec` repository returns 404 and no replacement exists in the organization. The arXiv package contains manuscript and figures but no datasets, outputs, labels, API code, or notebooks, so no result can be recomputed. The paper includes a content warning and watermarks examples, yet publishes actionable attack prompts and harmful-output links without a responsible-disclosure timeline, provider coordination, abuse analysis, access control, or tested defense. The defensible contribution is that the same simulation strategy produced more non-refusals and detailed harmful responses when distributed across turns with transcript retention in specific model snapshots, and that context-delivery implementation matters. It does not establish a persistent persona, an internal memory mechanism, mechanistic disabling of alignment, 84.61% full harmful compliance, generalization to current services, or reproducible superiority over modern baselines.
Research question
Does a simulation jailbreak increase when its instructions are injected progressively over several turns, and does the outcome change depending on how Responses API or LangChain retain the history?