Abstract: Chatbot Arena is an open platform for evaluating LLMs by pairwise battles, in which users vote for their preferred response from two randomly sampled anonymous models. While Chatbot Arena is widely regarded as a reliable LLM ranking leaderboard, we show that crowdsourced voting can be *rigged* to improve (or decrease) the ranking of a target model $m\_{t}$. We first introduce a straightforward **target-only rigging** strategy that focuses on new battles involving $m\_{t}$, identifying it via watermarking or a binary classifier, and exclusively voting for $m\_{t}$ wins. However, this strategy is practically inefficient because there are over $190$ models on Chatbot Arena and on average only about 1% of new battles will involve $m\_{t}$. To overcome this, we propose an **omnipresent rigging** strategy, exploiting the Elo rating mechanism of Chatbot Arena that any new vote on a battle can influence the ranking of the target model $m\_{t}$, even if $m\_{t}$ is not directly involved in the battle. We conduct experiments on around *1.7 million* historical votes from the Chatbot Arena Notebook, showing that omnipresent rigging strategy can improve model rankings by rigging only *hundreds of* new votes. While we have evaluated several defense mechanisms, our findings highlight the importance of continued efforts to prevent vote rigging. [**Code**](https://github.com/sail-sg/Rigging-ChatbotArena) is publicly available to reproduce all experiments.

Lay Summary:

Chatbot Arena is a popular leaderboard for large models, where users vote for their preferred response from two randomly sampled anonymous models. With millions of crowdsourced votes, Chatbot Arena is often regarded as the community's definitive leaderboard. However, is Chatbot Arena truly reliable?We systematically investigate this question, and our findings highlight that Chatbot Arena can be manipulated even with hundreds of rigged votes. We propose two rigging strategies: the target-only strategy and the omnipresent strategy, both aimed at improving our target model’s ranking. Notably, our omnipresent rigging can effectively use any new votes for ranking promotion, even if the target model is not directly sampled for voting. This increases the efficiency of our vote rigging while also making it more difficult to detect against various defense mechanisms. To support future research on this problem, we provide a general-purpose rigging framework and have open-sourced all our implementations. We hope our paper will spark broader discussions and encourage the community to focus on developing more robust defense mechanisms to mitigate the rigging vulnerabilities.