This work investigates the relationship between adversarial robustness and loss landscape flatness, revealing a universal “flatness terror valley” phenomenon during iterative adversarial attacks: after label flipping, the loss surface unexpectedly flattens—yet the model remains highly vulnerable to perturbations—demonstrating that flatness alone is insufficient for robustness. To address this, the authors propose jointly bounding the third-order derivative of the loss and the global Lipschitz constant of the model, supported by rigorous theoretical analysis. Leveraging Hessian approximations under PGD-style attacks, deriving bounds on third-order derivatives, and conducting extensive empirical evaluation across diverse architectures (CNNs, Vision Transformers, LLMs) and datasets, they provide the first systematic characterization of this phenomenon. The results yield a novel geometric interpretation of robust training and establish verifiable, geometry-informed optimization criteria for improving adversarial robustness.

Flatness of the loss surface not only correlates positively with generalization but is also related to adversarial robustness, since perturbations of inputs relate non-linearly to perturbations of weights. In this paper, we empirically analyze the relation between adversarial examples and relative flatness with respect to the parameters of one layer. We observe a peculiar property of adversarial examples: during an iterative first-order white-box attack, the flatness of the loss surface measured around the adversarial example first becomes sharper until the label is flipped, but if we keep the attack running it runs into a flat uncanny valley where the label remains flipped. We find this phenomenon across various model architectures and datasets. Our results also extend to large language models (LLMs), but due to the discrete nature of the input space and comparatively weak attacks, the adversarial examples rarely reach a truly flat region. Most importantly, this phenomenon shows that flatness alone cannot explain adversarial robustness unless we can also guarantee the behavior of the function around the examples. We theoretically connect relative flatness to adversarial robustness by bounding the third derivative of the loss surface, underlining the need for flatness in combination with a low global Lipschitz constant for a robust model.