A Note on Implementation Errors in Recent Adaptive Attacks Against Multi-Resolution Self-Ensembles

📅 2025-01-24
📈 Citations: 0
Influential: 0
🤖 AI Summary
This work addresses the robustness overestimation of Multi-Resolution Self-Ensemble (MRE) defenses under adversarial evaluation. We identify severe constraint violations in recent adaptive attacks—e.g., L∞ perturbations reaching 160/255, vastly exceeding the standard 8/255 bound—and show that MRE retains substantial robustness even after correction. We propose a rigorous attack reproduction and perceptual consistency analysis framework under strict norm constraints. Our evaluation confirms that MRE exhibits non-trivial robustness against compliant attacks, and its optimal perturbations frequently align closely with human visual perception. This challenges the conventional paradigm that equates large perturbations with “strong” attacks, underscoring constraint compliance as a prerequisite for valid robustness assessment. Key contributions include: (i) exposing how constraint violations inflate estimated defense robustness; (ii) establishing perceptually aligned perturbations as a more principled metric for robustness; and (iii) providing a methodological benchmark for trustworthy adversarial evaluation.

📝 Abstract
This note documents an implementation issue in recent adaptive attacks (Zhang et al. [2024]) against the multi-resolution self-ensemble defense (Fort and Lakshminarayanan [2024]). The implementation allowed adversarial perturbations to exceed the standard $L_\infty = 8/255$ bound by up to a factor of $20\times$, reaching magnitudes of up to $L_\infty = 160/255$. When attacks are properly constrained within the intended bounds, the defense maintains non-trivial robustness. Beyond highlighting the importance of careful validation in adversarial machine learning research, our analysis reveals an intriguing finding: properly bounded adaptive attacks against strong multi-resolution self-ensembles often align with human perception, suggesting the need to reconsider how we measure adversarial robustness.
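
Added example, not code from the paper or from either implementation it discusses: a pre-evaluation audit that measures each adversarial example's $L_\infty$ distance in /255 units against the 8/255 budget and projects violators back into the ball. The flat-list image layout, the function names and the sample pixels are assumptions constructed for illustration.

```python
# Added example: audit adversarial examples against a declared L_inf budget.
# Images are flat lists of floats in [0, 1]; all sample data is constructed.

EPS = 8 / 255          # budget stated in the abstract
TOL = 1e-6             # float slack so an exact 8/255 step is not flagged


def linf(clean, adv):
    """Largest absolute per-pixel change between two images."""
    if len(clean) != len(adv):
        raise ValueError("shape mismatch between clean and adversarial image")
    return max(abs(a - c) for c, a in zip(clean, adv))


def project(clean, adv, eps=EPS):
    """Clip adv into the eps-ball around clean, then into the valid pixel range."""
    out = []
    for c, a in zip(clean, adv):
        a = min(max(a, c - eps), c + eps)
        out.append(min(max(a, 0.0), 1.0))
    return out


def audit(pairs, eps=EPS, tol=TOL):
    """Return one record per (clean, adv) pair with the measured norm in /255 units."""
    report = []
    for idx, (clean, adv) in enumerate(pairs):
        d = linf(clean, adv)
        report.append({
            "index": idx,
            "linf_255": round(d * 255, 3),
            "in_budget": d <= eps + tol,
            "in_range": all(0.0 <= a <= 1.0 for a in adv),
        })
    return report


# Constructed 4-pixel "images": one compliant pair, one far over budget.
CLEAN = [0.2, 0.5, 0.8, 0.1]
SAMPLES = [
    (CLEAN, [0.2 + 8 / 255, 0.5 - 4 / 255, 0.8, 0.1]),        # 8/255
    (CLEAN, [0.2 + 160 / 255, 0.5, 0.8 - 100 / 255, 0.1]),    # 160/255
]

if __name__ == "__main__":
    for row in audit(SAMPLES):
        print(row)
```

Running the audit on the final adversarial batch, rather than trusting the attack loop's own clipping, is what catches an over-budget perturbation before its accuracy numbers are reported.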
Problem

Research questions and friction points this paper is trying to address.

Adversarial Machine Learning
Multi-resolution Defense Systems
Self-combined Image Attacks
Innovation

Methods, ideas, or system contributions that make the work stand out.

Multi-resolution Self-integration System
Robustness Assessment
Adversarial Attack Intensity