Exploiting Reset Operations in Cloud-based Quantum Computers to Run Quantum Circuits for Free

This work presents the first thorough exploration of how reset operations in cloud-based quantum computers could be exploited to run quantum circuits for free. This forms a new type of attack on the economics of cloud-based quantum computers. All major quantum computing companies today offer access to their hardware through some type of cloud-based service. Due to the noisy nature of quantum computers, a quantum circuit is run many times to collect the output statistics, and each run is called a shot. The fees users pay for access to the machines typically depend on the number of these shots of a quantum circuit that are executed. Per-shot pricing is a clean and straightforward approach as users are charged a small fee for each shot of their circuit. This work demonstrates that per-shot pricing can be exploited to get circuits to run for free when users abuse recently implemented mid-circuit qubit measurement and reset operations. Through evaluation on real, cloud-based quantum computers this work shows how multiple circuits can be executed together within a shot, by separating each user circuit by set of reset operations and submitting all the circuits, and reset operations, as one larger circuit. As a result, the user is charged per-shot pricing, even though inside each shot are multiple circuits. Total per-shot cost to run certain circuits could be reduced by up to $900$% using methods proposed in this work, leading to significant financial losses to quantum computing companies. To address this novel finding, this work proposes a clear approach for how users should be charged for their execution, while maintaining the flexibility and usability of the mid-circuit measurement and reset~operations.

💡 Research Summary

The paper investigates a novel economic attack on cloud‑based quantum computing services that exploit the recently introduced mid‑circuit measurement and active‑reset capabilities. Modern quantum‑cloud providers (IBM Quantum, AWS Braket, Microsoft Azure, Rigetti, IonQ, etc.) typically charge users using a “per‑task + per‑shot” model: a fixed fee per submitted job (covering compilation, queuing, and scheduling) plus a variable fee proportional to the number of shots (repetitions of the same circuit) executed on the hardware. Because noisy intermediate‑scale quantum (NISQ) devices require thousands of shots to obtain statistically meaningful results, the per‑shot component dominates the total cost.

Active reset works by measuring a qubit during circuit execution, then conditionally applying an X gate if the measurement outcome is |1⟩, thereby returning the qubit to the ground state |0⟩ within microseconds. This feature enables qubit reuse in algorithms such as quantum error correction, teleportation, and variational methods. The authors observe that, when a user inserts a full‑circuit reset (measure all qubits, store results in classical registers, then reset them) after each logical sub‑circuit, the hardware effectively executes multiple independent circuits sequentially within a single shot. The cloud service still counts this as one shot, charging only the per‑shot fee, while the user obtains the results of N distinct circuits.

The attack model assumes only regular user‑level access: the attacker can compile circuits locally, concatenate them with reset blocks, and submit the combined circuit as a single job. No special privileges or modifications to the provider’s software stack are required; standard frameworks such as Qiskit already support such concatenation. The authors further assume that providers do not currently monitor for abnormal patterns of repeated full‑circuit resets.

To validate the attack, the authors executed the concatenated‑circuit technique on several real quantum back‑ends (IBM’s superconducting devices, AWS Braket’s IonQ and Rigetti QPUs, Azure’s Quantinuum and IonQ offerings). They measured the monetary cost under the provider’s published pricing tables. For example, AWS Braket charges a per‑task fee of $0.30 and a per‑shot fee ranging from $0.0009 to $0.08 depending on the QPU. By embedding ten sub‑circuits into a single shot, the attacker avoided nine per‑task fees and paid only one per‑shot fee for ten logical executions. The resulting cost reduction reached up to 900 % compared with the naïve approach of submitting each circuit separately. The effect is most pronounced when the per‑task component dominates the pricing model; providers that use a pure per‑gate model (e.g., IonQ and Quantinuum via Azure) are naturally immune because each reset gate incurs a charge.

The paper categorises three prevalent billing models:

1. Per‑Task + Per‑Shot – vulnerable; the attack eliminates most per‑task fees.
2. Time‑Based (implicit per‑task + per‑shot) – similarly vulnerable because execution time scales with the number of shots, not with the number of logical circuits inside a shot.
3. Per‑Gate – not vulnerable to this specific attack, as each reset and measurement gate is billed individually.

Given the identified vulnerability, the authors propose several mitigation strategies:

• Billing Redesign – charge per logical circuit rather than per shot, or introduce a separate fee for each reset/measurement block.
• Usage Monitoring – implement analytics that flag jobs containing repeated full‑circuit resets, especially when the number of resets approaches the number of logical sub‑circuits.
• Reset Rate Limiting – impose limits on how frequently a user may invoke a full reset within a single job, or require explicit justification for extensive reset usage.
• Hybrid Pricing – combine per‑gate fees for reset/measurement operations with a modest per‑shot fee, ensuring that any attempt to “pack” many circuits into one shot incurs proportional cost.

In conclusion, the work reveals a previously unexamined economic attack surface in quantum‑cloud services, demonstrates its practicality on real hardware, and quantifies the potential financial impact (up to a nine‑fold cost reduction). By highlighting the interplay between hardware capabilities (mid‑circuit measurement and active reset) and provider billing policies, the paper urges cloud quantum providers to revisit their pricing and monitoring frameworks to prevent abuse while preserving the flexibility that makes mid‑circuit operations valuable for legitimate users.