TotalFreedom has had a long history of exploits being used both maliciously and harmlessly.

2014

Invalid Flower

Invalid Flower was an exploit discovered in early 2014 for Minecraft 1.7.x that crashed players who attempted to render a nonexistent variant of a flower. This exploit was maliciously used to crash players' clients and prevent them from joining the server.

2022

Infinity Cart

The Infinity Cart exploit was a rather potent exploit used to attack TF in early 2022. It used a modified Minecart With Chest with an invalid loot table that exceeded the vanilla 256 character limit, making it immune to any command to remove it because the game cannot process the data. Any interaction with it would cause the server logs to spit errors, with the chance of flooding them to the point of crippling the server. The modified carts cannot be broken, opened or otherwise modified by the player, nor can they be destroyed by commands designed to kill entities, such as /kill or /rd. Putting a bunch of them on the ground would often break the chunk they occupied, putting the server logs in gridlock and causing the server to crash every time the chunk is loaded, which becomes a crash loop if a player happens to be stuck there. In addition to being made to crash the server, the minecart is given a long display name so that it doubles as a 'lag entity': it freezes anyone near it, trapping them and keeping the chunk it is in loaded. After causing dozens of crashes, this exploit was successfully combated by running the following command:

/data modify entity @e[type=minecraft:chest_minecart,limit=1] LootTable set value "air"


Worldcom

Worldcom was an exploit discovered in August 2022 that allowed players to obtain the player data of any entity in the same world as them. The exploit worked by abusing the lack of a distance check in the "Query Entity Tag" packet.

Video created a fork of EpsilonBot to use the exploit to collect consenting players' in-game coordinates every few seconds and store them in a PostgreSQL database, with the ultimate goal being to find builds to independently archive.

New Columbus Grief Exploit

The New Columbus Grief Exploit is a modified version of the classic Columbus Grief exploit, in which a player flies at high speed to load as many chunks as possible, putting stress on the server and lowering the TPS. This version is more discreet: players boost their speed primarily through a hacked client, which makes it harder to detect. Whereas the classic version requires /speed 10, this version can be done with lower speeds because the player's hacked client has a "timer" function (which allows for higher speeds) that adds the boost of speed the exploit requires. As with the classic Columbus Griefing exploit, you can detect its usage by looking for [PLAYER] moved too quickly! errors in the server console.
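
The console check described above can be automated. The following is an added example, not code from TotalFreedom or the original page: it counts "moved too quickly!" warnings per player in a sliding time window and flags players who trigger bursts of them. The console line format, the threshold and window values, and the player names in the sample are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed console format:
#   [HH:MM:SS] [Server thread/WARN]: <name> moved too quickly! dx,dy,dz
# Anchoring on the WARN level keeps chat messages that merely contain
# the phrase from being counted.
LINE_RE = re.compile(
    r"^\[(\d{2}:\d{2}:\d{2})\] \[[^\]]*/WARN\]: (\w{1,16}) moved too quickly!"
)

def flag_speeders(lines, threshold=3, window_seconds=10):
    """Return {player: peak warning count} for players who reach `threshold`
    warnings inside any `window_seconds` span. Both values are assumptions."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # player -> timestamps still inside the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%H:%M:%S")
        player, q = m.group(2), recent[m.group(2)]
        if q and ts < q[-1]:
            q.clear()  # log has no date: treat a midnight rollover as a reset
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[player] = max(flagged.get(player, 0), len(q))
    return flagged

# Constructed sample console output (not taken from a real server).
SAMPLE_LOG = """\
[14:02:01] [Server thread/INFO]: PlayerA joined the game
[14:02:05] [Server thread/WARN]: PlayerA moved too quickly! 12.4,0.0,-9.8
[14:02:06] [Server thread/WARN]: PlayerA moved too quickly! 13.1,0.0,-10.2
[14:02:07] [Server thread/WARN]: PlayerB moved too quickly! 10.5,1.0,3.0
[14:02:08] [Server thread/WARN]: PlayerA moved too quickly! 12.9,0.0,-9.9
[14:02:09] [Server thread/WARN]: PlayerA moved too quickly! 13.3,0.0,-10.4
[14:03:40] [Server thread/WARN]: PlayerB moved too quickly! 10.1,0.0,2.7
[14:03:41] [Server thread/INFO]: <PlayerC> PlayerB moved too quickly! lol
""".splitlines()

if __name__ == "__main__":
    for player, count in flag_speeders(SAMPLE_LOG).items():
        print(f"{player}: {count} warnings within 10s")
```

A single isolated warning can come from ordinary lag or teleports, which is why the example flags only repeated warnings inside a short window.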

Unknown

Particle Crash Exploit

The Particle Crash Exploit was an exploit that was discovered at an unknown date but used extensively throughout mid-2022, mainly from May to June 2022, as a reasonably effective way to combat the Akefu Raids. It worked by simply generating a large number of particles via the /particle command, which would cause the client of anyone targeted by the command to freeze instantly unless they had turned particles off or had them blocked. This exploit was used extensively by Alco_Rs11, with often hilarious results, while combating the raids.