TotalFreedom has had a long history of exploits being used both maliciously and harmlessly.

2014

Invalid Flower

Invalid Flower was an exploit discovered in early 2014 for Minecraft 1.7.x that crashed players who attempted to render a nonexistent variant of a flower. This exploit was maliciously used to crash players' clients and prevent them from joining the server.

2020

Moving_Piston

2021

Enderman Torture Crash

Discovered in November 2021, the Enderman Torture exploit requires an enderman to be hit with a stacked instant damage potion. It simply abuses the enderman's teleportation algorithm when damaged to work. Basically, when an enderman is hit with the potion, it teleports. For example, a modified splash potion with about 1000 entries of instant damage would cause the enderman to teleport rapidly 1000 times, thus putting strain on the server. Repeating this with several endermen can enable the perpetrator to successfully crash the server. The exploit was often hard to detect because no obscure errors would be printed in the log. The easiest clue to detect the exploit was to look for someone spawning endermen right before the server crashed.

2022

Infinity Cart

Infinity Cart was an exploit discovered by the Moles in March 2022 that abused a lack of validation in entity loot tables which caused affected servers to fail to remove entities with the exploit applied. When a server would attempt to remove the entities (whether it be by command or by the entity being in the void), the invalid loot table would cause an exception to be thrown and would either abort whatever was trying to remove it or outright crash the server. When the entity was put in the void at a world spawn, the server would effectively be sent into a crash loop because the Minecart would be loaded in as soon as it finished starting up.

This exploit in particular prompted the development team to begin work on a fork of the Paper server software called Scissors, which became the foundation for exploit patches as the year progressed and more exploits were patched.

Worldcom

Worldcom was an exploit discovered by videogamesm12 in August 2022 which allowed players to obtain the player data of any entity in the same world as them. The exploit worked by abusing the lack of a distance check in the "Query Entity Tag" packet.

Video created a fork of EpsilonBot to use the exploit to collect consenting player's in-game coordinates every few seconds and store them in a PostgreSQL database, with the ultimate goal being to find builds to independently archive them.

New Columbus Grief Exploit

The New Columbus Grief Exploit is a modified version of the classic Columbus Grief exploit which involves a player flying at a high speed to load as many chunks as possible which puts stress on the server, lowering the TPS. This version is more discrete as players boost their speed primarily through a hacked client which makes it harder to detect whereas the classic version requires /speed 10, this version can be done with lower speeds because a player uses their hacked client that has a "timer" function (which allows for higher speeds) to add the required boost of speed to do the exploit. As with the classic Columbus Griefing exploit, you can detect its usage by looking for [PLAYER] moved too quickly! errors in the server console.

Unknown

Particle Crash Exploit

The Particle Crash Exploit was an exploit that was discovered at an unknown date but used throughout mid-2022 extensively, mainly from May to June 2022 as a reasonably effective way to combat the Akefu Raids. It worked by simply generating a large amount of particles via the /particle command which would cause anyone's client which was targeted by the command to instantly freeze unless they turned particles off or had them blocked. This exploit was used extensively by Alco_Rs11 with often hilarious results while combating the raids.

Classic Columbus Grief

Columbus Griefing was an exploit in which a player would set their /speed to the max and fly as fast as possible in an attempt to lag the server by loading as many chunks as possible, putting strain on the server. A newer version was 'discovered' in 2022 that involved using a hacked client's timer function to avoid raising suspicion with /speed.