TotalFreedom has had a long history of exploits being used both maliciously and harmlessly.

Heatmap of player activity gathered from collected coordinates using Worldcom, a coordinate exploit that was patched in July 2023 but continued to be used on the server for an entire month afterwards

Unknown

Some exploits were discovered so long ago that knowledge of when they were initially discovered or first used are widely unknown.

Columbus Griefing

Columbus Griefing was an exploit in which a player would fly insanely fast (whether it be by using the /speed command or by using a combination of hacks) to force the server to load or generate dozens of chunks at a time, with the goal being to lag or even crash the server. The term was coined in October 2014 by TheMinecraft in a thread on the ProBoards forum which explained the exploit.

2014

Invalid Flower

Invalid Flower was an exploit discovered in early 2014 for Minecraft 1.7.x that crashed players who attempted to render a nonexistent variant of a flower. This exploit was maliciously used to crash players' clients and prevent them from joining the server.

2016

Too Many Particles

Too Many Particles (also known internally as simply Particle Crash Exploit) was an exploit discovered in April 2016 that used the /particle command to effectively freeze players' clients completely. Upon discovery, a suggestion was created to block the command for non-operators and was approved in August 2016.

The exploit resurfaced in early 2022 as an administrative tool to help combat the then-ongoing Akefu Raids by completely freezing the attackers' clients. This was done specifically to waste the attackers' time and frustrate them, as they would have to constantly close their game with the Task Manager and restart it manually. For the most part, this was hugely successful and the attackers were becoming noticeably frustrated in both the messages they were spamming and in the group chats where they were coordinating the attacks.

2020

Moving Piston

Discovered in November 2020, the Moving Piston exploit is an exploit affecting only servers running Spigot and was subsequently abused in the subsequent months by taking advantage of a bug in Spigot that is caused when a tile entity (e.g. a chest) is overwritten with a moving_piston block by replacing the tile entity with WorldEdit or similar plugins that replace blocks. The server then crashes when it tries to fix the overwritten tile entity. It affected Minecraft 1.16.4 and eventually was patched.

2021

Enderman Torture Crash

Discovered in November 2021, the Enderman Torture Exploit requires an enderman to be hit with a stacked instant damage potion. It simply abuses the enderman's teleportation algorithm when damaged to work. Basically, when an enderman is hit with the potion, it teleports. For example, a modified splash potion with about 1000 entries of instant damage would cause the enderman to teleport rapidly 1000 times, thus putting strain on the server. Repeating this with several endermen can enable the perpetrator to successfully crash the server. The exploit was often hard to detect because no obscure errors would be printed in the log. The easiest clue to detect the exploit was to look for someone spawning endermen right before the server crashed.

2022

Infinity Cart

Infinity Cart was an exploit discovered in March 2022 that abused a lack of validation in entity loot tables which caused affected servers to fail to remove entities with the exploit applied. When a server would attempt to remove the entities (whether it be by command or by the entity being in the void), the invalid loot table would cause an exception to be thrown and would either abort whatever was trying to remove it or outright crash the server. When the entity was put in the void at a world spawn, the server would effectively be sent into a crash loop because the Minecart would be loaded in as soon as it finished starting up. This exploit was initially patched by Telesphoreo in a private fork of Paper, which was later superseded by the Scissors project.

It was what prompted the development team to begin work on Scissors which became the foundation for exploit patches as the year progressed and more exploits were discovered.

SilentTP

SilentTP, colloquially referred to as the first Nocom exploit, or just Nocom, was a text component that allowed for querying of a target player's position tag when resolved, even if they had TPToggle disabled in Essentials. This was added to DeviousMod in the form of a command allowing the user to automatically execute the exploit and teleport using Essentials to the target player's coordinates. Later, this was added to SexiestBot in the form of an algorithm which queried the position of every player connected to the server, allowing for teleportation to any player without having to first install DeviousMod.

This exploit was initially undiscovered for a few days, until fyyv made a suggestion on the forums, detailing how it deliberately circumvented TPToggle, recommending the developers patch the exploit[1]. SexiestBot was banned when the suggestion was accepted, and was later unbanned once the SilentTP functionality had been completely removed. It was later patched fully in Scissors by VideoGameSm12.

Worldcom

Worldcom was an exploit discovered by videogamesm12 in August 2022 which allowed players to obtain the player data of any entity in the same world as them. The exploit worked by abusing the lack of a distance check in the "Query Entity Tag" packet.

Video created a fork of EpsilonBot to use the exploit to collect consenting player's in-game coordinates every few seconds and store them in a PostgreSQL database, with the ultimate goal being to find builds to independently archive them.