#Exploits are able to crash servers using Adonis

Exploits are spamming a randomly named Adonis remote; they get kicked with ":: Adonis :: nil", but for some reason (server working on the invalid request, exploitlogs, etc?) the server gets significantly slower and often crashes. Since Adonis only kicks the exploiter, they can teleport back in and resume spamming. I can share the exact script if requested.

Edit: typo

This is already fixed but a new version of Adonis has not been updated

Has been patched. Awaiting <@&940468990151647253>'s to wake up.

I’ll cherry-pick it to release

Don’t think the bots up to auto upload so I’ll have to upload the module myself.

👍

@halcyon belfry thank you

Will you go on a date with me?

https://media.discordapp.net/attachments/926175676149690471/1076254586509217862/image0.gif

You can be the eGirl and I'll be the morbidly obese discord mod.

We can go surfing on the web, hang out at an NFT diner.

Go home, I'll sleep in my bariatric bed while you lay on the concrete corridor leading to my flat.

Wake up and eat crypto for breakfast.

My bad I upgraded my PC

Forgot to set the server stuff back up for it

Will do tomorrow after work

Can indeed confirm this. They fire the unprotected event in ReplicatedStorage, or the remote function parented to it, causes heavy crash

<@&940468990151647253> Has a new version been released for this issue?

@halcyon belfry were you able to manually push the fix

Also the upload server should be back up

Assuming pm2 cooperates and is actually running it like it says it is

If it’s back up then I can push it yes

Yo. Can you take a look at this issue please? The hotfix for it was ignored.
#1070790821613420575 message

#1070790821613420575 message

For anyone looking for an anti for this, heres a quick one i made below:

task.wait(5)

print("anti crash loaded")

for i, v in pairs(game:GetService("ReplicatedStorage"):GetDescendants()) do
    if v:IsA("RemoteFunction") and v.Parent:IsA("RemoteEvent") and v.Name == "__FUNCTION" then
        v.Parent.OnServerEvent:Connect(function(Player, ArgA, ArgB)
            if not ArgA or (not ArgB) then
                Player:Kick("Detected crashing.")
            end
        end)
    end
end

theres not as much kick delay so it disconnects them before they can overly spam the remote

i highly suggest <@&940468990151647253> release the new version soon because this is still an ongoing bug (this just happened in my game today)

I can write a quick fix for this

(A plugin)

To fix exploiters crashing your server via anticheat notifications add a modulescript named Server-AnticheatCrashFix under Adonis_Loader > Config > Plugins with the following code:

iffffff this works universally we can just shove it into the actual module

which would then update the module

seems unwise to assume a module update means it was fixed

what even is the actual issue happening here to cause the crash I thought we already had stuff to prevent that

There is a fix in nightly already

But you can make a temporary release with that plugin

might be able to just cherry pick

assuming everything doesn't implode

Hard to because the anti files have been updated.

Also you'd need to mark the relase in github and in changelogs

Likely would be fixed in next release. And it's bad to have this legacy behavior enabled many years in the future because it could cause issues when it's no longer necessary

right but what was actually causing the issue

the Detected function for the anti?

For some reason Roblox doesnt instantly kick

No idea why

That allows it to make multiple notifications

Ender first found the bug but it got leaked

WHAT IS THE ACTUAL BUG THOOOOO

it's not clear just looking at the plugin

Actually ender didnt find it but they showcased it

like what are they actually doing to cause the thing

or what's responsible for letting it happen

Basically. Roblox doesn't instantly kick the player when calling kick. Meaning the player can run the remote many times before being kicked. Therefor they can make a lot of notifications in that timeframe

The plugin makes it so that it doesn't produce notifications if the player has alraedy been kicked

gotcha so basically if they get kicked immediately blacklist them from communication

It just rekicks them without a notif

Yeah thats what it does. The fix is in nightly also

Roblox top security momento again

if it was handled in the nightly the same way it's in the plugin, it's going to need some changes since it doesn't do anything to clear a player from the kick list after they get actually kicked

better solution might be to just immediately mark a player as "kicked" when we kick/crash them and ignore all further communication from the client/etc

same in the anti detected method

It does clearup via GC

does it?

It should, because it's a weak table

gotcha

Expect the nightly uses an array and the plugin a dictionary, but both use weak tables

I'm not sure about the nightly though because Adonis wraps them so they might not be GC'd. But if so then theres a bigger issue because it affects everything in Adonis ¯_(ツ)_/¯

stop this

?

Oh wait there is a debounce

this is one of those situations where just because we can doesn't mean we should every single time

makes the variables harder to read

unnecessary unless you're doing a bunch of declarations all at once

qq

Weird that the debounce doesn't stop it.

Oh the debounce is not in release

So thats why

So we basically already had a fix in the debounce thing

Well I guess it's better to make a better fix because exploiters can bypass the debounce (I mean it's fixed by the kickedPlayers check but whatever)

The debounce is only for UX

working rn, pushed changes to it to the nightly

someone check if the issue is still fixed on the nightly and I'll pull the changes over to release

at some point we can do a full release for whatever is currently on the nightly but not right this second cuz I have to do my actual job

The issue was already fixes in nightly

I don't like the way it was handled so I made minor changes to it and made sure it clears them on network disconnect

But when you make a small bug fix remember to add to changelog and github releases

Understandable

so we shouldn't need to worry about whether or not GC works correctly for it

it will still use the GC on key if it can but it will also clear it via the client connection tracking stuff when the network client gets removed server-side

going to also add a quick change to make sure the player connections get tracked

Doesn't Adonis already track the server connections

it does but it's loose at the moment, doesn't ensure the player is actually there to check

like

Like RAKNET?

The "UNKNOWN" player connected?

basically it was only tracking the player connection if it could find a player for an added network connection

Oh

but didn't do anything once a player joined to check if they had a tracked connection and if not line them up to their con

so I'm going to add that so there's no unaccounted for connections

I mean you should still keep the RAKNET tracking because it's usefull to see when there are RAKNET connections which don't have a player instance

To see if people spy on the server

well this would only matter if they have a player instance created after the network added event is fired

But you should still keep the log "UNKNOWN player connected"

so when the player added stuff fires it will doublecheck connections to see if they have one and it isn't being tracked cuz they didn't have a player instance yet

it would

it's not going to affect that

Oh ok

pushed

Update changelog

small but needed change to ensure the other stuff works correctly, else some player connections might not be matched to the player instance

no

Ok

Should we add multithreading to Adonis 2.0?

the changelog has pretty much become pain

also does it even really need it

You should make something to automate it's generation

that's what I want to do

just base it on github changes

Just like store the last pull merged, then have some github workflow generate it

yeah

Although it doesn't add maintainer git commits to the changelog automatically

Everything would have to be a pull for it to add everything

Also the version variable inside loader doesn't update automatically

we could probably get something going where it just grabs all commits since last release and tosses them in the changelog or something

dunno

It would make it gigabytes large

wouldn't be that big

Just like take all of the merged pulls

text doesn't take up that much space

And then manually add the maintainer commits (as there aren't that many)

wouldn't need to if we can grab all commits

like regardless of who pushed them up

Oh wait. Take the merged pulls. And then put the git commits which are not related to any pull and paste them there (automatically)

overthinking probably

anyway

pushed the thing

will try a cherry pick over to release in a bit

need to go back to work

if I can't cherry pick I'll just rewrite it on release

Nightly is fine. Expect there is one issue. My soundservice change accidentally broke the Audiolib which brokes the Adonis audio player.

But there are no other issues

n i ce

lol

ok

gonna try pulling over the crash fix then

might need to rewrite it but meh

But there are a lot of pulls which need to be merged so better to not release nightly yet

Also https://github.com/Epix-Incorporated/Adonis_2.0/pulls needs merge

And this adds selene linting to it (and fixes lint errors)

thought I merged that one

It was a different one

I already fixed the selene GitHub action

Not in 2.0

Ohh

I'll have to look at it there yea

https://github.com/Epix-Incorporated/Adonis_2.0/pull/29 should fix the selene lint as well as the lint errors it would produce

One though I decided to do though with it

Is to disable lint for shadowing and unsused variables

They are really not necessary lints and Adonis has like 30000 of them in 2.0 so it's impossible to remove

stupid build server died again

annoying

fixed

release action running now

should hopefully work, the nightly upload worked

How would the generatin of the loader version num be fixed though?

Like

Automated

base it on the last release tag

annnyyywaaayyy

can someone check if release is working & the crashing issue is fixed

Ok

I tested and I think it's fixed

Not sure because I dont have 2 players though

Good enough

As long as things aren't breaking I guess we'll just wait a few hours and see if there's any bug reports or something

finalie fix🥶🥶🥶 thank🙏🙏🤌

The crash exploit is still going on

Try to see if adding a modulescript named Server-AnticheatCrashFix under Adonis_Loader > Config > Plugins with the code \/ fixes it