Chat exploit lagging the server

Hey, I’m a scripter for a group and we’ve recently had some issues with exploiters. Exploiters have been sending mass requests to remotes related to the chat with millions of characters therefore crashing the server. Anyone knows what causes this and how I could potentially fix it?

I already forked the main chat script in hopes of fixing it, we’ve had no proof of it actually working though.

Basically, they’re setting their channel (?) to a huge string which absolutely demolishes both your ping and the server itself.
Anyone knows how to fix it/can potentially help me with fixing it?

1 Like

Can you provide an example? “Remotes related to the chat” could be anything. Is this a custom chat?

We’re still unsure how they’re doing it, all we know is that it has something to do with the chat.

Alright, could you tell me if this is a custom made chat or is this the default Roblox chat?

It’s the default roblox chat, we’ve not altered anything.

Hmm, okay. Honestly not sure then, is there any other information in the console or are those the only outputs?

Those are the only outputs we have. I’ve also checked remote logs (adonis, unsure if that logs everything) and there’s nothing.

Could you tell me any plugins or free models used in the game? An example might be Adonis. Although I use Adonis in quite a few projects, it’s based off EISS, an even older admin and therefore may have unknown vulnerabilities,

Adonis would be the only freemodel that would be in the game. We’re practically 100% sure that it’s not a backdoor due to them not doing anything other than the chat exploit.

Have you used any plugins in the making of the game? Some plugins may carry vulnerabilities or bugs, and even may carry backdoors.

I personally only use trusted plugins, I don’t know about the others.

You should get everyone else involved to check their plugins, mainly builders. I’ve seen some welding plugins copied and used maliciously, and the plugin “owner” impersonates a trusted developer, e.g. TheFurriFish instead of TheFurryFish

If this helps anything, I recently just dealt with a user who was using the same chat exploit in one of the games for a group. We’ve yet to figure out how the exploit happens though, as well.

Hopefully this gets fixed soon.

It shouldn’t be caused by anything on your end. So plugins, free-models avec le malicious scripts, etc. don’t seem to be the source of the problem.
The issue is that a huge string gets passed into a chat remote which doesn’t seem to have a cap on length. If the server also passes a string of this length to other clients (as a chat typically does), then it can impact other client’s performance directly.

This seems to be related directly to:

After a quick search of the DevForums, a similar issue was found here.

Apparently, there seems to be a crack in Roblox’s chat system, where exploiters are able to fire a RemoteEvent in the chat system. As the string is too long and doesn’t fit the right parameters for the chat, the console will throw a warning. Factor the server processing strings of over 10k+ characters, throwing the warnings in the console, and the remote being fired multiple times within seconds, it takes a toll on the server, leading to worse performance on everyone’s end.

The marked solution in that post is to monitor such events being triggered, and if you notice something abnormal, to kick them. Here’s a server script that I’ve created to combat the exploit:

local characterLimit = 16384 --> Based on console
local counter = {} --> Counts issues from input
local counter2 = {} --> Counts issues from remote firing
local serverBanList = {} --> List of players banned from the server due to the exploit
local defaultMessage = "Abnormal activity was detected."

	if table.find(serverBanList, player.UserId) then
		counter[player.UserId] = 0 --> Number of times input would've caused an error
		counter2[player.UserId] = {false, 0, 0} --> isTrackingCount, # of remotes sent by player in a second, # of "strikes"

local ChatService = require(game.ServerScriptService:WaitForChild("ChatServiceRunner"):WaitForChild("ChatService"))
local eventListener = game:GetService('ReplicatedStorage').DefaultChatSystemChatEvents:WaitForChild('SayMessageRequest')

--> Detects if the message or channel inputs are abnormal
eventListener.OnServerEvent:Connect(function(plr, message, channel)
	if counter2[plr.UserId] and not counter2[plr.UserId][1] then
		coroutine.wrap(function() --> Start new thread so it doesn't wait for other "checkers"
			counter2[plr.UserId][1] = true
			counter2[plr.UserId][1] = false
			if counter2[plr.UserId][2] >= 7 then --> Arbitrary, feel free to change the 7.
				counter2[plr.UserId][3] = 1 + counter2[plr.UserId][3]
				if counter2[plr.UserId][3] > 1 then
					table.insert(serverBanList, plr.UserId)
	elseif counter2[plr.UserId] then
		counter2[plr.UserId][2] = counter2[plr.UserId][2] + 1
	if not ChatService:GetChannel(channel) then
		counter[plr.UserId] = counter[plr.UserId] + 1
	if string.len(message) > characterLimit then
		counter[plr.UserId] = counter[plr.UserId] + 2
	if counter[plr.UserId] > 1 then
		table.insert(serverBanList, plr.UserId)

What I’m doing here is having 2 “counters”. One for checking if the input the client is sending the server is abnormal, and another for if the remote is being spammed by the same client. If any of these happen and go over the threshold, it’ll kick the player, and put it on a “ban” list for that server instance.


Can confirm this is still happening, a user joined our game and the ping shot up an insane amount. When can we expect this to be patched by Roblox?

As far as I’m aware, there’s no current Platform Feedback on this (if there is, do feel free to send me the link, as I’d like to see it). Regardless, it’s a major issue that can be resolved with a minor patch, and it’d be best to insert any sort of check or restrictions on abusing the remote in the meantime, if you believe your game could be the target of such attack/exploit.

1 Like

Just copied your code segment into our game, I think we’ve been the victim of it for some time now (Attributing to other issues). Cheers!

1 Like