The main issue is that utilizing LoadCharacter a lot of times on just one player prevents every other player’s character appearance from. Here’s an example of how it can be exploited:
--Server
game.ReplicatedStorage.LoadCharacter.OnServerEvent:Connect(function(player)
    -- No rate limit or debounce: every FireServer call reloads the character
    player:LoadCharacter()
end)
--Client
while true do
    wait()
    game.ReplicatedStorage.LoadCharacter:FireServer()
    game.ReplicatedStorage.LoadCharacter:FireServer()
    game.ReplicatedStorage.LoadCharacter:FireServer()
end
What I also noticed is that the Content Provider requests rise a lot and cause some spikes in ping.
LoadCharacter() can only be called by the server. In order for such an exploit to be present, the developer of the experience must add a method for the user to call LoadCharacter. An example of this would be a GUI button that a player would be able to click in order to reload their character. Otherwise, the function is not exploitable in its current state because of the requirement of the server calling it.
If such a button is needed, we recommend imposing time-based restrictions based on how often the button can be pressed in order to prevent abuse by users.
If you have any extra information regarding this bug, we’d be happy to look at it.
Hi, another issue is that if the server script does not have a debounce with LoadCharacter and it’s connected to a remote event, an exploiter can spam FireServer to the remote, effectively causing issues.
The onus is on the developer here to secure their events by implementing proper rate limiting on the server side.
The most Roblox could do is add documentation to the function saying it may cause delays if caused in rapid succession.
It doesn’t make sense for Roblox to apply an internal rate limit to this function, and you see the spike because it’s loading in the assets from the avatar each time the player is refreshed.
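The server-side rate limiting recommended in the replies above, as an added example that is not code from the thread or from Roblox. It reuses the `LoadCharacter` RemoteEvent from the original post; `COOLDOWN_SECONDS`, `DROP_WARN_THRESHOLD` and the table names are assumptions chosen for illustration.

```lua
-- Server Script: per-player cooldown plus an in-flight guard on the remote.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local loadCharacterEvent = ReplicatedStorage:WaitForChild("LoadCharacter")

local COOLDOWN_SECONDS = 5      -- assumed value; tune for the experience
local DROP_WARN_THRESHOLD = 20  -- assumed value; dropped requests before logging

local lastAccepted = {} -- [Player] = os.clock() of the last accepted request
local inProgress = {}   -- [Player] = true while LoadCharacter is still yielding
local dropped = {}      -- [Player] = number of rejected requests

local function reject(player)
    dropped[player] = (dropped[player] or 0) + 1
    -- Log once when the threshold is hit so spam is visible without flooding output
    if dropped[player] == DROP_WARN_THRESHOLD then
        warn(("LoadCharacter remote: %s exceeded %d rejected requests")
            :format(player.Name, DROP_WARN_THRESHOLD))
    end
end

loadCharacterEvent.OnServerEvent:Connect(function(player)
    local now = os.clock()
    local last = lastAccepted[player]

    -- Drop the request if a reload is already running or the cooldown is active
    if inProgress[player] or (last and now - last < COOLDOWN_SECONDS) then
        reject(player)
        return
    end

    lastAccepted[player] = now
    inProgress[player] = true
    -- LoadCharacter yields; pcall keeps an error from leaving the guard set
    local ok, err = pcall(player.LoadCharacter, player)
    inProgress[player] = nil
    if not ok then
        warn("LoadCharacter failed for " .. player.Name .. ": " .. tostring(err))
    end
end)

-- Release per-player state so the tables do not grow as players leave
Players.PlayerRemoving:Connect(function(player)
    lastAccepted[player] = nil
    inProgress[player] = nil
    dropped[player] = nil
end)
```

All state lives on the server, so a client that ignores any cooldown in its own GUI script still gets at most one reload per window.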