A severe issue has been identified that allows players to crash servers of any game using tools in combination with certain layered clothing UGC accessories. The UGC accessories in question, when equipped, appear invisible but cause significant lag spikes. When combined with the rapid equipping and unequipping of tools, these accessories can crash entire servers and disconnect players. The accessories in question are typically box-shaped but appear completely invisible on avatars in-game. Two specific accessories have been linked in the private PM (and I’m sure there’s many more similar to them) and engineers can @ me to request these links if they’re unable to access them.
I’m hoping to have two resolutions as a result of this report:
1. The items linked are taken down swiftly to prevent them from decimating our (or any other games’) player count any further.
2. The root vulnerability with UGC validation that allows these abusive accessories to be uploaded in the first place is resolved.
This vulnerability has had a huge impact on our experience. Our crash rate has increased to a staggering 50%, as shown in the Creator Hub crash rate graph attached, and we’ve seen a 75% reduction in player count due to this issue.
Several related bug reports have been submitted in relation to this issue but appear to have been overlooked, possibly due to the severity not being fully communicated. One of the item descriptions includes the text, “you already know what this is. @f_al to buy,” suggesting intentional misuse.
Reproduction Steps:
1. Equip one of the problematic UGC accessories.
2. Join a game and equip a tool.
3. Rapidly equip and unequip the tool while the accessory is on.
4. Observe the lag spikes and eventual server crash.
A very simple reproduction file has been attached in the private message linked to this report, exhibiting the entire issue.
This is a severe bug that needs urgent attention and resolution. Engineers - please let me know if you’re unable to access the private PM attached.
Video demonstrating the issue (perpetrator & random player perspective):
An anonymous user has DMed me on Discord with more info about this - and it’s actually a much bigger issue than first thought. Thousands of these bugged accessories are being uploaded to the catalog each day, and if Roblox doesn’t do one of the following quickly, the issue is going to spread to more and more games:
1. Fix the bug causing the lag with these accessories (this allows the thousands of glitched accessories to stay uploaded but just not cause any harm which is ideal).
2. Improve the UGC validation checks to disallow these kinds of accessories from being uploaded in the first place (this means Roblox will have to go through all the recently-uploaded avatar assets and take down the thousands of bugged ones, including the ones linked in the PM).
In the past few hours I’ve had DMs from 3 more users offering to provide more info about this bug/affected accessory links. It’s clear that this issue is quite extreme now that so many people know about it.
I’ve also had a lovely DM from someone behind this:
Just received death threats from about 5 more people via Discord relating to this, and have had some of my servers raided.
But apart from this, there’s been quite a few more people who have come forward to provide more info on the issue (thanks guys!). Here it is:
This is actually a large-scale operation with entire Discord servers dedicated to exploiting these already-existing vulnerabilities and finding new ones. They share the methods around (sometimes selling them) and then private them when there’s news they’re getting patched. Here’s what’s just been said (provided to me by someone):
Update on this issue for anyone monitoring this thread:
I’m working privately with some very helpful engineers to get to the bottom of this issue and many other issues with UGC items. I’m not going to say much as I know there’s many of the perpetrators watching this thread closely, but I wanted to thank the engineer(s) who’ve assisted me with this thus far and are working tirelessly to address this, and especially all the like-minded devs who have come forward to me privately, raising concern about the issue and sending over more affected items and information.
If any other devs are affected by this issue, feel free to send me a PM with the asset(s) in question.
This issue is now resolved. We have taken down the problematic items (including many not listed here, whether or not they’re archived or private) and are now blocking any further examples from being uploaded.
To add onto this, you can cause even greater lag if you set the order of each of the layered clothing to be all the same in the API request:
{id = LayeredClothingId, meta = {order = 1}}
The items you linked are fairly harmless and it’s not their fault that they can be used to lag servers (given it’s actually funny and you guys are pretty lame for snitching). Seems like more of an engine issue rather than a UGC vulnerability.
If my game’s player base and hence profit weren’t being decimated as a result of this issue, I wouldn’t have bothered reporting it. However, this issue was allowing a game I’ve worked on for years to be crashed by some children with nothing better to do, and if they have the time to do that, I may as well return the favor by putting in my time to decimate their own economy.
If you were a developer with a small game and small community that was being destroyed as a result of this issue, I’m sure you’d understand.
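The reproduction steps in the original report depend on rapid tool equip/unequip, so a game can throttle that trigger on its own servers. The server script below is an added example, not code from this thread or from Roblox. The thresholds, the kick message and the helper names are assumptions, and the thread does not confirm that throttling alone keeps a server stable.

```lua
-- Added example (not from the thread): server Script, e.g. in ServerScriptService.
local Players = game:GetService("Players")

-- Assumed thresholds; tune against normal play in your own game.
local WINDOW_SECONDS = 2
local MAX_EQUIPS_IN_WINDOW = 10

local equipTimes = {} -- [Player] = array of os.clock() timestamps

-- Record one equip and return how many equips fall inside the sliding window.
local function recordEquip(player)
	local now = os.clock()
	local kept = {}
	for _, t in ipairs(equipTimes[player] or {}) do
		if now - t <= WINDOW_SECONDS then
			table.insert(kept, t)
		end
	end
	table.insert(kept, now)
	equipTimes[player] = kept
	return #kept
end

local function watchCharacter(player, character)
	-- Equipping parents the Tool to the character, so ChildAdded fires on the server.
	character.ChildAdded:Connect(function(child)
		if not child:IsA("Tool") then
			return
		end
		local count = recordEquip(player)
		if count > MAX_EQUIPS_IN_WINDOW then
			-- Log enough to correlate with the Creator Hub crash rate graph later.
			warn(("Equip flood: %s (%d) made %d equips in %ds"):format(
				player.Name, player.UserId, count, WINDOW_SECONDS))
			player:Kick("Disconnected: tool equip rate limit exceeded.")
		end
	end)
end

Players.PlayerAdded:Connect(function(player)
	player.CharacterAdded:Connect(function(character)
		watchCharacter(player, character)
	end)
	if player.Character then
		watchCharacter(player, player.Character)
	end
end)

Players.PlayerRemoving:Connect(function(player)
	equipTimes[player] = nil -- drop state so the table does not grow
end)
```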