It's quite hard, because it's not just "use known vulnerabilities on this specific address" - you can block it easily, and there are projects (such as CRS: https://github.com/coreruleset/coreruleset) that tries to emulate this. It's more of combined specific attacks, which is amplified because if CloudFlare detected an attempt on a single high-profile site, then that IP address can be propagate to all of Cloudflare-protected "properties" (as they called it). Combine that with how random is an address allocated in Tor (and frequent rotations), and you've got blocks without using an explicit Tor list.
> it's not just "use known vulnerabilities on this specific address"
Ok, so they're not blocking complicated attacks. Just automation of attempts to exploit known vulnerabilities. And then their IP is marked as high risk. Rinse and repeat until the majority of TOR nodes are blocked. Definitely can't see that causing issues for TOR (or VPN) users.
Edit: And to comment on this:
> Funnily, there is silence on Fastly's filter
> Cloudflare is used by 80.6% of all the websites whose reverse proxy service we know. This is 17.4% of all websites.
