I’m currently working on expanding my knowledge around Anti Exploit and was wondering if there was any way I could make this simple Anti Click to TP better and more efficient? Obviously changing the Max Studs would be dependent on the game’s type and if it requires you to teleport a certain number of studs.
This script checks the position of the HumanoidRootPart compared to its last position every heartbeat and if it’s moved further than the max studs it kicks the player. I’ve done some bug testing with friends and it seems really efficient with detecting exploiting, we purposely flung our characters to try and trigger it and found it only triggers when you fall under the map.
Script:
-- // Services
local Players = game:GetService("Players")
local RunService = game:GetService("RunService")

-- // Variables
local MaxStuds = 15

-- // Function : PlayerAdded
Players.PlayerAdded:Connect(function(player: Player)
    player.CharacterAdded:Connect(function(character)
        local humanoidRootPart = character:WaitForChild("HumanoidRootPart") -- Get the HumanoidRootPart
        if not humanoidRootPart then return end -- sanity check (before the part is used)
        local lastPosition = humanoidRootPart.Position -- Last position

        -- Note: this connection is created per spawn and is never disconnected
        RunService.Heartbeat:Connect(function()
            local currentPosition = humanoidRootPart.Position -- Current position of the character
            local distanceMoved = (currentPosition - lastPosition).Magnitude -- Calculate the distance in studs
            if distanceMoved > MaxStuds then
                player:Kick("Anti TP") -- if player traveled more than the max studs then they are using click to tp
            end
            lastPosition = currentPosition -- update the last position
        end)
    end)
end)
Any and all feedback is greatly appreciated, thanks for reading.
One issue I can see is your script has somewhat of a memory leak, you never disconnect the functions when the player dies, thus creating multiple RunService events which can and will cause server lag.
Adding onto that, you should probably do some kind of for loop, as if there are a lot of players there will be many RunService events created.
Anyways, not sure if the falling is a false position but implying that it is, you could fix that by detecting if the Character’s velocity is in the negatives, however it’s not foolproof because of lag.
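The feedback above applied to the original script, as an added example that is not from any poster in this thread: a single Heartbeat connection loops over all tracked players, entries are cleared when a character or player is removed, and displacement is sampled over an interval with a separate vertical allowance for falls. `CHECK_INTERVAL`, `MAX_SPEED`, `MAX_FALL_SPEED`, `tracked` and the helper function names are assumptions chosen for illustration and need tuning per game.

```lua
local Players = game:GetService("Players")
local RunService = game:GetService("RunService")

-- Assumed tuning values (not from the thread); adjust per game.
local CHECK_INTERVAL = 0.5  -- seconds between samples, absorbs replication jitter
local MAX_SPEED = 60        -- max legitimate horizontal studs per second
local MAX_FALL_SPEED = 500  -- vertical allowance so long falls are not flagged

local tracked = {} -- [Player] = { root = BasePart, last = Vector3 }
local elapsed = 0

-- True when the move from `last` to `current` over `dt` seconds is too fast.
local function exceedsLimit(last, current, dt)
	local delta = current - last
	local horizontal = Vector3.new(delta.X, 0, delta.Z).Magnitude
	return horizontal > MAX_SPEED * dt or math.abs(delta.Y) > MAX_FALL_SPEED * dt
end

local function track(player, character)
	local root = character:WaitForChild("HumanoidRootPart", 10) -- nil on timeout
	if root then
		tracked[player] = { root = root, last = root.Position }
	end
end

local function onPlayerAdded(player)
	player.CharacterAdded:Connect(function(character) track(player, character) end)
	-- Dropping the entry on death/despawn replaces per-character disconnects.
	player.CharacterRemoving:Connect(function() tracked[player] = nil end)
	if player.Character then track(player, player.Character) end
end

Players.PlayerAdded:Connect(onPlayerAdded)
Players.PlayerRemoving:Connect(function(player) tracked[player] = nil end)
for _, p in ipairs(Players:GetPlayers()) do task.spawn(onPlayerAdded, p) end

-- One connection for the whole server instead of one per character.
RunService.Heartbeat:Connect(function(dt)
	elapsed += dt
	if elapsed < CHECK_INTERVAL then return end
	for player, state in pairs(tracked) do
		local current = state.root.Position
		if exceedsLimit(state.last, current, elapsed) then
			tracked[player] = nil
			player:Kick("Anti TP")
		else
			state.last = current
		end
	end
	elapsed = 0
end)
```

Server code that moves a character on purpose should overwrite that player's `last` entry in `tracked` afterwards, otherwise the next sample flags the move.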
Yeah, that’s really unavoidable, at least from what I found. I also made a really good one of these and honestly I gave up on server side anti cheat completely and switched to client sided anti cheat where you can add so many more detections.
No, they cannot just delete your script and it’s really making me upset how many people spread this misinformation to intelligent people like you. You create a handshake that detects the deletion and forces them to reverse engineer your entire system, which is extremely difficult and nearly impossible to do without knowing how.
That is true, but the client can be very unpredictable no? Unless you verify the information directly with the server can you really trust anything from the client?
I will send you my server sided version of this in DMs and you can play around with it for free. I don’t care about it anymore because I’ve completely abandoned it. I care deeply about my client sided anti cheat. That’s where true security is found.
I see you are trying to make an anti teleportation prevention script, here’s a few things to note:
While looping constantly might sound like the most ideal method, there are other methods to use as well. Think of this example: the player is standing still and not moving at all. Well, the script will keep listening for changes and do mathematical operations.
You could just only do that when the player moves, like https://create.roblox.com/docs/reference/engine/classes/Instance#GetAttributeChangedSignal.
This will be much more efficient since it only checks it when it needs to be checked.
Now, for the exploiter that could potentially delete this script.
Exploiters can indeed modify the whole client side, including deleting the script. That’s where the term “never trust the client” comes from, you’ll need that in every programming situation you can think of (websites, software, databases, PLCs). And that won’t be possible with a server side script. Here’s the thing, do you want performance/certainty (local script), or security/uncertainty (server script)? We all know Roblox’s servers, they are not great. There are two things to consider: Zero Trust mindset, and playability. Put as much on the client in terms of performance when things need to go smoothly (tween animations, effects…) and put everything on the server that is critical. It’s always a fight between.
You have to use the client and the server together, it’s not just the client. There are tons of people who like to spread misinformation to intelligent developers about this, yet they’re the same people who are either too scared to touch an executor and try to bypass it themselves or, even better, they touched an executor and did try to bypass it and completely failed and realized that we were right from the start.
So the exploit I’m trying to patch allows the player to teleport by clicking, therefore they don’t need to walk/jump at all. Would the class change if they stand still and click to move?
I see your point, you can add an extra step by making a client check.
While this is indeed a way to make it “harder” for the attacker, I still have a few things to note:
The client-server model you use in Roblox needs at least two scripts, a server side script and a client side script. This client side script that communicates to the server to warn for unwanted changes can be deleted or modified as well.
You sent me a link to a post, which I do see a part of the solution to, you also directed me to a reply, which did show an exploit to a vulnerability in the system from the poster, which is kind of contradictory to your point (if I understand your point right).
Now, don’t get me wrong, this does improve the security and make it harder for the attacker, which is the only thing we can do. But this does not make it hacker proof, even for a client side script. There’s one thing that you have to take notice of in terms of cybersecurity: never trust the client, always prepare to be hacked.
It looks great! One suggestion might be to add a cooldown timer to prevent rapid clicks from triggering the teleportation multiple times in quick succession. That could further improve the user experience.
The script doesn’t work based on detecting clicks, every heartbeat it checks the current position of the HumanoidRootPart against the last. Having a cooldown wouldn’t really change anything, if anything it would make the detection slower.