[Solved] Creative Anti Cheat for Roblox games

  1. Serverscripts run on the server, so deleting them on the client achieves nothing
  2. Serverscripts run on the server, so they cannot access client-sided information like UIs

Use a client script for the UIs, and use server-sided sanity checks to prevent exploits

I just realized that by reading your messages it made me think a bit deeper for a minute. Just tired I stayed up last night for my birthday. I’m really just disgusted with the lack of seriousness from Roblox in regards to security. Let me paint this picture for you and why it just makes me not want to develop on Roblox anymore.

WalkSpeed/JumpPower Sanity Check: Repeatedly loop check the distance of how far a character is going on all axes and if they start going fast, kick them.

❌

Why? That isn’t anti cheat 😂 that’s called preventing clients entirely from increasing their walkspeed/jumppower past a certain number… exploiters can literally simulate devproducts in your game and avoid having to spend a dime on your hard work…

Long story short? “Serversided sanity check” doesn’t work because it falsely kicks innocent players who were exploded by a grenade and their parts went flying and the game thought the player was cheating when really they were just playing the game

“Use client script for the uis”

Really? So we’re going to trust the clients with input?

❌

Why? Exploiters can use your input scripts against you and do whatever they wish.

Let me know if you have any ideas, otherwise I am just to a point where I might just give up on the idea of anti cheat entirely and just trust the clients for everything and use my own ideas to troll them as much as I can with my own personal knowledge of how Roblox exploits work.

Or if you really wanted to, send the client’s input to the server via remote events, and suffer the consequences of high ping

It’s physically impossible to know what the player is inputting without either checking on their device or sending the information from their device to the server. The Roblox servers do not have telepathic power and are unable to magically know what buttons the player presses

As for sanity checks, yes, you’d have to tweak it a lot to prevent false positives, but generally speaking, it’s the best method. You can always edit it to be specifically appropriate for your game (for example, if you have gamepasses that increase walkspeed, increase the limit of walkspeed for the player if they have said gamepass; if you have grenades that can send players flying at thousands of studs per second, perhaps check if the player obtained their speed via a grenade)

I see so you could store information inside of the player from the server that checks if they got hit by a grenade or some other explosion or bullet. That’s cool I like that idea. The whole magnitude thing is still just a total disaster and if that’s really the “best method” it makes me realize why so many developers simply don’t care to anti cheat their game at all. Still doesn’t solve the userinputservice problem either and that’s a huge problem

I don’t believe there’s really a better method even outside of Roblox. If you know of one, I’d be glad to hear about it, as perhaps we can find a way to implement it in Roblox. Regarding the userinputservice issue, I don’t find that a problem considering that all user inputs should (generally speaking) do actions which can easily be monitored on the server.

1 Like
  1. They cannot add server scripts anywhere.
    Even if they actually added server scripts, they don’t work,
    UNLESS you add a virus to your game from the toolbox.
  2. You can just use RemoteEvent to fire input events to the server.
1 Like

double jump/infinite jump can work on local scripts.

1 Like

Great that means exploiters can use double jump and infinite jump for free without paying you a penny

Are you guys just busy or is this unfixable? I will try and paint the picture for you even more and maybe you will catch onto why I’m so passionate about these issues…

All it takes is 1 exploit for exploiters to feel powerful. There is a real psychological process behind this where their ego is boosted by them having even the slightest advantage in your game, combined with the fact they can avoid having to purchase your dev products and gamepasses.

Meaning… that if they can infinite jump, guess what?

  1. They won’t care about any other anti cheat you created

  2. They will avoid having to purchase your dev products and gamepasses.

  3. They will take over your game and cause as much of a problem as they possibly can… which then leads to other players feeling like they are at a disadvantage and you losing valuable players who enjoy your game who would have otherwise regularly come back and spent robux in your game.

  4. They are a never ending disease that will not go away so even if you troll some of them and ban some of them, the disease continues to spread which allows them to remain in the cycle of massively ruining your game

I don’t understand what that video is showing. Firstly, why would there be anti-cheat on the client in the first place? It’s very easy for the client to simply delete or edit said anti-cheat to become dysfunctional or even work in their favor. Secondly, preventing double jump quite literally can be done by checking for the state changed on the server, in which if it changes while the player is obviously in the sky (doing a raycast downwards to check if they touch the ground), you know they’re double jumping. Gamepass double jumps can be excluded by simply disabling the anti-cheat if said player has the gamepass.

Infinite jumping is quite literally one of the easiest to prevent. If anything, what you really should be worrying about is jumpheight manipulation or flight, which are not as definitive and do not give a humanoid state change.

Furthermore, yes, exploiting will never be completely fixable until one day we have internet fast enough to literally send user input to the server instantly, and servers strong enough to simultaneously act as the server and the client.

1 Like

Yes,
but Roblox is working hard to block that. Don’t worry,
and you can just add anticheat by checking how far they are from the normal path

Definitely not the easiest to prevent because it relies on humanoid changestate, which clearly in the video does not work correctly on the server. “Detect change on the server” meaning that I can walk into your game and infinite jump because you are only checking it on the server and not the client. If you check it on the client, I can delete all local scripts at once including your anti cheat and then proceed to do it from there.

The only thing preventing me from doing it is if you magnitude check and prevent me from jumping that high entirely, which once again proves my point that you cannot have it as a gamepass in your game safely without it being exploited

Statechanged does take a while to replicate to the server, but it’s not any slower than the character’s movement itself. As both are delayed, if a character jumps in the sky, statechange should activate the “instant” (which is also delayed due to physics replication) it jumps again. Thus, it’s not an issue. The problem shown in the video is only present because the creator of the video, for whatever reason (perhaps they went insane), is trying to use client-sided input to do jumps on the server, which would obviously be delayed.

As for magnitude checks, yet again, I don’t see why you cannot increase the leniency of said check for players who have the gamepass. It is literally a single if statement to check whether they have it, and an addition operation to increase the height allowed.

Edit: In the case that I’m misremembering the behaviour of humanoidstatechange (which I don’t believe I am), and that it does indeed not replicate to the server at all when the client owns the network ownership, you can still listen to other things, such as the playing of the jump animation, which must happen on both the client and the server if the client were to use primitive cheating methods such as double jumping via roblox movements.

Let’s not be serious, guys. This is the right answer to the question and

this is the right solution to the cheat problem
just do it.

Wait, there are grenades in the obby game? Really?

In most situations where anti-cheat matters, grenades would deal damage…
And when they don’t for whatever strange reason (this is already an edge case, a competitive game where grenades only deal knockback…), you can also still have all sorts of anti-flight, in which as long as they don’t keep moving at a few thousand studs per second semi-linearly, they’d trigger said anticheat. And an exploiter flying in a straight line at a thousand studs per second isn’t very harmful, if anything, it’s quite humorous.

What are you trying to achieve? It is difficult to understand when the topic keeps changing.

3 Likes

I am trying to achieve a GOOD magnitude checking anti cheat for all games on Roblox. I will break this down to the simplest level I possibly can because I am obviously not great at explaining things to other people.

Let’s use a super basic example ignoring anything about what theme the game is because it is irrelevant to this topic.

Example: Player touches explosive part, explosion causes player knockback and sends them flying, the flying triggers the anti cheat and kicks them because they went flying.

“Fix”: Prevent them from getting kicked by putting code inside the touched function for the explosive part that ensures they cannot get kicked while being knocked backwards from the server.

❌

Why this doesn’t work? Because now if an exploiter touches the explosive part, this immediately grants them the freedom to move infinitely without restriction until the touched function re-implements the magnitude checking anti cheat. They can just keep repeatedly touching this explosive part whenever they want to use their scripts, and even worse, if they can fake the touched function entirely without going near the part? Boom now your entire game is vulnerable to the most basic exploits in existence that have repeatedly proven to negatively impact experiences.
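An added example, not code from any poster in this thread: a server-side speed check in which a gamepass or a knockback raises the limit for that player instead of switching the check off, so the window the post above worries about stays bounded. The limits, the game pass id placeholder and the `grantKnockback` helper are assumptions made for illustration.

```lua
-- Added example: Script in ServerScriptService. All limits and names are assumptions.
local Players = game:GetService("Players")
local MarketplaceService = game:GetService("MarketplaceService")

local SPEED_PASS_ID = 0 -- placeholder: your own speed game pass id
local BASE_LIMIT = 24   -- studs/s, horizontal; default WalkSpeed is 16, plus slack for lag
local PASS_BONUS = 16   -- extra studs/s allowed for game pass owners
local SAMPLE = 0.25     -- seconds between checks
local STRIKES = 3       -- consecutive bad samples before acting
local state = {}        -- [player] = {pos, t, good, strikes, bonus, extra, expires}

Players.PlayerAdded:Connect(function(player)
	local ok, owns = pcall(MarketplaceService.UserOwnsGamePassAsync, MarketplaceService, player.UserId, SPEED_PASS_ID)
	state[player] = { strikes = 0, bonus = (ok and owns) and PASS_BONUS or 0, extra = 0, expires = 0 }
end)
Players.PlayerRemoving:Connect(function(player) state[player] = nil end)

-- Hypothetical helper. Call it only from server code that applied the knockback itself,
-- after the server has confirmed the hit (for example, the player's last sampled position
-- is inside the blast radius), never on the word of a RemoteEvent or a touch alone.
-- It raises the limit for a short, fixed window; the check itself keeps running.
local function grantKnockback(player, extraSpeed, seconds)
	local s = state[player]
	if s then s.extra, s.expires = extraSpeed, os.clock() + seconds end
end

local function check(player, s)
	local root = player.Character and player.Character:FindFirstChild("HumanoidRootPart")
	if not root then s.pos = nil return end
	local now, prevPos, prevT = os.clock(), s.pos, s.t
	s.pos, s.t = root.Position, now
	if not prevPos then return end
	-- Horizontal speed only, so ordinary falling does not count against the player.
	local limit = BASE_LIMIT + s.bonus + (now < s.expires and s.extra or 0)
	local speed = ((root.Position - prevPos) * Vector3.new(1, 0, 1)).Magnitude / (now - prevT)
	if speed <= limit then s.good, s.strikes = root.Position, 0 return end
	s.strikes += 1
	if s.strikes >= STRIKES then -- one bad sample (respawn, lag spike) is tolerated
		root.CFrame = CFrame.new(s.good or prevPos) -- roll back; a kick could go here instead
		s.pos, s.strikes = s.good or prevPos, 0
	end
end

while true do
	task.wait(SAMPLE)
	for player, s in state do check(player, s) end
end
```

An explosion handler on the server would call something like `grantKnockback(player, 200, 1.5)` right after applying the impulse; once the window expires the normal limit applies again without any further event.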

You are trying to sanity check… input? There would be no difference even if UserInputService worked on the Server, because only the Client knows what buttons are being pressed.

1 Like