From what I know, the exploiter has full control over their character, and any changes they make to themselves will replicate to the server. Does this include objects made on the server such as the int or bool values?
I don’t think so. Testing now.
Edit: I tested it and the answer is changes made to things like values won’t replicate to the server.
Yes. They can. Anything that isn’t in ServerStorage or ServerScriptService is pretty much exploitable.
However, those changes won’t replicate to server.
They can change their leaderstats locally too, so this won’t be a problem for them. But as long as you have FE on, you only need to make sure your remotes/stuff have sanity checks.
Unrelated to main post, but
FE has been force enabled for years now, no need to mention it.
Changes in the values of the ‘Value’ property of value objects performed by the client will not replicate to the server regardless of the object’s location (this includes a player’s character model); the client can, however, destroy those value objects, and their destruction will replicate to the server.
I have tried it myself. I have created a StringValue with a server script, put it inside my character and then deleted it with a local script while the game was running (by reloading the script, which is pretty much what script injections do). The string value was deleted for the client but it still existed on the server, as expected. Like someone else pointed out, it’s the physics that gets replicated to the server, as a result of NetworkOwnership.
EDIT: this is due to the new RejectCharacterDeletions property, it’s already enabled by default by now.
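The "sanity checks" on remotes mentioned in the thread, sketched as a server Script. This is an added example, not code from any poster: the `BuyItem` remote, the `PRICES` table, the starting balance and the rate limit are hypothetical. It keeps the authoritative balance in server memory, treats the leaderstats IntValue as display only, and validates every client-supplied argument.

```lua
-- Server Script (e.g. in ServerScriptService). Names marked hypothetical are assumptions.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local PRICES = { Sword = 50, Shield = 30 } -- constructed sample data
local MIN_INTERVAL = 0.5 -- seconds between accepted requests per player

local coins = {}       -- authoritative balance, lives only in server memory
local lastRequest = {} -- per-player timestamp for rate limiting

local buyItem = Instance.new("RemoteEvent")
buyItem.Name = "BuyItem" -- hypothetical remote
buyItem.Parent = ReplicatedStorage

Players.PlayerAdded:Connect(function(player)
	coins[player] = 100 -- constructed starting balance
	local stats = Instance.new("Folder")
	stats.Name = "leaderstats"
	local display = Instance.new("IntValue")
	display.Name = "Coins"
	display.Value = coins[player]
	display.Parent = stats
	stats.Parent = player
end)

Players.PlayerRemoving:Connect(function(player)
	coins[player] = nil
	lastRequest[player] = nil
end)

buyItem.OnServerEvent:Connect(function(player, itemName)
	-- Every argument after `player` is client-controlled: check its type first.
	if typeof(itemName) ~= "string" then return end
	local price = PRICES[itemName] -- price comes from the server table, never from the client
	if not price then return end

	local now = os.clock()
	if lastRequest[player] and now - lastRequest[player] < MIN_INTERVAL then return end
	lastRequest[player] = now

	local balance = coins[player]
	if not balance or balance < price then return end
	coins[player] = balance - price

	-- The IntValue only mirrors the balance; never read it back as the source of truth.
	local stats = player:FindFirstChild("leaderstats")
	local display = stats and stats:FindFirstChild("Coins")
	if display then display.Value = coins[player] end
end)
```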