Can exploiters lie about their position?

Hello, hope you are feeling well! I want to know if exploiters can lie about their position somehow. Remember that the player has ownership of their character. Is the position calculated on the Server or Client? I want to know because if exploiters can somehow bypass anti-exploits on the server side that use the Position property for a lot of stuff, it will be horrible…

1 Like

Yes. Solution: you can try to make a remote event fire every second to tell the player's position; if the player's pos is suddenly far away from their origin, you can kick the player or move them back.

1 Like

What the server sees as the position is what the other clients see as the position. I wouldn’t necessarily go as far as saying this is 100% where the exploiter is on their own screen, but realistically when you have exploiters all that matters is what the server and other players end up seeing.

2 Likes

They can lie about the BaseParts’ velocities, does that mean position as well… (Part’s velocity is replicated from Client to Server) idk position.

You mean FireClient on a remote event that checks pos? (They can change scripts while the game is running and at the same time, they can disable callbacks)

Fire Server, Client can’t Fire Client, and why would you want to do a security check on the client?

1 Like

So you meant FireServer? They will just send an appropriate position through the remote event.

1 Like

This is what I mean, I do something weird with Synapse (an executor), I stay in my position (0, 30, 0), but I set my Position property to (500, 30, 500). (Now the character didn’t get teleported) and the server checks your position. What position will the server have, the (0, 30, 0) or (500, 30, 500)?

Pedantically, an exploiter could edit the Instance metatable to intercept __index and check if the index was Position to return a spoofed value.

However if you are just looking for a simple anti-teleport that is pretty easy to do on the server, you could compare their last known position every heartbeat to their current position, then check if the distance is over however long you want so you can just teleport them back.

1 Like

Yes they can. But the position you read on the server is replicated to other clients. You should design your game in a way that they won’t gain any advantage if they desync themselves on their client.

1 Like

Does this mean they can’t replicate a fake position? Currently I am checking the last position against the new one and it works. But if they are able to edit the metatable and send a fake position to the server then nothing will work… Can they do this?

There is a separate everything on each machine, so separate Instance metatable and such. You don’t want to get the position from the client as you don’t need to.

1 Like

The server and other clients will see the same position, no matter what. Metatables can’t be transferred over the S/C boundary. The server shouldn’t care what the client does on his local machine.

1 Like

Let’s say I am at the position | 0, 0, 0 | and I replicate a fake position to the server | 50, 35, 50 | where a tree is located. The client is still on | 0, 0, 0 | but I want to know if the server sees the position: | 50, 35, 50 |

Yes, that is possible. But other clients will see you at | 50, 35, 50 | too

1 Like

Then how will I make an anti-exploit if they can fake their position…?

A simple anti teleport checking the position will easily see that the position jumped from | 0, 0, 0 | to | 50, 35, 50 |

1 Like

IIRC, the position is calculated on the client, which is why it’s possible to do this in the first place. This is done mainly because ping would too harshly affect movement.

The best way to counter these types of exploits would be a movement-based anti-exploit, most commonly done using raycasts. You take the character’s position one frame, then its position the next, then fire a ray between the two points. By doing this, you can calculate distance and if the player somehow went through a part.

2 Likes
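The server-side check described in the replies above (compare the last known position with the current one every heartbeat, and fire a ray between the two points), as an added example that is not code from any poster in the thread. It is a server Script; `SPEED_TOLERANCE`, `SLACK` and the `tracked` table are assumptions to tune per game.

```lua
-- Added example, not from the thread. Server Script; thresholds are assumptions.
local Players = game:GetService("Players")
local RunService = game:GetService("RunService")

local SPEED_TOLERANCE = 1.5 -- assumed multiplier on Humanoid.WalkSpeed
local SLACK = 3             -- assumed studs of slack per check for replication jitter

local tracked = {} -- [Player] = { position = Vector3, params = RaycastParams }

local function onCharacter(player, character)
	tracked[player] = nil -- forget the old character's position across respawns
	local root = character:WaitForChild("HumanoidRootPart")
	local params = RaycastParams.new()
	params.FilterType = Enum.RaycastFilterType.Exclude
	params.FilterDescendantsInstances = { character }
	params.RespectCanCollide = true -- ignore parts a player may legitimately pass through
	tracked[player] = { position = root.Position, params = params }
end

Players.PlayerAdded:Connect(function(player)
	player.CharacterAdded:Connect(function(character)
		onCharacter(player, character)
	end)
end)

Players.PlayerRemoving:Connect(function(player)
	tracked[player] = nil
end)

RunService.Heartbeat:Connect(function(dt)
	for player, state in pairs(tracked) do
		local character = player.Character
		local root = character and character:FindFirstChild("HumanoidRootPart")
		local humanoid = character and character:FindFirstChildOfClass("Humanoid")
		if root and humanoid then
			local delta = root.Position - state.position
			-- Horizontal speed check only, so falling is not flagged.
			local horizontal = Vector3.new(delta.X, 0, delta.Z).Magnitude
			local allowed = humanoid.WalkSpeed * dt * SPEED_TOLERANCE + SLACK
			-- Ray from the last accepted position to the current one.
			local blocked = delta.Magnitude > 0
				and workspace:Raycast(state.position, delta, state.params) ~= nil
			if horizontal > allowed or blocked then
				root.CFrame = root.CFrame - delta -- move back to last accepted position
			else
				state.position = root.Position
			end
		end
	end
end)
```

Any teleport the server performs itself has to write the new position into `tracked[player].position`, otherwise the next heartbeat moves the player back.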

Now I understand, thank you guys for your help! (I am sorry for the waste of time and making you repeat the same thing over and over).

I can tell you about a situation where faking a position is useful:
Let’s say you have an anti TP script which checks the Torso’s position reliably.
In another game script you have a clickdetector where you check the distance on the server, but you use the character’s Head instead and check if the distance between the clickdetector and the head is below a threshold.
You may assume, “the Torso and Head are joined together and the player dies if they disconnect from each other”, and believe that your game is secure.
Now what an exploiter can do is send a fake, nonchanging position of the torso to the server while he teleports to the clickdetector and successfully triggers it, since his head is close enough.
This is why you need to make sure that your serversided antiexploit complements the game logic (e.g. only use HRP for all distance checks)

2 Likes
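The mismatch described in the last post, as an added example that is not the poster's code: a ClickDetector handler that measures from the Head beside one that measures from the same part the anti-teleport tracks. The script placement, `MAX_REACH` and both function names are assumptions.

```lua
-- Added example, not from the thread. Server Script parented to a part
-- that contains a ClickDetector.
local MAX_REACH = 12                    -- assumed interaction range in studs
local TRACKED_PART = "HumanoidRootPart" -- must be the part the anti-teleport validates

local part = script.Parent
local detector = part:WaitForChild("ClickDetector")

-- Weak: measures from Head while the movement check watches another part,
-- so the two server-side checks can disagree about where the player is.
-- Kept only for comparison; nothing below calls it.
local function headInReach(player, targetPosition, maxDistance)
	local character = player.Character
	local head = character and character:FindFirstChild("Head")
	return head ~= nil and (head.Position - targetPosition).Magnitude <= maxDistance
end

-- Consistent: every distance check in the game goes through this helper,
-- which reads the same part that the movement validation tracks.
local function trackedPartInReach(player, targetPosition, maxDistance)
	local character = player.Character
	local root = character and character:FindFirstChild(TRACKED_PART)
	local humanoid = character and character:FindFirstChildOfClass("Humanoid")
	if not root or not humanoid or humanoid.Health <= 0 then
		return false
	end
	return (root.Position - targetPosition).Magnitude <= maxDistance
end

detector.MouseClick:Connect(function(player)
	if not trackedPartInReach(player, part.Position, MAX_REACH) then
		return -- too far according to the validated position; ignore the click
	end
	-- Grant the interaction here.
end)
```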