Can this method be exploited?

Making a new projectile system and wondering if it could be exploited.

The 3 steps that will take place when someone clicks their mouse to shoot a bullet:

  1. Client-1 clicks mouse to shoot bullet (asks server to replicate to client-2)

  2. Server does sanity check to make sure the shooting is allowed

  3. If it’s allowed, then the server says back to client-1, “everything checks out, you can create a bullet”, and then tells client-2 to also create the bullet coming out of client-1’s gun barrel (the bullet will be created on the client side for both clients)

Just to be clear: When client-2 is told by the server to replicate the bullet, I meant client-2 would be creating the bullet on their end from scratch, meaning if client-1 changed the speed of the bullet for example, that change would not replicate since all clients are creating it with the pre-set speed, damage, etc.

Can this method be exploited?

Any help appreciated!

5 Likes

Probably not, due to the sanity check, but I’m not sure, as exploits are constantly adapting to get around patches.

2 Likes

Anyone know if this is exploitable?

1 Like

This can be exploited, all it would do is stop exploiters from making impossible shots based on the checks you run.

1 Like

It’s secure, but if the client invokes the server just to see if they can fire, then it’s not going to be very snappy, which is not good if you’re going for an FPS.

1 Like

If you are referring to the sanity check, well, not to a certain extent, but my friend, there are more important things that can be exploited.
Edit: as @WovenBreaker said in that topic, it is what will give you less performance; besides, it is what most experienced operators pay less attention to. Why not just check on the server and that’s it? Besides, you should focus more on projectile tracking.

1 Like

The server will cancel the request as it will fail the sanity check.

1 Like

When client-2 is told by the server to replicate the bullet, I meant client-2 would be creating the bullet on their end from scratch, meaning if client-1 changed the speed of the bullet for example, that change would not replicate since all clients are creating it with the pre-set speed, damage, etc.

1 Like

This’ll work, but as others have pointed out, it is not very performant. Perhaps a better system might be:

  1. Client-1 clicks mouse to shoot bullet and requests that it is transmitted to other clients
  2. Server does not sanity check (yet) and grants the request without delay
  3. Immediately do a sanity check on the server. Assuming it was an invalid request:
     • If the bullet has not made contact with a player, the bullet deals no damage and the ammo is restored to the player who shot the bullet.
     • If the bullet has already made contact with a player, the player is healed for the damage initiated, and the ammo is restored to the player who shot the bullet.

This way, there is no delay at all when firing the bullet and it’ll feel more responsive. Shifting the focus to damage (which is the main thing that’ll be exploited) will ensure that your anticheat is still working and more performant.

1 Like

This is very bad because if it would kill a player, and points or XP are given and rewards etc., so many things would have to be undone.

This would look very chaotic as there would be bullets flying all over the place from exploiters.

1 Like

Wasn’t thinking about killing, but yeah in hindsight you’re completely right.
You could also make use of the leaky bucket algorithm to limit bullet fire rates.

1 Like

In my old gun system I would create a bullet on the server side which would handle the damage. This would have huge server-to-client latency issues, so this new method I think is way more performant.

This is already included in the sanity checks.

2 Likes
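
The server-side sanity check from the original post, combined with the leaky bucket fire-rate limit suggested later in the thread, as an added example that is not code from any poster. It is plain Lua with no engine API; the constants, field names and the shape of the request table are assumptions.

```lua
-- Added example: server-side check for a client's "fire" request.
-- Everything the client sends is untrusted; ammo, fire rate and position
-- are tracked by the server only. All names and constants are assumptions.
local FireValidator = {}
FireValidator.__index = FireValidator

local BUCKET_CAPACITY = 3    -- assumed: burst of shots tolerated (absorbs network jitter)
local LEAK_PER_SECOND = 10   -- assumed: the weapon's real fire rate, shots per second
local MAX_MUZZLE_OFFSET = 8  -- assumed: max distance (world units) from server-known position

function FireValidator.new()
    return setmetatable({ players = {} }, FireValidator)
end

function FireValidator:addPlayer(id, ammo, now)
    self.players[id] = { ammo = ammo, level = 0, last = now }
end

-- request: table sent by the client; serverPos: shooter position as the
-- server knows it; now: server clock in seconds.
-- Returns true, or false plus a reason string.
function FireValidator:check(id, request, serverPos, now)
    local st = self.players[id]
    if not st then return false, "unknown player" end
    if type(request) ~= "table" or type(request.origin) ~= "table" then
        return false, "malformed request"
    end
    local dist2 = 0
    for _, axis in ipairs({ "x", "y", "z" }) do
        local c = request.origin[axis]
        -- c ~= c is true only for NaN, which would defeat the distance test
        if type(c) ~= "number" or c ~= c then return false, "malformed request" end
        dist2 = dist2 + (c - serverPos[axis]) ^ 2
    end
    if dist2 > MAX_MUZZLE_OFFSET ^ 2 then return false, "origin too far" end
    if st.ammo <= 0 then return false, "no ammo" end
    -- Leaky bucket: drain by elapsed time, then try to add one shot.
    local elapsed = math.max(0, now - st.last)
    st.level = math.max(0, st.level - elapsed * LEAK_PER_SECOND)
    st.last = now
    if st.level + 1 > BUCKET_CAPACITY then return false, "rate limited" end
    st.level = st.level + 1
    st.ammo = st.ammo - 1
    return true
end

-- Constructed requests: four shots at t=0, one at t=0.1, one with a far-off origin.
local v, pos = FireValidator.new(), { x = 0, y = 5, z = 0 }
v:addPlayer("client-1", 30, 0)
for i = 1, 4 do print(i, v:check("client-1", { origin = { x = 0, y = 5, z = 1 } }, pos, 0)) end
print(5, v:check("client-1", { origin = { x = 0, y = 5, z = 1 } }, pos, 0.1))
print(6, v:check("client-1", { origin = { x = 500, y = 5, z = 1 } }, pos, 0.2))
```

Only after `check` returns true would the server tell the other clients to create the bullet with the pre-set speed and damage, so nothing from the request beyond the validated origin is replicated.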