Changing Development Tactics - Looking For Feedback About Possible Exploits I May Cause

Dear Developer Community,

I am writing a new type of game, one that I have never attempted on Roblox previously. Normally my games do not involve any damage to players, other than perhaps falling off the main board and respawning. I am building a game that involves damage using tools. This is my 7th game in three years and, while I have a lot of experience, I am still learning every day that I work in the environment.

Normally, I am processing any of my important code such as rewarding coins or gems, using a method that involves generating a temporary key for that specific action and then destroying the key after the action is completed. I have been doing this for almost three years and it has kept server level data integrity intact. I do tend to keep my code in two major files, one for the client and one for the server, since I am more versed in other languages that follow that Client-Server model. I am trying to get away from that and use Roblox in the way that I believe other developers are approaching problems.

The scripts I am using are all regular scripts, which I have always assumed are server level scripts. Here are the steps I am taking, when a tool deals damage and problems that I am facing.

1. The tool’s action is triggered and I test for a NPC or another player.
2. The Script Calls a Remote Function on the Client.
3. The Client Remote Function Requests a Temporary Key from the server.
4. The Client Remote Function Calls to the Server Remote Function.
5. The Server Remote Function verifies the Temporary Key, and if not, kicks the player.
6. The Server Remote Function makes modification to the Database, issuing whatever is being rewarded to the Player such as coins or gems, etc.
7. The Server Returns a value to the Client Remote Function that Called it.
8. The Client Remote Function updates the Player GUI or gives some other feedback to the player of their reward.
9. The Client Remote Function returns control to the tool and the tool finishes processing and “reloading” or “recharging”

The main problem I am facing is that any time I make the reload/recharge process less than 1 second in length, I can see that when I am hitting or shooting another player or a NPC that while the action is being taken, I am not always doing damage on subsequent hits.

My question, now that I have probably lost your attention due to being long winded,is to attempt the following.

1. The Tool’s action is triggered and I test for a NPC or another player.
2. Since the Tool Script is a regular script, I can reference my database module here and make modifications to the Database, issuing whatever is being rewarded to the Player such as coins or gems, etc.
3. I call a Client Remote Event which updates the Player GUI or gives some other feedback to the player of their reward.
4. The Tool finishes processing and “reloading” or “recharging”

By removing 5 steps in the process, I can get a faster turn around time for each shot or hit I dole out, making my game faster and more responsive for the player by removing multiple remote function calls out to the client, the server and back again.

My main concern is now exploiters that could take advantage of my not generating any temporary keys. Are these regular scripts available to them? Since I am not really calling any server level remotes, is there even a back door open to them?

Thank you, in advance, for taking the time to read this and offering any thoughts you might have.

Regards,

Tweetclean

Why exactly do you need a temporary key?

In my game there’s an option to sell an inventory item and get the value returned to your money balance.
The method I use (hopefully safe) is that the user sends a request to the server to sell a specific item. The server then checks if the user owns at least 1 of these items and then changes the money balance.

How exactly have you been using keys? Are you using calls with client → client?

First of all, I’m not sure where in the first case any actual data has to be given to the server from the client. If the client never feeds any data to the server at any step, the usage of a key becomes redundant. Ask yourself, for what data are you verifying authenticity?

Normally, you’d use a key for checking if data from the client is legit or not – which I’d like to note here, is not fully safe! I understand how this holds off some exploiters if used in the right circumstance but don’t recognise it to be important. Important data should not be client based in the first place. Simply having data like ammo and gun state on the server and replicating it to the client already makes your data out of client bounds, and directly untouchable (but make sure that scripts that edit data too aren’t dependent on the client).

In your case, since your new process is server based and doesn’t have things like mouse data being passed over, I can’t think of a way to exploit the functioning of your tool. There is of course players teleporting to places in the map, but that is a check that should stand separate from process-specific sanity checks.

Your new system looks fine to me if I’m not overlooking something. The only exploiting that could happen is independent of this system alone.

ankurbohra04, thank you for your reply and your feedback.

I think what I hear most loudly from your reply is that no actual data should ever be given from the client to the server. Setting things like Coin Rewards in a NPC or a treasure chest only leaves me open to exploits. What I am hearing is, and please correct me if I am wrong, is to perform all critical data server side only and never pass critical data from the client to the server.

I have a question about Regular Scripts, if you don’t mind. Are all Regular scripts, regardless of their placement in places such as the workspace, replicated storage or ServerScriptService are all considered Server Scripts? I was under the impression that only Regular Scripts in ServerScriptService were, in fact, Server scripts behind the Server Firewall.

Regards,

Tweetclean

Seems like you have the gist of it but putting values in an NPC is of no worry as long as you’re retrieving these values from the server (instances are to be read from on the server) where any change an exploiter makes isn’t replicated. Important data can be on the client if need be, but it should:

1. Not be dependent on the client. Clients should only be given copies of data to read from for themselves, not for reading and passing to the server.
2. Not be retrieved from the client’s copy of the data. Always read data from the server.

From the server here refers to reading directly from the server, not a request to read from the client initiated by the server.

The content of (Server) Scripts is under no circumstances shared with the client. They exist and are ran solely on the server, they see what is on the server regardless of where they are placed.