Simple as the title suggests, clients, even if the game is FE, can kill ALL server sided NPC’s (In my case zombies) with this simple bit of code. (Its setup to work with my game but you should be able to get the gist, its really simple)
for i, c in pairs(game.Workspace.Zombies:GetChildren()) do
c:BreakJoints()
end
Code has been tested on one of my games I am working on, It has worked for a very long time, only now getting around to reporting it as a fix is definitely something needed.
I don’t want exploiters to have the ability to beat a wave of zombies by just running 3 lines of code. It completely defeats the purpose of the game.
This also works in games like Apoc, you can wipe out every zombie on the server by just breaking the joints of the zombies.
Because if a client has network ownership of a part, they have access to break joints, among other things that are whitelisted. This works well for the player’s character, and completely-local bodies, but not-so-much server-sided enemies. Even physics simulation can be abused though (owner can tell server to move NPC 1000 studs away), so while distributing physics to clients is a good thing in its own way, it opens up a door for exploiting, so maybe it should be revisited.
I just tested setting the network ownership of the zombies, even with every part in the zombie set to the ownership of the server, there are still issues.
All zombies die on client 1 that runs the code, on client 2 the zombies are still ‘alive’ now (that’s a step in the right direction), but here’s where it gets crappy again. The server still registers them as having died, and stops their path finding. (Yet they are still there just standing still on the server (with full health) just like on client 2)