While developing an anticheat, I discovered that exploiters can destroy any individual object in their characters, including non-physical items like decals, joints, and scripts, and that destruction replicates to the server. This behavior is also not documented where it should be.
This can happen pretty much everywhere that uses the default characters familiar to Roblox players, and is not limited to Roblox Studio.
For example, if I run this script on my client, my limbs and t-shirt disappear on both client and server.
local character = game.Players.LocalPlayer.Character
You could have a script that checks through player’s characters to see if everything is still intact, and if not, you could reset them?
For clothing, you could have a table with what the player originally joined with. To prevent false firings for if a player resets with a new article of clothing, just update the table every time a player resets.
I’m not an expert on this, so there might be a better way to do this.
local character = game.Players.LocalPlayer.Character or game.Players.LocalPlayer.CharacterAdded:Wait()
I think the reason for this is so that character movements replicate instantly, but I agree this should not happen to all objects parented to the player. (You can also cause your character to respawn by deleting the humanoid object on the client which could break some games).
It’s possible to teleport other players if there’s a skateboard in the game. Exploiters can teleport the skateboard to the player and then teleport it where they want to player to go. Not sure if this works with seats as well but this is a severe issue.
Putting stuff there is useful because you can alter the character’s behavior without having to copy the whole character or do complicated scripting systems. For example, if you wanted the character to use custom swimming behavior, you could put in a LocalScript that does that.
That doesn’t make sense, checking when the player respawns isn’t complicated it’s just Player.CharacterAdded but that doesn’t really matter since like you said a LocalScript which obviously could be deleted by the client so I see no reason for “Putting stuff in the Character” to be used an argument or a reason…
I’ve been working on 3 games and none of them have any scripts that are inside the Character because there is no reason for them to be there, there is no reason to store values/important values.
Roblox stores Health, WalkSpeed, and plenty of other properties about your character in the Humanoid. This is automatically replaced when you reset with the StarterCharacter, so if you wanted to add a “Mana” value or “Ammo”, etc, then you can have them created without needing to write extra code to make those values each time.