I have some npc’s that are created on the server. When these npc’s are close to a player and that client damages the player (on the client) then the damage will replicate to the server. I’m pretty sure the issue is that when the client gets close enough it takes over network ownership. That is an exploit just begging to be made.
I can fix this issue by doing this
local npc = workspace["Npc Damage Test"]
npc.HumanoidRootPart:SetNetworkOwner(nil)
But this might screw up with some of physics and movement of the npc in other aspects of the game because of how the game is made. So is there any other solution to prevent clients from damaging npc’s without having to change the network owner?
The reason why the npc is most likely taking damage is because of how your using the humanoid:TakeDamage() function, your npc’s most likely use humanoids as well for those changes to replicate. In order to stop this wherever you are dealing the damage you need to first check if the humanoid’s parent is a real character, you can do that like this-
--[[
im not sure how your damage is done
but here is the framework.
]]--
local playersService = game:GetService("Players")
local character = humanoid.Parent
if playersService:GetPlayerFromCharacter(character) then
--[[
if it is a non-player character is passed then this function
will return nil thereby solving your issue
]]--
humanoid:TakeDamage()
end
Also, I’m sure this is a bug on roblox’s side and I plan on reporting it but I wanted to see if there was a solution I could use in the meantime without changing the network owner.
yes i told you what to do you need to change how your dealing damage, you need to first check is the humanoid is a child of a real character before you deal the damage, it is not a bug, i think that any changes involving humanoid do replicated.
I think you are misunderstanding. I am not dealing damage like this, exploiters are able to deal damage like this. Also npc = non player character, this trick only works for non player character’s
Oh thats what you mean, but i think that changes involving a humanoid always do replicate, like for example animations. That’s why it should be done on the server it would make your system less vulnerable to exploits.
Perhaps make all clients deal damage to anything with a remote event to the server (so server is the actual one doing the damaging) and any damage done outside of that remote event is unauthorized so therefore kick the client for the damage bypass. also have remote event check for legit calls such as if the player is in proximity to the npc to prevent clients from killing anything anywhere.
The exploit isn’t sending a remote to deal damage. The remote is already protected. What I’m saying is the exploiter can deal the damage on client, no contact with the server is made. I don’t think it would be possible to check who dealt the damage.
Someone mentioned this issue to me a while ago and I tested it out and came up with the same results you did. You’d probably be best off not directly keeping track of the NPC’s health through the actual Humanoid.Health property and instead keeping track of it in your own table/dictionary that the client can change through remote events. It might even be worthwhile to just entirely get rid of the Humanoid and change the animations to work without it.
Edit:
Even if you were to remove the Humanoid, as long as the client has network ownership they can pretty much do anything to the npc such as sending it to the void. If you really need to keep the npc’s network ownership to the client then all you can really do is add in server checks to make sure the client isn’t performing any abnormal manipulations to the npc.
I’m a little confused as to how network ownership is being mentioned alongside replication of Humanoid.Health. Network ownership is only part of the physics pipeline and applicable solely to BaseParts. A client having network ownership over an NPC’s BaseParts doesn’t mean it can replicate changes to Humanoid.Health. If the NPC is created on the server, the humanoid is likewise server-bound and replicated to the client.
You can use a NumberValue or something to keep track of the NPC’s health. Every time the client “damages” the NPC, subtract from that value instead of subtracting from the NPC’s actual health. If an NPC’s actual health changes, there is a good chance someone is exploiting and you can handle the situation.
I’m not entirely sure but it makes sense… When the player is near the npc then the client can manipulate the properties and it replicates to the server. When a player is farther away the changes won’t replicate. And setting its network owner to nil fixes it so it has to be involved. Maybe it gives entire ownership of the parts rather than just the physics to it.
“To divide the work of calculating physics, Roblox automatically assigns parts to either the server or to a client.”
The only properties a client can change with replication to the server when in network ownership are those of the parts. Humanoid changes do not replicate.
