Deleting Humanoid With A LocalScript Replicates To Server

Deleting the local character’s humanoid on the client replicates to the server. This is not game-specific, and is also commonly know as a method to achieve God mode with Exploits. The character doesn’t even respawn after 5 seconds after the humanoid has been removed. Expected behavior is that deleting your own humanoid clientside does not replicate to the server.

Code

Script

local PlayerS = game:GetService('Players')

PlayerS.PlayerAdded:Connect(function(plr)
	plr.CharacterAdded:Connect(function(Cha)
		local Hum = Cha:WaitForChild('Humanoid')
		for i = 0 , 50 do
			print(Hum:GetFullName(),' | ',Hum.Parent)
			wait(1)
		end
	end)
end)

LocalScript

local PlayerS = game:GetService('Players')
	local plr = PlayerS.LocalPlayer
		local Cha = plr.Character or plr.CharacterAdded:Wait()
			local Hum = Cha:WaitForChild('Humanoid')
			
wait(5)
			
Hum:Destroy()
5 Likes

Damn, I’ll definitely add this to my anti-exploit right away, hope they patch it.

3 Likes

You’ll find that this isn’t specific to humanoids with mpre testing. This has been brought up before and received response from staff, there’s reasons which I don’t know if I should say here (my memory isn’t too strong on why either) why it hasn’t been changed. But to summarize, they want to fix it, and a fix will probably come at some point.

It also allows you to kill NPCs indirectly with explosions and the characters will explode and stuff client-sided, but on the server they will just be dead.

I had to add a check in my server script to auto-respawn the NPCs which died as the result of this exploit.

Instead of Respawning the NPC just add a ForceField to prevent it from dying by Explosions.


So you can kill NPCs Client Sided by deleting your Humanoid? I am unsure can you explain

No, just killing NPCs client-sided in any way will kill them server-sided. Exploits which spawn explosions or kill NPCs in anyway will kill them server-sided as well - but I didn’t know about deleting the humanoid would do that too.

This doesn’t affect other players besides LocalPlayer in any way (as far as I can tell) due to replication.

We must keep in mind however, that FilteringEnabled is just a whitelist of what is able to replicate and what isn’t - it’s actually a common misconception that it’s a true separation of client and server.

You might want to file that as a Separate bug report.


I’m interested to discuss this issue further in DMs.
(let’s not make this thread a mess)

This is a issue yes and can be exploited but there are a number of ways to prevent this.

They achieve this god by deleting the current humanoid and creating a new one right after.

If you can create some connection with the humanoid that the player spawns with on the server I don’t see why you can’t prevent this issue.

One of the ways you could prevent this is by simply checking if the humanoids ancestry has changed or not.

1 Like