Not only do I agree with the points that OP made and can relate to many of the replies on this thread that not only is exploiting a threat to big games - but it poses a massive threat to community-driven experiences.
For the past 6 years or so, exploiting within community driven experiences such as cafes, clothing groups, and role-play games have gotten worse - for the small guy.
At Bambou alone, since 1/28/21, there has been 4,228 permanent bans - and this is not counting pre-2021.
Us having the experience and the resources to develop proper precautions to make it extremely hard for an exploiter to crash the game or ruin the experience for players has made a big change - but the results above speak for themselves.
The little communities that are trying to thrive and grow who don’t have these resources are constantly abused and battered by experience ruining exploits. I personally have seen small communities give up and die out due to the ongoing abuse.
I have also seen countless amount of times where big group owners(will remain unnamed) are essentially held hostage and forced into giving these exploiters some kind of compensation to stop abusing their game - and these owners, with no experience or tools to combat them, either take a massive loss of revenue or pay out to the exploiter.
This is a big and ongoing problem that has been ignored.
just further proves my point. exploiters just aren’t worth it to them, and they believe it’s the developer’s role to secure their games. they have strange priorities, but they’re not inconsistent with those priorities
Sure, but as per the first sentence of the original post
This is not a post about anti-cheats or the technical aspects of exploiting and exploit prevention.
This post is trying to bring attention to the lack of any moderation and support systems available to developers for combating exploiting. The target of this post isn’t the already heavily-discussed technical intricacies around exploits and security.
If you have technical advice to give I’d encourage you to do as the 2nd paragraph says and make a tutorial in #resources:community-tutorials
I would just like to muse for a moment, although I can’t test any of this.
To mitigate fling hacks:
Client-side, on Stepped, loop through every part owned by other players (i.e. anything that could potentially be used to fling) and set their Velocity and RotVelocity to zero or limit their magnitudes.
This doesn’t catch or ban the exploiters, but makes fling ineffective when someone does use it.
It might also make player movement appear choppy.
This assumes that the game’s owner even bothers to implement any of this in their game, which they won’t.
To climb onto someone’s head even when collisions between players are disabled, add a tool that adds/removes a client-side brick welded to the other player, which you can collide with.
The other player won’t be affected by this unless they also enable collisions with you.
If Roblox ever allows changing collision groups on the client side, the tool should do that instead of attaching a brick.
I agree with this. One of the people in my school is a small developer. He does not know any 3rd or 2nd party things to keep the ban in place. Because of this, he has had to shutdown the game thus stopping his Robux income from his gamepasses. When a person with a premium subscription is in the game.
why he had to shut the game down
This is because a exploiter was using many hacks to make his car do super high speeds. fling people for no reason. teleport around maps. etc. and he got so bombarded with reports that he had no choice but to shut down his game. you are correct. if there was a tool to help deal with exploiters, then he would of kept his game up and got income continually.
I thought I would point out the existence of server authoritative networking, because you make it sound like there is no definitive solution to the issue of hacking. What you are doing right now is taping up the cracks of a broken pipe and complaining that your tape isn’t strong enough, when in reality what you should be doing is replacing the entire pipe with a brand new one.
I think an overreliance on Roblox to suit your every need is not healthy. You should be making feature requests (which I should also mention, this topic is a feature request and thus is in the wrong category) only once you’ve done everything you can (within reason) and found a certain goal to be unfeasible within the engine.
There in fact exists a solution, and it is achievable, as seen by multiple successful attempts at this kind of system. Then, the question should be “how can Roblox make this type of networking more prominent and accessible to developers”, not “how can Roblox help me implement bandaid solutions to this problem”.
It’s really funny and sad to me that roblox hardly does ANYTHING about exploiters, there are so many of them nowadays. It’s literally so bad that people will literally exploit on their main account because they know damn well that Roblox will not ban them or try to stop them from using their scripts. It’s pretty annoying for both owners of big games and the players.
All I can really say to that is I think you’re reading in between the lines a little too much. I feel like I was pretty clear about this not being about the tech involved with security and exploits. The intent behind this post was to display the short comings of other aspects of customer service issues related to exploits.
Again I’m not trying to talk about the car, or what you can do to a car to make it safer. I’m trying to talk about the potholes in the road.
There are better and more visible places to discuss and share best practices for front-line combating exploits than replying to a thread about support systems and moderation.
In Jailbreak, we have a fairly broad set of game-specific cheat detection methods, and are coming up on our 200,000th unique ban within the past 2 years. >99% of these are confident auto-bans. These auto bans only occur after certain confidence thresholds – so I know there is a large % that we are missing. Most of them just create alternate accounts and do it again, rapidly hopping server to server.
It is a tough balance of time deciding whether to tackle patching various generic exploits vs. working on new content/features.
I believe the biggest issue when it comes to exploiters is the fact that they only need to spend 2 minutes of their life creating another account to use to exploit each time they get banned.
In a remote event, it returns the player object.
Couldn’t Roblox also return the file data of the localscript? If it doesn’t match up with the original file then it’s a modified or different localscript firing the remote.
Exploiting is holding the platform back more than anything else in my opinion.
Making a game with any competitive or pvp aspect is basically no longer viable without hiring an entire moderation team and having at least 1 developer dedicated to anti exploits, which at this point just gets you to the bare minimum.
Cheating is so rampant on the site, it feels like most younger players don’t even know its wrong.
Like @LMH_Hutch said, players are simply not discouraged to cheat. And if they do get caught, they can make a fresh account in seconds. It’s extremely discouraging towards creators.
We’ve had to delay major content updates for Jailbreak due to increases in exploits. Exploits are a serious impact to our gameplay allowing players to arrest others or complete robberies automatically. These players then leave, join a new server, and hit the next set of players or stores.
We’ve also had to disable core features of the game because of exploiting. Players are now limited to how much cash they can drop to other players. We’ve had to disable our safe gifting system too, due to exploiters donating safes to their main accounts for easy cash.
I was never fully aware of just how common exploiters are until I started tracking how many people we were banning in my game. In 2 months, we’ve banned over 50,000 exploiters.
And that’s for a non-competitive game. I wouldn’t even bother making a competitive game due to how relentless exploiters are these days.
Thank you for articulating what a lot of us have been struggling to deal with.
I spent more time than it was worth trying to make an automatic anti-cheat system and the trial and error got so bad I just ended up employing a dedicated mod member to run through a ticket system.
Edit: Moderating a player has little to no effect on the sustained amount of reports we get. It very much feels like a pointless battle to fight in.
Here’s a feature request that would go a long way to giving us the proper foundations to secure player movement, without having to radically throw away humanoids or physics or anything extreme like chickynoid does.
This is the one thing that always kept me from creating my own experiences. Just as @Intrance’s example shows - even in non-competitive games, people will still exploit to a degree that is just saddening. The worst part about it? There’s a whole section in the ToS that says that you’re not allowed to inject code into the client and Roblox does jack rabbit about it. This is outrageous! They either should allow white hacking on the site or enforce their ToS. The devs shouldn’t be the ones enforcing those rules in their stead.
A lot of people complain that exploits go rampant in their games, throw around the number of bans, however often they forget to mention the flaws or lack of security in their own code.
Some things I’ve seen certain front page games do:
sending a number from the client and using it in the damage formula on the server without any verification
not checking if a different player’s inventory item was passed to the equip remoteevent, allowing to steal items
not checking if a reward was already claimed on the server, allowing to claim it infinitely
having two damage remoteevents use the same server function and not checking cooldowns in one of them
passing item quantity from the client in a buy/sell remoteevent and not checking for a negative quantity
Those were all present in a few former/current front page games. A few front page games had this kind of flaws. Now imagine if more were examined.
If you’ve heard of the R2DA case, exploiters were able to ban the creator himself from his own game. Do you think that’s a roblox issue? No! It was once again a flaw in a poor code. Having hwid/ip bans would not prevent that at all.
People need to realize that they have to consider security in every serious programming project, whether on roblox or not, instead of jumping on the bandwagon of “give us bans roblox, my game is exploited, look at my bans count” without realizing that it wouldn’t solve issues with their own code.
Also what I mentioned were flaws in code. Accidental ones for the most part. But there are also a lot of simple dedicated checks that some games could implement, and yet they still didn’t for some reason. This is mostly basic cooldowns, range checks, logic checks, etc.
Some people mentioned that creating such checks requires more people and effort. And yet a single The Wild West developer managed to create what’s probably the most innovative and sophisticated anticheat to have ever existed on roblox. Some of their solutions were on par with what roblox does internally. I have yet to see any other game do 1/4 of what they did. That’s the only kind of dev whose game truly deserves access to hwid & ip bans in my opinion.
I’m aware that there are also games which already tried and seemingly ran out of options so hwid/ip bans would help them. Of course I agree. However I feel like a lot of people only came here to vent about exploiters and blame it on roblox, often acting like they know better what kind of measures roblox takes to fight exploits, while they themselves don’t even try fixing flaws in their code or implementing basic checks.
I don’t want to point fingers but i.e. one reply here states that roblox doesn’t do anything at all to combat exploiters. Another reply describes how someone had to shutdown their game because they didn’t know how to save the ban in datastores, and that a tool like hwid/ip bans would’ve prevented that. No it wouldn’t. Yet another reply (whose author claims to be studying dll injection) complains about roblox being able to detect dlls yet being “lazy” about it. If you’re studying dll injection then you should also know that i.e. WinVerifyTrust can easily be hooked, and exploits already do that.
I’ve responded to this kind of reply already but please remember that this isn’t a post about the tech involved with exploits and exploit prevention.
As the second paragraph of the OP states if you have useful advice to give consider making a dedicated tutorial post telling people what they can do better. Tagging on information about tech in a reply on a post about moderation and support isn’t helping anyone as much as it could.
The entire point of this thread is so people can share their experience with exploiting. Skill level does not matter nor does it invalidate peoples real world experience with this issue. Bringing awareness to the shortcomings of aspects not related to anti-cheats is the goal, not putiting people down for personal errors.
It’s not our job as developers to create solutions for every problem we encounter. Asking people to share their experiences is not about opening a forum for individual criticism, it’s about giving Roblox ammo to create features and improve the platform with. Please don’t discourage people from taking part in the process Roblox asks us to participate in.
Most experienced developers know about the common vulnerabilities you mentioned. This thread isn’t about that, and it’s not really the place to try and talk down to others.
It doesn’t matter how tight your game’s security is, Roblox is fundamentally easy to exploit on its most base levels. You can have the most secure RemoteEvents in the world, it won’t stop hackers from using character/physics exploits to break your game in other ways, and many of them are nigh impossible to detect.
