Exploiters have been a major problem on Roblox for so long. Games like Natural Disaster Survival have sometimes become unplayable due to the abundance of exploiters. I made a game with friends when streaming to them on Discord where we try to last in a server for 10 minutes without an exploiter and see who can do it first. Going through ~10 servers before I see a server without an exploiter is genuinely baffling.
The problem that I see is not that people can just easily create new accounts, but the lack of prevention in the first place. I do think that Roblox should require a verified email by default, but I don’t think we need anything further than that. Heavy restrictions to the average user are not the best way of handling it even if it will help. It’s a double-edged sword solution. Instead, Roblox should be focusing a lot more on ensuring there is more prevention to combat exploits instead of focusing on account creation.
I also see that it is sad that we have to rely on something like Chickynoid, even if it’s a well-made system to combat it that I do recommend using for the time being. Roblox needs to focus on working with first-party solutions like native server-authority characters instead of relying on third-party solutions. I do know Roblox has it on the roadmap, but I see Roblox focusing more on other things.
The ban API is a good step in the right direction, but it requires the developer to actively add bad actors to the ban list. Preventing exploits is more important than stopping exploits already happening. Once your experience is ruined by exploiters, there is no way to get it back. The best thing we can do for now is create your own anti-cheat systems.
Also, I hate people saying to not bother with making your own client-sided anti-cheats. It’s okay to have a client-sided anti-cheat in your game as it can deter most exploiters as they most likely just got the script off a random website. A server-sided anti-cheat should be mainly used for picking up the pieces that the client-sided anti-cheat misses in case the client-sided anti-cheat is bypassed or if something isn’t detected. Client-sided anti-cheats are like locks; we use them for security despite them being able to be lockpicked, but not everyone knows how to do that or will try to learn how to. Having no lock at all or having your door wide open is inviting people to just come right inside.
It is impossible to stop exploits permanently. It’s a constant cat-and-mouse game. The only thing we can do is ensure there is a way to stop most of them and then try to get rid of the rest through bans or other punishments