Exploiters are able to trigger .touched events on other players

iUnstable0 · December 30, 2021, 12:32am

its already 2 month and this have not been fixed, exploiters can still fire touch interest.
Also from searching I found out that exploits have a special function firetouchinterest which if you specify the root part and the part to touch, it will fire a fake .Touched event which the thing you specified

e4r54yt64rtq26 · December 30, 2021, 1:19am

Exploiters can teleport unanchored parts (Because you can gain Network Ownership of them, when you gain Network Ownership, your client can move that part that you have Network Ownership of), Here are 2 solutions I thought of:

You constantly set the Network Ownership of those parts to nil, or you just anchor the parts.

MILLENNlA · May 2, 2022, 4:13am

This is starting to occur once again. Please, guys, get it together! Many community-based groups that rely on these types of things are unable to function properly (competitive games) as not all things can replace .Touched.

I’ve personally tried looking into various alternatives on how .Touched could be replaced with a coded alternative, but it just doesn’t work the same way.

Exploiters have access to manipulating this event in the best way possible and there really is no way to prevent it in most cases.

jsnotlout1 · May 2, 2022, 6:25am

Make a check on the server-side of the part.Touched detection tha checks the distance between the player and part.

Dev_Sie · May 2, 2022, 6:54am

Did you not read the replies???

jsnotlout1 · May 2, 2022, 7:51am

Not entirely, I was just trying to help. Next time I will be more thorough.

bubshayz · May 2, 2022, 8:23am

One way you can go about solve the vulernability of Touched events by simply performing a simple geometry check on the server by Workspace:GetPartsInParts and check if the “hitbox” is touching the valid target, once the event fires.

My reply to this thread I replied to demonstrates how to use this new method. Please do note the following problems with the approach I’ve quoted down below:

Complete guide of how to make an anti exploit!

If a player is having a poor frame rate, then the player’s hits will not likely be registered on the server, since the replication frequency of the player’s position to the server will be slowed down.

Again, if a player is experiencing high latency, the same problem mentioned above will be faced.

Even if both the cases are not a problem, if the player is moving their melee weapon very fast or them selves are moving very fast, then again their hits will not be registered. This is because of the replication hertz at which position and other data is sent to the server from the client (assuming the player has network ownership of their melee weapon and themselves) , i.e the player’s approximate frame rate, since most replication data is sent every frame .

Exploiters can quickly move themselves to the opponent and then kill them, bypassing this check mostly, except in some cases where they move extremely fast enough to the extent their new position has not yet replicated to the server. You may develop an anti exploit to counter this, but other cases include them moving quickly to their opponent, but just not at a very high speed. Thus, mostly bypassing the anti exploit it self! You cannot handle this your self reliably…

You may try to account for most of these problems by either increasing the size of the hitbox based off of the player’s ping (player:GetNetworkPing), but again this isn’t reliable since the difference between the client’s data and the server’s data will be very different and far from being at least “closely” synced.

MILLENNlA · May 2, 2022, 2:14pm

This is great! Is it recommended to be used in purpose of auto-kicking a player if no parts have been registered by GetPartsInPart() or can it also affect people with lesser/laggier performance that aren’t perhaps using the cheat?

bubshayz · May 2, 2022, 2:23pm

There is no point in kicking the player if you already effectively mitigate the exploit.

MILLENNlA · May 2, 2022, 3:16pm

*not kicking, I meant giving me some sort of detection input

For smaller ranges, it effectively mitigates the exploit, but for higher ranges, I also want to send out a notification to myself out of the game to keep an eye on them in the future (as it’s not meant to be a public playable game, but is a group-related competitive community)

Is it recommended to send out notifications if the player has a lesser/laggier performance?

bubshayz · May 2, 2022, 3:33pm

I would recommend to implement a system to notify your self, only if the player has been registered multiple times (5 is a good amount). It is definitely not wise to notify your self as soon as one does not pass the GetPartsInParts check, in order to avoid false positives in a rare case with this check.

Gojinhan · May 2, 2022, 9:47pm

It would not necessarily be rare per-se. It’s highly possible for a player in America to be playing on an Asian server or something, and then have 300 ping.

Doing a precise geometric check on the server will not register any of this players hits if the opponent in question is actively moving. As the server’s idea of where the opponent is and where the player’s sword is will be way off depending on the ping.

Also keep in mind that this check really doesn’t prevent very much; while it is a good practice, exploiters are still able to just teleport themselves behind you and hit you that way. And even if you had an anti-teleport, they could simply tween themselves to you.

This is a really bad game of cat and mouse, but it’d be also best if you didn’t cripple genuine players that have bad replication lag in pursuit of trying to mitigate this.

MILLENNlA · May 3, 2022, 12:04am

Back at this;

This is such a great solution, but I came across the fact that it still gives false positives when the person swings the tool at someone while moving/rotating fast.

I just wish Roblox would do something about this; I’ve tried your idea and I even recoded the tool with Raycasts, but none of them did their thing.

I’m frustrated; I own a competitive-based group and came across the realization that some people are using this exploit to get ahead of others.

bubshayz · May 3, 2022, 7:01am

Yup - this check does indeed have problems. In the light of Gojinhan’s response, I’ve edited my original reply to point out most of the problems with my approach in detail.

MILLENNlA · May 3, 2022, 6:24pm

@Khanovich Could you please forward this up to engineers again? I rarely get a response in the Engine Bugs category, so I tend to mention any staff members who noticed this issue.

It’s not about the fact that “developers should focus toward better solutions such as Region3, Raycasting and Magnitude”; this issue has made me recode my tools with all 3 solutions mentioned as they’re considered “the best”, yet are unsuccessful/underperforming due to the server’s responsiveness time.

I have tried EVERYTHING (not just me, plenty of other developers have tried EVERYTHING), yet it has proven to be unsuccessful. .Touched is the way to go and is the standard for all basic tools and their basic needs. It shouldn’t just be pushed to the side cause there are other alternatives - it should be prioritized.

I own a competitive community group which has recently had a spike in number of cheaters who are using this form of exploit which technically can’t be detected cause any alternatives/solutions are not 100% precise and can result in with fake detections.

Please, give this thread more attention. It is critical and requires a fix.

buildthomas · May 5, 2022, 1:07pm

This is a solved problem in multiplayer networking: predict actions on the client but validate them on the server. It looks like you only implemented the validation part and haven’t yet done the prediction part.

An example is this:

User picks up a coin.
On their client, immediately render the coin being picked up (effects and such, increase coin counter) and hide it, send a message to the server that you want to pick up the coin.
Server validates and removes the coin from registry and adds it to player inventory.
If valid, all is good, user got immediate feedback and the action was performed.
If not valid, tell the client it was wrong and the correct state for the client and/or have the client revert the action and put the coin back where it was.

You can apply the idea above to any other networked game concept such as firing projectiles, damage/hit/kill indicators, etc.

You are fundamentally never going to solve this problem with just using Touched because physics ownership is distributed. It’s fine to ask for a fix, but that won’t solve issues related to validation because you’re still using physics. You will always need to protect against issues like this with server-side validation.

MILLENNlA · May 5, 2022, 10:33pm

The thing is, I even tried using Raycasts, Region3 and Magnitude, but none of them seem to work except Raycasts (which are delayed and sometimes don’t detect hits on touch).

Goldthyr · August 22, 2022, 7:15pm

Is this patched or is it still exploitable?

MagmaBurnsV · August 22, 2022, 8:58pm

Unfortunately, yes, Touched events are still client-controlled even if the BasePart is completely anchored. I’ve just completely abandoned using Touched events in favor of custom implementations and accepted the overhead of polling the SpatialQuery API because it’s clear this behavior isn’t going to change anytime soon.

JuniorMikezz · February 2, 2024, 10:17am

Any update in regards to when a patch for this behaviour will be delivered?