Exploiters keep finding ways to lag game. How are they doing it?

I would guess they're spamming something which spawns effects. Impossible to tell since I don't know the code, though.

1 Like

Maybe try contacting one of them, or buying the script itself, to see.

1 Like

It’s hard for us to help you and diagnose the issue without knowing what the game’s code looks like and how it works. The best thing you could do is to go through every single system in your game and try to abuse it until it breaks/replicates the lag effect. Think as if you are the exploiter trying to break your own game.

1 Like

Maybe if you use a letter like f or click on screen then they use enum thingy and it uses a loadstring, so try and block injections by it detecting code.

You could detect when one user's ping gets high, then loop through the rest of the players to see if their ping is high?

1 Like

Very unreliable, don’t do this.

P.S: For your issue, you would have to debug and find where the issue lives, and give us that code, because we cannot help without it.

I might be wrong, but I think it could be possible for them to spam fire remotes?

1 Like

It’s tough to pinpoint the cause of lag without the game code, but it’s likely related to remotes.

One common reason for lag in games is done by remote events that don’t have any rate limits. You can prevent this by implementing this module.

Another issue happens from sending invalid data types through remote events. Imagine trying to perform arithmetic operations, and an exploiter sends a lengthy string, causing unexpected problems. To stop this, try using this runtime typechecker and read up on how exploiters can manipulate strings to disrupt your game here.

While less common, exploiters can spam play animations, triggering signals like Humanoid.AnimationPlayed rapidly on the server. If you use such signals, keep an eye out for constant spamming or unused animation IDs.

1 Like

I don’t know much about preventing exploiters, because I never really had to do this in my games. However, I think you maybe could add the :IsServer() and :IsClient() to implement small security measures to your game. It won’t help a lot, but I think it could be useful.

if game:GetService("RunService"):IsServer() then
    -- do code here.
else
    warn("Player is trying to access Server Script!")
end

Players exploiting might attempt to execute server-side scripts from the client side, so including these conditions can be helpful, maybe?

I’d suspect they are spamming your Remotes, this sometimes also happens with auto clickers for example, where they would just fire the remotes so fast it would start delaying the responses.

1 Like

You can’t execute code on the server as a user even with an executor. If this was possible you could just give yourself everything by abusing datastores.

But you can do it with certain exploits though?

Unless the game has enabled loadstring, which can only be turned on by the server, then no.

Exploits generally take advantage of vulnerabilities of the game’s code, then if the game code has the vulnerability to, exploits can actually execute server scripts

That’s why you can make use of server-side validation

No, it is impossible to run your own code on the server without loadstring enabled; even server scripts can’t run custom injected code without loadstring enabled. The most you could do is fire remotes which trigger some code that is meant to be there.

1 Like

If the script is at the workspace, you can access it?

Yes, but you can’t run any custom injected code.

1 Like

If you really want to try, make a completely fresh game (add some stuff into server storage), then during a play test as the user make a server script anywhere and then try to get it to view everything in server storage.

1 Like

I personally kick users that go over my rate limit and ignore invalid requests. Though I do log such and check later to make sure they’re not invalid by my own mistake.

It still happens quite often despite all the anti exploit stuff Roblox has made. Remotes to watch out for are especially the remotes that do stuff that can build up on memory or replicate to other clients.

I’ve helped small games before who had no protection on scripts that ran Player:LoadCharacter() and calling it 500 times in a split second was enough to crash studio.

It usually is memory or network traffic issues if the effects aren’t that visible. In such a scenario all users might lose connection to the server at once. Or might experience a high ping or unresponsive behaviour.

If it’s lag where your frames drop, then it’s often too many effects on the client lagging the client.

Another thing that could happen is a rare case scenario where your code has a bug that occurs rarely, but once it happens it’s destructive.
I had a case where I had a Base93 encoding algorithm, but inputting the number 0 would crash the server; any larger number into the millions wouldn’t and would just make the output string larger. But 0 happened in rare case scenarios. All thanks to me copying JavaScript code to Luau and forgetting arrays start at 0 in JavaScript and at 1 in Luau.
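
Added example, not part of any post in this thread: a server-side handler that combines the two defences suggested above, a per-player rate limit on a remote and type/range checks on its arguments, dropping and logging bad requests and kicking only repeat offenders. The remote name `CastSpell`, its two arguments and all limits are assumptions chosen for illustration.

```lua
-- Added example: server Script (e.g. in ServerScriptService), not code from the thread.
-- Assumed: a RemoteEvent named "CastSpell" in ReplicatedStorage; all limits are illustrative.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local castSpell = ReplicatedStorage:WaitForChild("CastSpell") -- hypothetical remote
local RATE, BURST = 5, 10 -- tokens refilled per second, bucket capacity
local MAX_STRIKES, MAX_NAME_LEN = 20, 32 -- rejected calls before a kick, longest accepted string
local buckets = {} -- [Player] = { tokens, last, strikes }

-- Token bucket: each call costs one token; an empty bucket means the call is dropped.
local function allow(player)
	local now = os.clock()
	local b = buckets[player]
	if not b then
		b = { tokens = BURST, last = now, strikes = 0 }
		buckets[player] = b
	end
	b.tokens = math.min(BURST, b.tokens + (now - b.last) * RATE)
	b.last = now
	if b.tokens < 1 then
		b.strikes += 1
		return false, b.strikes
	end
	b.tokens -= 1
	return true, b.strikes
end

-- Never trust argument types from the client: check type, length and range.
local function validArgs(spellName, power)
	return typeof(spellName) == "string" and #spellName <= MAX_NAME_LEN
		and typeof(power) == "number" and power == power -- power == power rejects NaN
		and power >= 0 and power <= 100
end

castSpell.OnServerEvent:Connect(function(player, spellName, power)
	local ok, strikes = allow(player) -- rate check first, so spam never reaches costly code
	if not ok then
		if strikes >= MAX_STRIKES then
			warn(("[remote] kicking %s: rate limit exceeded"):format(player.Name))
			player:Kick("Too many requests")
		end
		return
	end
	if not validArgs(spellName, power) then -- logging here is bounded by the rate limit above
		warn(("[remote] invalid args from %s: %s, %s"):format(player.Name, typeof(spellName), typeof(power)))
		return
	end
	-- Only now run the real handler logic (effects, damage, LoadCharacter, ...).
end)
Players.PlayerRemoving:Connect(function(player) buckets[player] = nil end) -- free per-player state
```

Reviewing the `[remote]` warnings in the server log shows whether rejections come from abuse or from a mistake in your own client code before you tighten the limits.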