The problem that Roblox has currently is that because of FilteringEnabled now being mandatory for games, the olden days of free exploits now no longer exist, but instead have been replaced with Free FE bypassing exploits, such as the ones you can get from large online personalities (not going to name anyone) that just spread them like wildfire.
Another issue, is that the attitude towards exploiters is getting worse, meaning that exploiters who are doing security research for the HackerOne program usually get abused and sometimes even banned from games they are testing in, before being able to explain that their motives are indeed good.
Another issue, is that despite the HackerOne program being an official program, it is hardly recognisable to the general population, as there is not enough publicity to it, meaning that members of the program are ridiculed for being “wannabe” hackers, when in fact they are trying to stop those exact people.
FE-bypassing exploits are much easier to detect and patch though
If you’re testing for Roblox’s bug bounty, you should test on your own places. Generally speaking, Roblox’s h1 is more for general security vulnerabilities- not lua exploits (send those to Exploit_Reports).
Roblox’s H1 program only just became public recently and is intended for genuine security vulnerabilities; not skids or game cheats.
I totally agree, however, the exploiters that I know of only go on other developer’s games to test API or loadstring based attacks, and some actually have an “exploit as a service” model which they advertise to developers that need help with making, or testing antiexploit scripts, rather than to annoy or troll people like “skids” do.
As said many times before, you can’t 100% secure the client. But, you can always secure the server. You can have scripters add some anti-exploits on the client to help with some
exploit prevention, but a dedicated exploiter will always be able to circumvent these scripts.
Not gonna lie, you are kinda just stating the obvious here. Synapse is engineered in such a way that it is pretty hard to get round it. Unfortunately, there is no way to stop these exploits indefinitely. The best thing you can do is watch the players movement on the server, if you aren’t experienced in programming then I suggest taking a look at this. While it is experimental, maybe you could polish these rough edges and maybe learn something from it.
That’s so weird to me that such a high number voted against this! We need to be able to learn all we can if it is our own game on the line. Roblox does a certain amount to prevent this but we still end up having to do much more. Please do give us this information since documentation is hard to come by!
I’ve seen a lot of attitude that nothing can be done. How can that be the answer? That sets you up for 100% chance of failure. “Nothing can be done so it’s best just to let the entire platform be ruined by exploits, bots, and copies.”
Based on what the poster has said, they are not bringing anything new to the table. This one has a whole section discussing place stealing already. You can’t stop client-sided exploits because they run on the client – there will always be a way around for exploiters because they control their own device. Geometry and local source will always be up for grabs since the client needs to have a copy of it.
I applaud their attempt to share knowledge though!
I’d like to see what the poster has to say in long form because when you are starting out developing on Roblox it’s not clear how many ways your game can be messed with. There is no one saying btw, the models and plugins on the official marketplace have viruses. Then the virus scans don’t really do anything, not like a real virus scan anyway. There’s all kinds of things that end up happening, some of which makes national news or goes viral on Youtube.
We are on our own with these problems in many ways and with little documentation. Perhaps the OP has some secrets.
I still feel like doing it, I am thinking of releasing a anti exploit to the public anyway, It stops exploiting but it probably won’t last long as exploiters might get around it’s frame work.
A lot of people have made attempts to stop exploits with various client-sided ways. Most of them can be bypassed by exploiters, while the rest usually only works in isolation, not in an actual game, or tends to have false positives.
If you search around on the devforum, you can find ideas such as detecting memory changes, output messages/errors, and other similar stuff which you rather shouldn’t rely on. There are also other methods which do work, but only check for certain cases, i.e. whether a specific function acts differently than it should, which might never be the case if the exploiter knows what they’re doing.
That being said, I don’t think anything super new can be figured out. The only case of client-sided anti exploit I’ve seen to give exploiters a headache was an obfuscated WalkSpeed check script which checked the speed of the running animation, and used OnClientInvoke as a form of a return check.
tl;dr focus on server checks for now, use devforum resources to find examples of i.e. a server-sided anti speed and learn how it works
It is absolutely possible to write a "cheat free"player controller for roblox, I’ve gotten it working a couple times now. However, only having access to raycasts and not better sweeps makes writing one as good as the original humanoid really difficult.
This means you can have a game where the movement is 100% unhackable, but they could still aimbot or esp.
As long as it is server-authorized and client-predicted, sure. However if the client has full control over their character movement and the server does not check whether the movement is correct, then just because it is different from the default avatar movement does not mean it’s automatically “cheat free”.
If it runs on the client, it can and will be exploited. Using non-default systems just makes it more tedious / harder for exploiters to do so (i.e. you’re raising the bar, not making it impossible to reach).
That is exactly what I’m doing To put it as simply as possible; I only send client input to the server, the server sends down where you ended up, and then you fast-forward the remaining input to end up back exactly where you should be. Same as every first person shooter in the last 20 years has done it
You have to do a fair bit of proper engineering to make this work, but I’ve proven out its possible. Would have been a LOT easier if I had access to a swept sphere or capsule check, because fast forwarding the player to where they should be has to happen all on a single frame once the snapshot comes down, meaning you can’t use the roblox physics engine for collision, in fact you can only really use raycasts.
Here’s a gif of it in action.
The server is sending down “confirmed” player positions at 10hz (the trailing guy)
The smooth moving player is the locally predicted player, same as most FPS’s use.
They can only steal the geometry (parts) and eventually LocalScripts & ModuleScripts. What they cannot steal is your server scripts (without which the game is useless) and also the contents of ServerStorage and ServerScriptService.
This was an amazing post. I’m starting to understand how this whole exploit thing works and it’s awesome Roblox is trying to do something about it. (I just wish more people will realize that one day)
Unfortunately there are ways to steal an entire place if you know the place number. I’ve seen it in action and doesn’t even take much to do. I’d gladly show a Roblox staffer the link but I assume they know about it.
I’m hopeful but skeptical they can stop it… at its core the entire platform is a web server so serving files is the whole point.