FE-bypassing exploits are much easier to detect and patch though
If you're testing for Roblox's bug bounty, you should test on your own places. Generally speaking, Roblox's H1 is more for general security vulnerabilities - not Lua exploits (send those to Exploit_Reports).
Roblox's H1 program only just became public recently and is intended for genuine security vulnerabilities; not skids or game cheats.
I totally agree, however, the exploiters that I know of only go on other developer's games to test API or loadstring based attacks, and some actually have an "exploit as a service" model which they advertise to developers that need help with making, or testing antiexploit scripts, rather than to annoy or troll people like "skids" do.
As said many times before, you can't 100% secure the client. But, you can always secure the server. You can have scripters add some anti-exploits on the client to help with some exploit prevention, but a dedicated exploiter will always be able to circumvent these scripts.
Not gonna lie, you are kinda just stating the obvious here. Synapse is engineered in such a way that it is pretty hard to get round it. Unfortunately, there is no way to stop these exploits indefinitely. The best thing you can do is watch the player's movement on the server. If you aren't experienced in programming then I suggest taking a look at this. While it is experimental, maybe you could polish these rough edges and maybe learn something from it.
That's so weird to me that such a high number voted against this! We need to be able to learn all we can if it is our own game on the line. Roblox does a certain amount to prevent this but we still end up having to do much more. Please do give us this information since documentation is hard to come by!
I've seen a lot of attitude that nothing can be done. How can that be the answer? That sets you up for 100% chance of failure. "Nothing can be done so it's best just to let the entire platform be ruined by exploits, bots, and copies."
Based on what the poster has said, they are not bringing anything new to the table. This one has a whole section discussing place stealing already. You can't stop client-sided exploits because they run on the client - there will always be a way around for exploiters because they control their own device. Geometry and local source will always be up for grabs since the client needs to have a copy of it.
I applaud their attempt to share knowledge though!
I'd like to see what the poster has to say in long form because when you are starting out developing on Roblox it's not clear how many ways your game can be messed with. There is no one saying btw, the models and plugins on the official marketplace have viruses. Then the virus scans don't really do anything, not like a real virus scan anyway. There's all kinds of things that end up happening, some of which makes national news or goes viral on YouTube.
We are on our own with these problems in many ways and with little documentation. Perhaps the OP has some secrets.
I still feel like doing it, I am thinking of releasing an anti exploit to the public anyway. It stops exploiting but it probably won't last long as exploiters might get around its framework.
A lot of people have made attempts to stop exploits with various client-sided ways. Most of them can be bypassed by exploiters, while the rest usually only works in isolation, not in an actual game, or tends to have false positives.
If you search around on the devforum, you can find ideas such as detecting memory changes, output messages/errors, and other similar stuff which you rather shouldn't rely on. There are also other methods which do work, but only check for certain cases, i.e. whether a specific function acts differently than it should, which might never be the case if the exploiter knows what they're doing.
That being said, I don't think anything super new can be figured out. The only case of client-sided anti exploit I've seen to give exploiters a headache was an obfuscated WalkSpeed check script which checked the speed of the running animation, and used OnClientInvoke as a form of a return check.
tl;dr focus on server checks for now, use devforum resources to find examples of i.e. a server-sided anti speed and learn how it works
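A server-side speed check of the kind recommended above, as an added example in plain Lua that is not from the thread: it runs over position samples the server recorded itself. The limits, the `checkMovement` name and the two sample traces are assumptions made for illustration.

```lua
-- Assumed tuning values (hypothetical, not from the thread).
local MAX_SPEED = 16      -- studs/s; Roblox's default Humanoid WalkSpeed
local TOLERANCE = 1.25    -- headroom for latency jitter
local STRIKES_TO_FLAG = 3 -- consecutive violations before the player is flagged

-- samples: array of { t = seconds, x = studs, z = studs } recorded by the server.
-- Returns the time at which the player was flagged, or nil if never flagged.
local function checkMovement(samples)
    local strikes, flaggedAt = 0, nil
    for i = 2, #samples do
        local a, b = samples[i - 1], samples[i]
        local dt = b.t - a.t
        if dt > 0 then -- skip duplicate or out-of-order timestamps
            -- Horizontal distance only: falling is governed by gravity, not WalkSpeed.
            local dist = math.sqrt((b.x - a.x) ^ 2 + (b.z - a.z) ^ 2)
            if dist / dt > MAX_SPEED * TOLERANCE then
                strikes = strikes + 1
                if strikes >= STRIKES_TO_FLAG and not flaggedAt then
                    flaggedAt = b.t
                end
            else
                strikes = 0 -- one clean interval resets the counter
            end
        end
    end
    return flaggedAt
end

-- Constructed traces: normal walking with one lag spike, then sustained 40 studs/s.
local laggy = {
    { t = 0.0, x = 0, z = 0 }, { t = 0.5, x = 8, z = 0 }, { t = 1.0, x = 16, z = 0 },
    { t = 1.5, x = 30, z = 0 }, { t = 2.0, x = 38, z = 0 },
}
local fast = {
    { t = 0.0, x = 0, z = 0 }, { t = 0.5, x = 20, z = 0 }, { t = 1.0, x = 40, z = 0 },
    { t = 1.5, x = 60, z = 0 }, { t = 2.0, x = 80, z = 0 },
}
print("laggy flagged at:", checkMovement(laggy))
print("fast flagged at:", checkMovement(fast))
```

The strike counter is there because a single late sample looks like a burst of speed; requiring consecutive violations keeps ordinary lag from producing the false positives mentioned earlier in the thread.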
It is absolutely possible to write a "cheat free" player controller for Roblox, I've gotten it working a couple times now. However, only having access to raycasts and not better sweeps makes writing one as good as the original humanoid really difficult.
This means you can have a game where the movement is 100% unhackable, but they could still aimbot or esp.
As long as it is server-authorized and client-predicted, sure. However if the client has full control over their character movement and the server does not check whether the movement is correct, then just because it is different from the default avatar movement does not mean it's automatically "cheat free".
If it runs on the client, it can and will be exploited. Using non-default systems just makes it more tedious / harder for exploiters to do so (i.e. you're raising the bar, not making it impossible to reach).
That is exactly what I'm doing. To put it as simply as possible: I only send client input to the server, the server sends down where you ended up, and then you fast-forward the remaining input to end up back exactly where you should be. Same as every first person shooter in the last 20 years has done it.
You have to do a fair bit of proper engineering to make this work, but I've proven out it's possible. Would have been a LOT easier if I had access to a swept sphere or capsule check, because fast forwarding the player to where they should be has to happen all on a single frame once the snapshot comes down, meaning you can't use the Roblox physics engine for collision, in fact you can only really use raycasts.
Here's a gif of it in action.
The server is sending down "confirmed" player positions at 10hz (the trailing guy).
The smooth moving player is the locally predicted player, same as most FPS's use.
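The input-only, server-confirmed loop described in the post above, as an added example in plain Lua (not the poster's code, and using no Roblox APIs). The `Server`, `Client` and `step` names, the fixed tick and the one-dimensional position are assumptions made for illustration.

```lua
local SPEED, DT = 16, 1 / 60 -- studs/s (Roblox default WalkSpeed) and fixed tick

-- Shared movement rule: client and server run the same step, so honest
-- prediction matches the server. A 1-D position keeps the example short.
local function step(pos, input)
    local dir = math.max(-1, math.min(1, input.dir)) -- clamp untrusted input
    return pos + dir * SPEED * DT
end

-- Server: owns the authoritative position and applies inputs in order.
local Server = { pos = 0, lastSeq = 0 }
function Server:receive(input)
    if input.seq <= self.lastSeq then return end -- ignore duplicates/replays
    self.pos = step(self.pos, input)
    self.lastSeq = input.seq
end
function Server:snapshot()
    return { pos = self.pos, ackSeq = self.lastSeq }
end

-- Client: predicts at once and keeps unacknowledged inputs for replay.
local Client = { pos = 0, seq = 0, pending = {} }
function Client:move(dir)
    self.seq = self.seq + 1
    local input = { seq = self.seq, dir = dir }
    self.pos = step(self.pos, input)
    table.insert(self.pending, input)
    return input
end
function Client:reconcile(snap)
    -- Drop inputs the server has already applied.
    while self.pending[1] and self.pending[1].seq <= snap.ackSeq do
        table.remove(self.pending, 1)
    end
    -- Rewind to the confirmed position, then fast-forward the rest.
    self.pos = snap.pos
    for _, input in ipairs(self.pending) do
        self.pos = step(self.pos, input)
    end
end

-- Constructed run: six ticks of "forward"; the server has seen four of them.
local sent = {}
for i = 1, 6 do sent[i] = Client:move(1) end
for i = 1, 4 do Server:receive(sent[i]) end
Client.pos = Client.pos + 100       -- client state altered locally
Client:reconcile(Server:snapshot()) -- confirmed position + replay of 5 and 6
print(string.format("server=%.3f client=%.3f", Server.pos, Client.pos))
```

Because the client's position is always rebuilt from the server's snapshot plus replayed inputs, a locally altered position does not survive the next reconcile, and the server never reads a position from the client at all.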
They can only steal the geometry (parts) and eventually LocalScripts & ModuleScripts. What they cannot steal is your server scripts (without which the game is useless) and also the contents of ServerStorage and ServerScriptService.
This was an amazing post. I'm starting to understand how this whole exploit thing works and it's awesome Roblox is trying to do something about it. (I just wish more people will realize that one day)
Unfortunately there are ways to steal an entire place if you know the place number. I've seen it in action and doesn't even take much to do. I'd gladly show a Roblox staffer the link but I assume they know about it.
I'm hopeful but skeptical they can stop it… at its core the entire platform is a web server so serving files is the whole point.
My other question is have they made a plug-in to prevent them from even stealing your game in the first place? Will they is what I am questioning. I have also seen plug-ins saying "Anti Save instance game steal plug in". This was on Roblox when I saw it. I was afraid to use it because I do not want my stuff stolen. Could someone explain?