Hey everybody, I’m currently making a new weapon system; however, I am having some difficulty with one area. I need help creating a ballistic system that also allows me to check on the server to prevent exploits from just firing the damage event and killing everything. Any known methods are welcome, I just need a reliable method of doing the server check!
The issue with running all the ballistics and raycasting on the server is that there will always be latency going from the client to the server, so the raycast will never hit true to where the mouse was when you shot on the client. You will always have to shoot in front of the person. Not good gameplay experience.
You either suffer from a security vuln and risk players quitting due to the game being unplayable or live with a bullet taking a while to actually fire due to ping.
2nd option shouldn’t cause too many issues because Roblox already handles region-selection for you, so it’s the best one imo
The way other game engines do it is that they record every frame each player’s position. They keep a cache of the last couple seconds of this data. Then when a client sends a shot request, they take the player’s average one way latency and rewind all the player’s hit boxes to where they were for just a moment to perform raycasts. You may need to interpolate between frames.
Couldn’t this be exploited though? If you’re saving each frame, that has to be done on the client, so shooting it over to the server to be checked would allow exploitation?
The way that I like to do it is via casting the ray on the client and then doing sanity checks on the server. But ben, I hear you cry, this sounds stupid because of the security issues! Luckily, we can just do sanity checks on the server and check whether or not that ray would hit the player. The only issue we’d have to deal with now is aimbotting, however that’ll exist whether or not it’s done on the server/ client.
Here’s a step by step way of how I do my guns:
1. User clicks and fires the gun
2. Ray is cast on the client and some client sided checks are done (not many though, as it is the client)
3. Create the bullet for the client
4. RemoteEvent is fired
5. The server is provided the ray’s results, the player who fired it and the player who’s supposedly been hit
6. If the server thinks the hit is correct, damage them
What would the server check for? The process is very simple to think up; however, actually doing the checks is what I need help with. How do I check to make sure the hit is accurate, and not just the event being fired by an exploiter setting random values into a table on the event that would make the server believe it’s correct? As the exploiter, I could make it appear to the server that I was in fact 3 studs from the other player, and there was nothing between me and them, when in reality, I could have been on the other side of the map between a ton of obstacles. That’s the big issue.
Movement is replicated from the client, so yes, they could arguably teleport; however, they can’t trick the server into thinking they’re somewhere when they aren’t. If they could, flight exploits, no-clip, etc. would be impossible to get rid of. Besides, if they can trick the server into believing they’re somewhere when they’re not, a simple anti exploit script which logs the player movement could detect the anomaly.
The snapshots are stored on the server, and are where the server saw the players at that time.
As mentioned in the messages above, you can have the client perform the raycast first and then tell the server what part should be hit so only that part needs to be sent back in time, but this won’t always work because the client’s state may be a bit off from the server state, perhaps due to another player jumping in the way.
The issue with this method is that players can overly inflate their ping by introducing artificial lag. I don’t think this is much of an issue of Roblox though.
But at the same time the point still stands with latency. By the time the server listens to the event, that player could have sprinted away and be several studs away from where they originally fired, so this won’t work either. All you need to do when you fire the event as an exploiter is set it so the raycast originated from their position and that it hit, but the server won’t know exactly where they were because now they’ve moved. No reliable way to check the raycast.
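The server-side snapshot history and rewind described in the thread, combined with sanity checks on the client's claimed shot, as an added example that is not code from any poster. It is a server Script; the RemoteEvent name `FireShot`, the argument order, the tuning constants, and the use of `Player:GetNetworkPing()` as the rewind estimate are assumptions.

```lua
local Players = game:GetService("Players")
local RunService = game:GetService("RunService")
local fireShot = game:GetService("ReplicatedStorage"):WaitForChild("FireShot") -- assumed RemoteEvent
local HISTORY, MAX_REWIND = 1, 0.3 -- assumed: seconds of snapshots kept, cap on rewind
local ORIGIN_SLACK, MAX_RANGE, HIT_RADIUS, DAMAGE = 6, 500, 3, 20 -- assumed tuning (studs, hp)
local history = {} -- [player] = { { t = time, pos = Vector3 }, ... }, oldest first
RunService.Heartbeat:Connect(function() -- record where the server saw each player
	local now = os.clock()
	for _, player in ipairs(Players:GetPlayers()) do
		local root = player.Character and player.Character:FindFirstChild("HumanoidRootPart")
		if root then
			local list = history[player] or {}
			history[player] = list
			table.insert(list, { t = now, pos = root.Position })
			while now - list[1].t > HISTORY do table.remove(list, 1) end
		end
	end
end)
Players.PlayerRemoving:Connect(function(player) history[player] = nil end)
local function positionAt(player, t) -- rewound position, interpolated between snapshots
	local list = history[player]
	if not list or #list == 0 then return nil end
	for i = #list, 2, -1 do
		local a, b = list[i - 1], list[i]
		if a.t <= t and t <= b.t then
			return a.pos:Lerp(b.pos, (t - a.t) / math.max(b.t - a.t, 1e-6))
		end
	end
	return t < list[1].t and list[1].pos or list[#list].pos
end
fireShot.OnServerEvent:Connect(function(shooter, origin, direction, target) -- all but shooter untrusted
	if typeof(origin) ~= "Vector3" or typeof(direction) ~= "Vector3" then return end
	if typeof(target) ~= "Instance" or not target:IsA("Player") or target == shooter then return end
	local when = os.clock() - math.min(shooter:GetNetworkPing(), MAX_REWIND) -- inflated ping buys nothing
	local shooterPos, targetPos = positionAt(shooter, when), positionAt(target, when)
	if not shooterPos or not targetPos then return end
	-- Written as "not (x <= limit)" so NaN or infinite components in the vectors are rejected too.
	if not (direction.Magnitude > 1e-3 and (origin - shooterPos).Magnitude <= ORIGIN_SLACK) then return end
	local unit = direction.Unit
	local along = (targetPos - origin):Dot(unit) -- distance along the ray to its closest approach
	if not (along >= 0 and along <= MAX_RANGE) then return end
	if not ((origin + unit * along - targetPos).Magnitude <= HIT_RADIUS) then return end -- ray misses
	local params, chars = RaycastParams.new(), {}
	for _, p in ipairs(Players:GetPlayers()) do table.insert(chars, p.Character) end
	params.FilterDescendantsInstances = chars
	params.FilterType = Enum.RaycastFilterType.Exclude
	if workspace:Raycast(origin, unit * along, params) then return end -- world geometry blocks the shot
	local humanoid = target.Character and target.Character:FindFirstChildOfClass("Humanoid")
	if humanoid then humanoid:TakeDamage(DAMAGE) end
end)
```

The claimed origin is compared against the shooter's own rewound position rather than their current one, so a player who sprinted away after firing still validates, while an origin on the other side of the map does not.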