Having a RemoteEvent that can only be fired via exploits? - Anti-exploit idea

Take into account that I’m new to game security.

So, I just had an idea about game security. What if I placed a RemoteEvent in ReplicatedStorage that could only be fired via an exploit on the client? I could give the RemoteEvent an enticing name like “GiveMoney”. Then I could log which player fired the remote. Obviously, I know not to leave any abusable remotes, but the exploiter wouldn’t know that. I think running sanity checks along with a system like this in place would be beneficial.

Although, I think punishing the exploiter right away would make it obvious that it was a trap. I think a better way of dishing out punishment would be something like this:

Log the exploiter > Actually reward the player in-game currency > Slowly break the game for them so it becomes unplayable

Though I do suspect that they’d catch on eventually. Maybe a system like this would be better implemented in a scoring type of system. For example, if a player randomly travels quickly across the map it could be due to an exploit or due to Roblox’s wacky physics. The player would then be logged as a potential exploiter and have one strike against them. Then if they received kills too quickly they’d have another strike against them. And lastly, if they fired the fake remote you’d be certain that they’re an exploiter.

I’m curious if this would be a viable tactic. I’ve never seen anyone talk about this before; I’m eager to hear everyone’s thoughts.

2 Likes

I always add bait remotes to my game as lure for noob exploiters. It never makes a huge difference, but it is always nice to see someone fall for it.

4 Likes

I believe the idea about the remote event in replicated storage as bait is called a honeypot; but just know this has been used many times, so “GiveMoney” isn’t really all that enticing a name to smarter exploiters nowadays. Though, it will work on some nonetheless. I’ve never actually heard about rewarding the player when it’s fired before, and I do like that idea. Instead of slowly breaking the game, I would suggest counting how many times they fire the remote, because once they know it works, who wouldn’t be greedy for more money (if yk what I mean). Then if it was fired at least 3 times or whatever amount works for you, then you can ban them or maybe take away all their money. Because at this point, it’s obvious they are exploiting lol.

I have a similar system to your scoring-type one and use this in my anti exploit for physics-based detections, and I have never seen anyone else use it. I call it the demerit system, and basically, on each detection for a potential exploiter, I add (depends on what exploit was detected, ex: speed = 1, no clip = 1.5, flying = 2, etc) demerits to their existing count. Once they reach a certain amount or range of demerits, then I respawn them on each next detection.

1 Like
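The fire-count honeypot and the weighted demerit system described in the post above, combined in one server Script. This is an added example, not code from any poster in this thread; the `addDemerit` helper, the `RESPAWN_AT` threshold, and the kick message are assumptions, while the weights and the limit of 3 fires come from the post.

```lua
-- Added example (server Script, e.g. in ServerScriptService); not code from the thread.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

-- Weights quoted in the post above; RESPAWN_AT is an assumed threshold.
local WEIGHTS = { speed = 1, noclip = 1.5, flying = 2 }
local RESPAWN_AT = 5      -- assumed demerit total after which each detection respawns
local HONEYPOT_LIMIT = 3  -- "fired at least 3 times" from the post

local demerits = {}       -- [Player] = accumulated demerits
local honeypotFires = {}  -- [Player] = number of bait remote fires

-- Hypothetical helper: call it from your own physics checks with a WEIGHTS key.
local function addDemerit(player, kind)
	local weight = WEIGHTS[kind]
	if not weight then
		warn("unknown detection kind: " .. tostring(kind))
		return
	end
	demerits[player] = (demerits[player] or 0) + weight
	print(("[demerit] %s (%d) %s +%.1f = %.1f"):format(
		player.Name, player.UserId, kind, weight, demerits[player]))
	if demerits[player] >= RESPAWN_AT then
		player:LoadCharacter() -- respawn on every detection past the threshold
	end
end

-- Bait remote: no LocalScript in the game ever fires it.
local bait = Instance.new("RemoteEvent")
bait.Name = "GiveMoney"
bait.Parent = ReplicatedStorage

bait.OnServerEvent:Connect(function(player, ...)
	-- Arguments are client-controlled: log how many arrived, never act on them.
	honeypotFires[player] = (honeypotFires[player] or 0) + 1
	warn(("[honeypot] %s (%d) fired %s with %d args, count %d"):format(
		player.Name, player.UserId, bait.Name, select("#", ...), honeypotFires[player]))
	if honeypotFires[player] >= HONEYPOT_LIMIT then
		player:Kick("Disconnected") -- or record a ban in your own datastore
	end
end)

-- Drop per-player state on leave so the tables do not grow without bound.
Players.PlayerRemoving:Connect(function(player)
	demerits[player] = nil
	honeypotFires[player] = nil
end)
```

Because the counters are keyed by `Player` and cleared on leave, they reset when a player rejoins; persisting them by `UserId` would be needed for strikes to carry across sessions.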

I didn’t realize it was that common, I’ll be sure to come up with a better name to bait the smarter exploiters.

That’s a solid point, I’ll definitely be adding something similar.

The typical terminology for this is called a “honey pot”. This is a very effective method and I can say from my personal experience of Roblox Uno that honey pots do in fact work. However, a much more effective method for obfuscation is simply randomizing your remote names through a central library or framework, and then adding hundreds of honeypots / fake remotes to further increase the effort to exploit the system. The key thing to remember is that security by obscurity is never a surefire way to prevent exploits - it only makes it harder to find them. Always use sanity checks regardless.

4 Likes