Help in creating a server-sided movement validation system / anti-cheat

Hey there!

I’ve been attempting to create an anti-cheat around Roblox’s humanoid for a while now. I’ve made multiple server-sided anti-cheats over the past year, and have gained a lot of experience. I mainly made them out of fun and love the “cyber security” aspect (if you want to call it that). With each iteration I’d make, I would try to come closer and closer to a 1:1 movement validation system. An anti-cheat which would theoretically determine that a player is moving in a way that isn’t possible within Roblox’s physics, and effectively stop any movement exploit. However, this is where I hit a bottleneck.

Now, before I go on further, I already know about server authoritative movement and Chickynoid. However, my little pea brain can’t really scratch my head or have the time to make one, nor does Roblox’s engine really allow for it properly. Another part of me also feels like there’s potentially a better (simpler) way to achieve something LIKE Chickynoid, which is why I’m making this post!

Back onto my situation, I ended up making a fairly good anti-cheat - being able to detect only a 2 stud difference in velocity on an X, Z axis, which is completely lag compensated. As well as being able to detect pretty much all fly’s by calculating a player’s max possible air time (I’m sure Y-Port fly’s would bypass?). The thing is, that’s only cool until you realise you need to account for Roblox’s weird humanoid quirks, and part velocity that changes the player’s velocity, and the players being able to boost off of random parts, or the fact that you realise you’re using something on your server-sided anti-cheat that an exploiter can spoof from their end, then you make a whole new function to determine something Roblox has already calculated for yourself since there’s a massive security flaw, and it all just gets so… inconsistent. You also end up creating a cluster of leniency where it just feels like you’re just patching bug after bug, due to the inconsistencies of Roblox’s humanoid. (Oh and collision… It’s tough trying to lag compensate a no-clip check. Unless anyone has any ideas?)

So, what am I trying to propose, or ask for help here? Well… Is there a better way? Would it be better to make an anti-cheat using your own custom physics controller? With this physics controller, could you re-simulate this movement within the server instead of relying on client inputs and all this - “networking jazz”? Is there a simpler way to create server authoritative movement? I’d just like some advice from someone experienced in this field, and what worked for you. Where should I go from here?

At the end of the day, this is just a passion project, and I find it interesting. I’m not doing this for a game (as most people are), I’m just creating it out of the enjoyment I get - a sense of achievement. If anyone wants to spread any light in helping me create a 1:1 movement validation system of SOME sorts, or their own advice on where to go from here, please pop some advice below!

Thanks!

(apologies for the long post)

If you don’t know where to start and don’t have a use case in mind it’s not a good project to work on. Obtain one or the other.

1 Like

Like @azqjanna said, without a goal, it is hard to get anywhere.

Roblox recently introduced physics based avatars with controllers:

Will these help/hurt your cause?

2 Likes

Well the goal is pretty simple. As I stated in my post - to create a 1:1 movement validation system or in simpler words, prevent all movement exploits.

Thank you for your response. This is exactly what I’m trying to figure out as I said in the post!

I’ve been trying to do the exact same for my server anti cheat and holy god I want to pull out my hair. I literally have 62,000 lines of just pure maths and raycasts calculating everything; we’re talking Euler Lagrangian mechanics approximations with quaternion rotations to account for Roblox’s weird quaternion interpolation quirks during movement. I had to implement my own differential equation solver using 4th order Runge Kutta integration because the standard physics propagation doesn’t properly account for temporal discretization errors with lag.

The system was quite accurate for normal players, around 96% prediction accuracy, but then I found out about TAS, which flagged pretty much every check. Basically TAS is a tool assisted speedrun that abuses the quirks of Roblox physics without exploits: https://www.youtube.com/watch?v=9OkEYpQilxg

After that mental breakdown I started from scratch and ended up creating my bloody math formulas from data collected from running millions of bots in different physics scenarios. I’m talking eigenvalue decomposition of covariance matrices from multidimensional movement vector spaces to find statistical boundaries for legitimate player behavior. Had to implement a non parametric kernel density estimation algorithm that dynamically adjusts its bandwidth based on part velocity distribution to handle the bimodal patterns that happen during wacky movements.

Finally got my server AC that no longer flags any sort of tool assisted movements but is still strict enough that exploiting has no benefit. The secret was abandoning pure deterministic physics modeling (and my sanity) and instead using a lot of analysis.

Short answer: no, it’s not really possible to make a 1:1 physics emulation because Roblox’s underlying physics engine itself has random elements and makes no sense.

1 Like

This sounds absolutely insane. How did you come to figure out all of this? Is it fully lag compensated? How are you handling the lag compensation? What prediction models are you using? I have so many questions. Even though you did say it’s not possible in your own words, how close would you say your anti-cheat is to having a 1:1 physics simulation? Would love for you to go more in-depth! If you’re comfortable sharing, of course.

P.S I did not even know about TAS, that’s defo putting my morality down a bunch…

Well, for lag compensation it’s quite simple, on the surface anyway: it’s taking the ping then multiplying it by the calculated leeway, but I do limit it to 15% max extra leeway to stop any sort of fake ping exploits from having a meaningful impact.

As for the maths side, a lot of my friends/family do cryptography, nuclear physics, bio engineering etc., so I know a lot of maths from them and Google.

As long as the physics is simple enough, like conveyors, trusses, spinning parts, etc., the ac is 1:1, but when you crank these values up to 10,000 and above or have wacky body movers, custom shapes, large avatars etc., the maths starts to break and it starts to overcompensate.

As for going more in depth, I’d be here all day trying to remember why I use such x formula for x situation, but the main reason for even having all this maths in the first place is because I can’t trust the values Roblox gives me like Hrp.Velocity, because they are done on the client and easily spoofable by exploits, so I have to go off and try to guess the velocity in every possible situation, and sometimes (like when you jump under a low part) your velocity goes to infinite, making life so much harder.

I’ve also tried server side characters in Roblox, and while it works perfectly and is 1:1 because it’s Roblox physics, the simple fact is that there isn’t enough computer power (even with actors) to handle each character and still have room left to actually make a fully functional game.

Best public server ac I’ve seen but still has its flaws: FJ's (Experimental) Character Anticheat

Oh I see, that’s interesting. I tested out the anti-cheat you sent, and it seems to false flight quite a fair bit. Understandable it’s a demo, but it doesn’t seem to handle edge cases that well or maybe I’m lagging? In that case it would just be a lack of lag compensation.

Onto your lag compensation, how do you determine the player’s ping? Through remote events? If so, how have you prevented abuse and stopped possible spoofing?

Would love to know!

I just use GetNetworkPing but this is coming from the client so add upper limits to what sort of leeway you give players.

As for FJ’s ac, it’s the best I’ve seen in years, which says a lot, but yeah, even then it’s still not perfect, but it’s a hell of a lot better than other server acs with just max airtime checks.
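The capped ping leeway and the "don't trust client-reported velocity" point from the replies above, sketched as a server Script. This is an added example, not code from any poster in the thread; the scaling factor, window length and base tolerance are assumptions, and only the 15% ceiling comes from the thread.

```luau
-- Added example (server Script); not code from the thread.
local Players = game:GetService("Players")
local RunService = game:GetService("RunService")

local MAX_EXTRA_LEEWAY = 0.15 -- the 15% ceiling described in the thread
local LEEWAY_PER_PING_SECOND = 0.5 -- assumed: 100 ms of ping buys 5% extra
local WINDOW = 0.5 -- assumed: seconds of movement judged at once
local BASE_TOLERANCE = 2 -- assumed: studs of slack per window

-- Horizontal studs a player may cover in `elapsed` seconds. Ping only scales
-- the limit up to the cap, so an inflated ping cannot buy unlimited leeway.
local function allowedDistance(walkSpeed, elapsed, pingSeconds)
	local extra = math.clamp(pingSeconds * LEEWAY_PER_PING_SECOND, 0, MAX_EXTRA_LEEWAY)
	return walkSpeed * elapsed * (1 + extra) + BASE_TOLERANCE
end

local state = {} -- [Player] = { root, pos, elapsed }

RunService.Heartbeat:Connect(function(dt)
	for _, player in Players:GetPlayers() do
		local character = player.Character
		local root = character and character:FindFirstChild("HumanoidRootPart")
		local humanoid = character and character:FindFirstChildOfClass("Humanoid")
		local s = state[player]
		if not (root and humanoid) then
			state[player] = nil
		elseif not s or s.root ~= root then
			state[player] = { root = root, pos = root.Position, elapsed = 0 } -- (re)spawn
		else
			s.elapsed += dt
			if s.elapsed >= WINDOW then
				-- Distance comes from positions the server observed, and WalkSpeed
				-- from the server's copy of the Humanoid, not from client velocity.
				local moved = ((root.Position - s.pos) * Vector3.new(1, 0, 1)).Magnitude
				local limit = allowedDistance(humanoid.WalkSpeed, s.elapsed, player:GetNetworkPing())
				if moved > limit then
					warn(string.format("%s moved %.1f studs, limit %.1f", player.Name, moved, limit))
				end
				s.pos, s.elapsed = root.Position, 0
			end
		end
	end
end)

Players.PlayerRemoving:Connect(function(player)
	state[player] = nil
end)
```

The check deliberately ignores conveyors, moving platforms and server-initiated teleports; each of those needs its own allowance added to the limit before a flag is acted on.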

Oh right okay!

Yeah, it seems pretty decent. Airtime checks are not the problem though. It’s max air time checks which are. Air time checks are very effective if they are well lag compensated and actually DYNAMICALLY calculate a player’s max air time based on the current scenario imo. Stops pretty much most flights, just depending how you calculate falling, since you could technically Y-port fly but one of your teleport and/or jump checks should catch that.

I’m still wondering where I should go from here still… I wish someone had some advice that isn’t just “stop, it’s a waste of time.”
Which yes it is, but as I stated in my post, I’m doing it because I find it interesting. So why not?

Anyways, still kind of on a road block still…

Yeah, proper dynamic air time checks are perfect at stopping air walking, slow falling etc., but so many games just have a 5 second max air time with a raycast downwards to find a platform, which is fine… until you’re falling for a long time or on an edge of a platform.

As to where you should go from here, it depends on your game. If your game is a simple obby, just have noclip, rotation checks and a dynamic airtime check that gets nearby parts and takes into account their velocities etc., same for speed but just for XZ axis. But if your game is an FPS based one like Arsenal or Phantom Forces, where even a 5% boost in speed or airtime gives a huge advantage, that’s where it gets extremely hard and I’d lean towards server side characters (which Roblox should provide soon enough, called AuroraService).
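A dynamic airtime budget of the kind discussed above, in place of a fixed 5 second limit: the allowed time is recomputed every frame from jump speed, gravity and the drop to the surface currently below the character, and a sphere cast is used so that standing on a ledge edge still counts as grounded. This is an added example, not code from the thread; it assumes R15 rigs, and every constant marked "assumed" is illustrative.

```luau
-- Added example (server Script); not code from the thread. Assumes R15 rigs.
local Players = game:GetService("Players")
local RunService = game:GetService("RunService")
local MAX_DROP = 1000 -- assumed: how far down to look for a landing surface (studs)
local FOOT_RADIUS = 1 -- assumed: sphere radius, so ledge edges count as ground
local GROUND_EPSILON = 0.5 -- assumed: feet this close to a surface = grounded
local LEEWAY = 1.15 -- assumed: slack for replication jitter

-- Longest legitimate airtime: positive root of 0 = drop + v0*t - g*t^2/2.
local function maxAirTime(v0, g, drop)
	return (v0 + math.sqrt(v0 * v0 + 2 * g * drop)) / g
end

-- Height (Y) of the first surface under the character, or a far floor if none.
local function groundY(character, root)
	local params = RaycastParams.new()
	params.FilterType = Enum.RaycastFilterType.Exclude
	params.FilterDescendantsInstances = { character }
	local hit = workspace:Spherecast(root.Position, FOOT_RADIUS, Vector3.new(0, -MAX_DROP, 0), params)
	return if hit then hit.Position.Y else root.Position.Y - MAX_DROP
end

local air = {} -- [Player] = { time = seconds airborne, takeoffY = feet height at takeoff }
Players.PlayerRemoving:Connect(function(player) air[player] = nil end)
RunService.Heartbeat:Connect(function(dt)
	for _, player in Players:GetPlayers() do
		local character = player.Character
		local root = character and character:FindFirstChild("HumanoidRootPart")
		local humanoid = character and character:FindFirstChildOfClass("Humanoid")
		if not (root and humanoid) then
			air[player] = nil
			continue
		end
		local g = workspace.Gravity
		local v0 = if humanoid.UseJumpPower then humanoid.JumpPower else math.sqrt(2 * g * humanoid.JumpHeight)
		local feetY = root.Position.Y - root.Size.Y / 2 - humanoid.HipHeight
		local floorY = groundY(character, root)
		local s = air[player]
		if not s or feetY - floorY <= GROUND_EPSILON then
			air[player] = { time = 0, takeoffY = feetY } -- grounded: restart the clock
			continue
		end
		s.time += dt
		local budget = LEEWAY * maxAirTime(v0, g, math.max(s.takeoffY - floorY, 0))
		if s.time > budget then
			warn(string.format("%s airborne %.2fs, budget %.2fs", player.Name, s.time, budget))
		end
	end
end)
```

Swimming, climbing, seats and parts that launch the character are not modelled here, so a flag from this check is a signal to combine with the speed and teleport checks rather than grounds for an immediate kick.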

Okay, thanks for your help Xiofail, much appreciated! Did Roblox ever provide an ETA when AuroraService will come out?

Not that I know of, but knowing Roblox, maybe it’ll get announced in this year’s RDC event and then finally release May-June next year.

1 Like