How to fix the t shirt purchase exploit for donation games

what we know so far:

  • [problem - for t-shirts/shirts] players can change the price before they buy something in game and then change the price again before pressing okay to trigger productPurchaseFinished.

  • [fix for gamepasses] how we fix this for gamepasses is getting the updated value of the gamepass and checking if that is more recent than when they joined the game. however, this value for clothing does not update when the price changes.

two things we know that would completely fix this issue

  1. having the updated value actually update on price change.
  2. being able to have access to an event when player presses purchase (this may vary with latency)

we can’t use getProductInfo because the updated value for t shirts still doesn’t update on price change. and the price value may be cached.

we can’t use processReceipt because that’s only for gamepasses and developer products.

sending a remote event to the server won’t completely fix this issue because exploiters can use the event and prompt themselves.

checking the price again won’t work because this exploit takes place during a time we can’t seem to know whether they’re doing it or not.

we can’t get the updated time stamp from the web page because it has nothing to do with the web page being updated.

we can’t use cache-control header because the updated property isn’t cached. it just simply doesn’t update when the price of the clothing changes like it does for gamepasses.

there doesn’t seem to be any meta data on the site that would let us know if it has been updated.

we can’t get the transactions from the user because that requires authentication.

there doesn’t seem to be an api for sale details of the clothing product.

web scraping wouldn’t do any good if there’s not an updated tag in the metadata (there was none i could find).

  • [hacky fix] check pending robux amount in the group and compare the price of the item purchased. the issue with this is it is not 100% accurate…

here are some steps we can take to mitigate but may not be foolproof.

  1. let the server know when a player wants to make a purchase.
  2. if the player has prompted themselves without using the remote event then deny the purchase (purchaseFinished would do nothing).
  3. put a debounce on when the player can purchase. if they try to make a purchase during the debounce time we deny the purchase (purchaseFinished would do nothing)
  4. when the server receives the communication that a player wants to make a purchase we add them to the debounce table, we check what the item was prompted for then and we use that price as the actual price they purchased for. not the price that we get on purchaseFinished.
  5. have pending robux be on an interval, say every 5 seconds, and store every transaction made since the last time pending robux amount was updated so you can compare the most recent transactions after every purchase.

and then here’s some stuff roblox’s ai assistant gave me.

  1. Server-Side Validation: Always validate purchases on the server-side. Never trust the client as it can be manipulated by exploiters. When a player attempts to make a purchase, validate it on the server to ensure the player has enough funds and the item they’re trying to purchase is valid.
  2. Use RemoteEvents and RemoteFunctions: Use RemoteEvent and RemoteFunction for communication between the client and server. Make sure to validate all data sent from the client on the server-side.
  3. Monitor Transactions: Keep a log of all transactions. This can help you identify any unusual activity, such as a player purchasing an item multiple times in a short period.
  4. Limit Purchases: Implement a system to limit how often players can make purchases. This can prevent exploiters from rapidly purchasing items to gain an unfair advantage.
  5. Secure Your Scripts: Make sure your scripts are secure and can’t be manipulated by exploiters. This includes using LocalScript for client-side scripting and Script for server-side scripting.

any help or further discussion would be very helpful. thank you

12 Likes

Can’t you verify product purchases serverside? It’s at least possible with gamepasses, is it not a thing for shirts? VIP T-shirts can be used without being worn as far as I can tell. Do you mean changing the price while buying to pretend to donate?

for a second I thought you meant exploiters could fake purchases lol

5 Likes

not on roblox’s side but for the game server they can.

i’m not sure about verifying product purchases. i just know the current fix for game passes is getting the updated property, which holds true for game passes and does not hold true for shirts.

they change the price to say 1 robux before prompting then change it back to say 1,000,000,000 robux before pressing okay. roblox reads it as 1 robux and server in game reads it as 1,000,000,000

2 Likes

Is it the real gamepass price or did the exploiter just change it on their screen?

3 Likes

so this isn’t for game passes. this is for shirts. because the shirts updated property doesn’t hold true.
they change the price on roblox itself. prompt the purchase. then change the price on roblox again before pressing okay. so roblox reads it as what the prompt was for. however the game reads it as what the price was when they pressed okay. because purchase finished does run until they press okay.

2 Likes

Why not spam check price? Every 1 second or 0.5 seconds should be enough because nobody’s that fast (neither is Roblox’s servers). (Check price while prompt is open)

3 Likes

is there a way to check if a users prompt is open on the server?

2 Likes

I guess when opening a prompt, tell the server, then it’ll start listening for purchases and you can buy the thing, while it spam checks until you close the prompt. The game will show the donation as the lowest price found. Or maybe check price when just opening the prompt instead.

3 Likes

but how will we tell the server? if it’s client sided they can just get rid of it

2 Likes

If they delete it the server won’t accept their donation.

3 Likes

like if they delete the event that lets the server know the prompt is fired?

2 Likes

If they delete the event, the server won’t start listening for donations because nobody told it to.

2 Likes

I think you can get price property. Here's a Forum telling you about it.

Just get the Original price and compare with current price

3 Likes

aw i see. and you saying this wouldn’t exceed rate limit?

3 Likes

i was meaning like it wouldn’t help in this circumstance because of how the purchases are client sided with roblox core gui but if we do what oddcraft was saying then maybe that would work. as far as i know the price value holds true it’s just not the updated value that holds true. which is a bit weird. and it’s just that way for shirts

2 Likes

I guess you can delete the Ui for the gamepass purchase by checking every time if this is the same price as it's set to. But This might be for billboard UI. Also try some testing with the Price thing, it could work

3 Likes

Oh, so you mean like when they hit okay button then the amount they donated will be added in a number value?

3 Likes

yeah when they hit okay that's what the game registers. when they prompt and hit buy that's what roblox registers.

2 Likes

Wait so are you saying that when the Prompt shows up, it's going to be the same price before they changed it or are you talking about adding points to your game when you buy something?

3 Likes

You can use an attribute to store what user is buying at what price.

This is basically prompting the user to buy that shirt and sending the product id and price to server.

Then server sets player attribute to the asset they are purchasing,
once the prompt is purchased we are checking if assetid is same as the asset player is buying by checking player’s attribute, if it's true then we will get old price of the asset and add it in donated numbervalue, then we will remove those attributes once everything is done.

4 Likes
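The mitigation steps in the opening post (tell the server first, deny prompts the server did not register, debounce, credit the price seen at prompt time rather than at "okay" time), the "keep checking the price while the prompt is open and credit the lowest value" idea from the replies, and the "remember which asset at which price" approach in the last reply all fit into one server-side flow. The Luau below is an added example written for this thread; it is not code posted by anyone here or by Roblox. It assumes a RemoteEvent named DonationIntent, an allow-list DONATION_ITEMS with a placeholder asset id, and the three constants at the top; it keeps the per-player state in a server table instead of player attributes, which a client can read but cannot change on the server either way.

```lua
-- Server Script (ServerScriptService). Added example; the names below are assumptions, not from the thread.
local MarketplaceService = game:GetService("MarketplaceService")
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

-- RemoteEvent the client fires to say "I want to donate with this shirt" (assumed name)
local intentEvent = ReplicatedStorage:FindFirstChild("DonationIntent")
if not intentEvent then
	intentEvent = Instance.new("RemoteEvent")
	intentEvent.Name = "DonationIntent"
	intentEvent.Parent = ReplicatedStorage
end

local DEBOUNCE_SECONDS = 5      -- minimum gap between two accepted purchases by one player
local POLL_INTERVAL = 1         -- how often to re-read the price while a prompt is open
local MAX_PROMPT_SECONDS = 120  -- stop waiting for a prompt after this long

-- Allow-list of donation shirt asset ids (placeholder id, constructed for this example)
local DONATION_ITEMS = {
	[123456789] = true,
}

local pending = {}        -- player -> { assetId = n, price = n, startedAt = n }
local lastPurchaseAt = {} -- player -> os.clock() of the last accepted purchase
local donated = {}        -- player -> robux credited this session

-- Read the live price from Roblox. Returns nil if the lookup fails or the item is off sale.
local function fetchPrice(assetId)
	local ok, info = pcall(MarketplaceService.GetProductInfo, MarketplaceService, assetId, Enum.InfoType.Asset)
	if ok and type(info) == "table" and info.IsForSale then
		return info.PriceInRobux
	end
	return nil
end

intentEvent.OnServerEvent:Connect(function(player, assetId)
	-- Validate what the client sent: allow-listed shirts only, one prompt at a time, debounced
	if type(assetId) ~= "number" or not DONATION_ITEMS[assetId] then return end
	if pending[player] then return end
	local now = os.clock()
	if lastPurchaseAt[player] and now - lastPurchaseAt[player] < DEBOUNCE_SECONDS then return end

	local price = fetchPrice(assetId)
	if not price or price <= 0 then return end

	-- Record the price at prompt time; this, not the price when "okay" is pressed, is what gets credited
	local entry = { assetId = assetId, price = price, startedAt = now }
	pending[player] = entry

	-- The server opens the prompt itself, so any prompt without a matching entry was not ours
	MarketplaceService:PromptPurchase(player, assetId)

	-- While the prompt is open, keep re-reading the price and remember the lowest value seen,
	-- so a price lowered mid-prompt is credited at the lowered amount, never the higher one
	task.spawn(function()
		while pending[player] == entry do
			task.wait(POLL_INTERVAL)
			if os.clock() - entry.startedAt > MAX_PROMPT_SECONDS then
				pending[player] = nil -- abandoned prompt: forget it
				break
			end
			local livePrice = fetchPrice(assetId)
			if livePrice and livePrice < entry.price then
				entry.price = livePrice
			end
		end
	end)
end)

MarketplaceService.PromptPurchaseFinished:Connect(function(player, assetId, isPurchased)
	local entry = pending[player]
	pending[player] = nil
	if not entry then
		-- A prompt the server never registered: credit nothing, but keep a record of it
		warn(("unregistered purchase prompt by %s for asset %d"):format(player.Name, assetId))
		return
	end
	if not isPurchased or entry.assetId ~= assetId then return end

	lastPurchaseAt[player] = os.clock()
	donated[player] = (donated[player] or 0) + entry.price
	-- Transaction log line, useful for comparing against the group's pending robux later
	print(("donation: %s asset=%d credited=%d session_total=%d"):format(
		player.Name, assetId, entry.price, donated[player]))
end)

Players.PlayerRemoving:Connect(function(player)
	pending[player] = nil
	lastPurchaseAt[player] = nil
	donated[player] = nil
end)

--[[ Client side (a LocalScript on the donate button); nothing else is needed there,
     because the server opens the prompt:
	game:GetService("ReplicatedStorage"):WaitForChild("DonationIntent"):FireServer(123456789)
]]
```

Two caveats worth knowing before relying on this. The polling only helps if GetProductInfo actually returns a fresh price for clothing, which the opening post doubts; the price recorded at prompt time is the part that does not depend on that, since the server reads it before it opens the prompt. And because the credited amount only ever goes down, the worst case for a mis-read price is under-crediting a donor, never over-crediting an exploiter. Load on GetProductInfo is bounded to one call per open prompt per POLL_INTERVAL, which is what the rate-limit question in the thread comes down to.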