How to prevent this exploit?

My game, on occasion, has been getting exploited by some guy who forcefields himself and causes an explosion around him.

I’m not entirely sure how this is possible as the game is filtered and I don’t have any remote events that can cause this, so I’m grateful for any help that can be provided.

7 Likes

It is possible that your game has a backdoor in it. Have you used any free models or installed any plugins recently?

6 Likes

I’m not a coder, but the only explanation for this is that there’s a backdoor in one of your scripts that they’re using. That backdoor might be hard to find though, without the actual script they’re using to explode and FF themselves.

1 Like

I haven’t inserted any free models or used any plugins that I didn’t find on the devforums.

Would restricting using a force field or explosives alter the gameplay by any chance? If you wouldn’t mind linking the game that would be greatly appreciated.

Whether it alters it or not, it is still very annoying and the back doors should be eliminated.

1 Like

It wouldn’t affect gameplay at all; it’s a wrestling game.

I recommend going through EVERY script of yours, especially ones in models. Also, make sure the LoadStringEnabled (property of ServerScriptService) is disabled.

2 Likes
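
One way to do the script-by-script review suggested above, as an added example that is not part of the original thread: a Luau snippet for the Studio command bar that lists source lines matching a few common backdoor patterns and reports `LoadStringEnabled`. The pattern list, the service list and the function name `scanForBackdoors` are assumptions chosen for illustration; a match is a lead for manual review, not proof.

```lua
-- Added example. Run from the Studio command bar: Source can be read from the
-- command bar or a plugin, but not from scripts running in a live game.
-- Constructed heuristic patterns (Lua patterns), not an exhaustive signature set.
local SUSPICIOUS = {
	{ name = "require by asset id", pattern = "require%s*%(%s*%d+" },
	{ name = "loadstring call", pattern = "loadstring%s*%(" },
	{ name = "getfenv/setfenv call", pattern = "[gs]etfenv%s*%(" },
	{ name = "InsertService use", pattern = "InsertService" },
	{ name = "run of numeric escapes (obfuscation)", pattern = "\\%d+\\%d+\\%d+\\%d+" },
}

-- Containers where place scripts normally live (assumed list; extend as needed).
local SERVICES = {
	"Workspace", "ServerScriptService", "ServerStorage", "ReplicatedStorage",
	"ReplicatedFirst", "StarterGui", "StarterPack", "StarterPlayer", "Lighting",
}

local function scanForBackdoors()
	local findings = {}
	for _, serviceName in ipairs(SERVICES) do
		for _, inst in ipairs(game:GetService(serviceName):GetDescendants()) do
			if inst:IsA("LuaSourceContainer") then
				-- pcall in case the source of a locked script cannot be read
				local ok, source = pcall(function() return inst.Source end)
				if ok then
					local lineNo = 0
					for line in (source .. "\n"):gmatch("(.-)\r?\n") do
						lineNo += 1
						for _, rule in ipairs(SUSPICIOUS) do
							if line:find(rule.pattern) then
								table.insert(findings, string.format("%s:%d [%s] %s",
									inst:GetFullName(), lineNo, rule.name, line:sub(1, 120)))
							end
						end
					end
				end
			end
		end
	end
	return findings
end

print("LoadStringEnabled:", game:GetService("ServerScriptService").LoadStringEnabled)
local findings = scanForBackdoors()
for _, finding in ipairs(findings) do
	warn(finding)
end
print(#findings .. " line(s) flagged for manual review")
```

Scripts nested deep inside models and admin-command packages are covered because the scan walks every descendant; a `require` whose argument is a variable or an expression rather than a number will not match and still needs reading by hand.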

Couldn’t you just detect the force field being triggered and have said exploiter removed?

An exploiter shouldn’t be able to insert ForceField objects and Explosion objects on the server in a Filtering Enabled game. Double check if your game’s FE is set to true, I believe it sometimes turns to false for no apparent reason.

FilteringEnabled is on & LoadStringEnabled was checked off beforehand.

How did you find out that the exploiter is using forcefields and explosions? I tried creating explosions and giving myself a forcefield to make sure that these objects are not replicated; these are only seen by the exploiter and not other players.

I’ll attempt to do this while still searching for any possible backdoors, would I have it check for a forcefield being spawned into the character’s model from the client?

I suggest that you don’t do this on the client. The client can bypass most if not all security on their machine.

2 Likes

To add to this post, any anti-exploit things should be run from the server to prevent modifications as the server is encrypted. The general rule is to never trust the client.

3 Likes

Do you have any admin commands? My theory is if an admin command script does a client-sided check for an owner, the exploiter can easily bypass this and access the commands.

As a rule of thumb, NEVER TRUST THE CLIENT! (just realized @waterrunner said the exact same thing… oops)

I’ve had EPIX/EISS admin commands in the game for the past 2 years.

This sounds ridiculous, but disable them and see if the exploits persist. This may be your last option though.

Maybe, recently, a vulnerability in these commands was found and the exploiter exploits this. Just a theory though.

Also, if you rely on these for ban scripts, you should always build your own.

2 Likes

Since this exploit is theoretically affecting other players, this is probably a backdoor. On the server, create a script to run this code:

-- Server Script: fires for every instance added anywhere under the DataModel
game.DescendantAdded:Connect(function(Descendant)
    -- pcall guards against instances that error when accessed
    pcall(function()
        if Descendant:IsA("ForceField") or Descendant:IsA("Explosion") then
            Descendant:Destroy()
        end
    end)
end)

This will destroy any ForceField or Explosion object created on the server.

This is only a temporary fix in this situation. Do not rely on this permanently.

5 Likes

This would work but not get rid of the underlying problem. It’s always best to find and eliminate the source.

2 Likes