How to prevent this exploit?

I suggest that you wouldn’t do this on the client. The client can bypass most if not all security on their machine.

2 Likes

To add to this post, any anti-exploit things should be run from the server to prevent modifications as the server is encrypted. The general rule is to never trust the client.

3 Likes

Do you have any admin commands? My theory is if an admin command script does a client-sided check for an owner, the exploiter can easily bypass this and access the commands.

As a rule of thumb, NEVER TRUST THE CLIENT! (just realized @waterrunner said the exact same thing… oops)

I’ve had EPIX/EISS admin commands in the game for the past 2 years.

This sounds ridiculous, but disable them and see if the exploits persist. This may be your last option though.

Maybe, recently, a vulnerability in these commands was found and the exploiter exploits this. Just a theory though.

Also, if you rely on these for ban scripts, you should always build your own.

2 Likes

Since this exploit is theoretically affecting other players, this is probably a backdoor. On the server, create a script to run this code:

-- Server Script: fires for every Instance added anywhere under the DataModel
game.DescendantAdded:Connect(function(Descendant)
    -- pcall so an error on one Instance does not kill the connection
    pcall(function()
        if Descendant:IsA("ForceField") or Descendant:IsA("Explosion") then
            Descendant:Destroy()
        end
    end)
end)

This will destroy any ForceField or Explosion object created on the server.

This is only a temporary fix in this situation. Do not rely on this permanently.

5 Likes

This would work but not get rid of the underlying problem. It’s always best to find and eliminate the source.

2 Likes

I agree, but until he can figure out the backdoor, it would serve as a temporary fix.

1 Like

Does this game have Team Create enabled? It could have been somebody else who has inserted a free model or has a malicious plugin installed.

Wasn’t Experimental Mode removed a while back? Even if FilteringEnabled is set to false, the game should be FE.

5 Likes

Team Create is enabled, but the only accounts added are my other accounts for when I want to edit “incognito”.

I would recommend using Kronos to find backdoors. Also make sure that any of your team create accounts weren’t compromised.

1 Like

I do not know what game it is but…
Try searching the scripts for require;
maybe that works. I know where backdoors are placed in most popular ones,
but I don’t know how to remove some.

Hmm, I still get this kind of behavior :confused:

Edit:
Will post a bug report if I find out it’s caused by studio and not team create members.

1 Like

Weird. According to this, experimental mode was discontinued. Maybe I’m reading it wrong :neutral_face:.

2 Likes

No backdoors were found in the game according to the plugin.

and I searched for require throughout the entire game, and none of them seemed out of place.

1 Like

At this point, I see no reason to not try the above. To me, it seems it has to be the commands.

Edit: What you can even do is use the above script that @wevetments made and change it to detect if anyone spawns explosions (disregard the forcefield as it may spawn for a second when the character spawns/dies).

2 Likes
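An added example, not from anyone in this thread, of the adaptation suggested above: the same server-side DescendantAdded hook, restricted to Explosions (ForceFields are skipped because they legitimately appear on spawn), which logs each one with the nearest player before destroying it so the source can be traced. It assumes a Script in ServerScriptService; the function and variable names are my own.

```lua
-- Server Script (assumed to live in ServerScriptService).
local Players = game:GetService("Players")

-- Constructed in-memory log; each entry records when/where an Explosion appeared
-- and which player was closest to it at that moment.
local explosionLog = {}

local function nearestPlayer(position)
	local best, bestDist = nil, math.huge
	for _, player in ipairs(Players:GetPlayers()) do
		local character = player.Character
		local root = character and character:FindFirstChild("HumanoidRootPart")
		if root then
			local dist = (root.Position - position).Magnitude
			if dist < bestDist then
				best, bestDist = player, dist
			end
		end
	end
	return best, bestDist
end

game.DescendantAdded:Connect(function(descendant)
	-- Only Explosions: ForceFields legitimately appear on character spawn/death.
	if not descendant:IsA("Explosion") then
		return
	end
	pcall(function()
		local player, dist = nearestPlayer(descendant.Position)
		local entry = {
			time = os.time(),
			position = descendant.Position,
			nearest = player and player.Name or "none",
			distance = dist,
		}
		table.insert(explosionLog, entry)
		-- Shows up in the Developer Console server log while the game is live.
		warn(string.format("[ExplosionWatch] Explosion at %s; nearest player %s (%.1f studs)",
			tostring(entry.position), entry.nearest, entry.distance))
		descendant:Destroy()
	end)
end)
```

Repeated entries clustered around one player, or explosions appearing with no player nearby, point at a server-side script (the suspected backdoor) rather than at normal gameplay.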

Going to try this and revert to the old person299 admin script until I create my own.

2 Likes

I recommend disabling all admin, even just for a few days, to see if the exploiter can still do his thing. You can still kick and kill people through the Developer Console if necessary.

Also, you don’t need to make your own admin, just make your own ban script. This way, if the admin commands catastrophically fail, your game is still safe as your code still doesn’t allow the banned players in.

10 Likes

I could help you out, could be a good chance to improve Kronos.
Add me on Roblox so we can talk.