How would I handle hitboxes for client sided enemies?

I’m making a PvE game and in order to have hitboxes that feel accurate I would like to client-side them. The issue with this is exploiting, obviously an exploiter can just block however I am communicating hit detection back to the server to never take damage. This wouldn’t be a major issue if it wasn’t for the structure of my game: as long as one player survives a round the entire server “wins”. The rounds keep getting harder (and by extension giving more rewards) until either everyone dies or the players beat a final extremely hard round. An exploiter could wreck the progression for the entire server as they could give everyone a free ride to getting super far into the game, even worse the players are incentivized against reporting this because they get rewards for beating hard waves so the exploiter is actually helping them.

Any form of antiexploit I can come up with involves some sort of server-side check which doesn’t solve anything, no matter what check I do server-side it can’t account for latency and desync so it isn’t able to distinguish a laggy player from an exploiter; if the server was able to properly do these checks I’d just handle hitboxes serverside.

Has anyone figured out how to solve this or have any ideas? I figure it must be possible otherwise combat games wouldn’t be possible.

There isn’t really some magic solution to this sadly, most games rely on ping and server-side positions.

Possible solutions

  • Anti-cheat against teleporting on the client, and to prevent exploiters from just deleting it, script it in Roblox’s PlayerModule.
  • If you’re not already, handle both attacking and being attacked through the same remote event so exploiters can’t completely block the signals without “ruining” the game’s playability.

Going the more extreme route, you could try handling everything through one remote event, practically disabling exploiters from throttling the remote event.

These aren’t very good solutions.
Modern exploits have several methods to hook functions and manipulate values, and they can choose what to block, send or modify even in a single remote.

1 Like

You can have some level of lag compensation on hitboxes with Player:GetNetworkPing() and adding more leniency on top, though obviously this isn’t a perfect solution.

Depending on how characters in your game can move, you could probably implement a server-side speed and teleport anticheat too by calculating their average speed over the span of 10 seconds or so.

1 Like

The best you can do are server sanity checks when sending the hit information to the server, for example, range checks, cooldown checks, check if the player has the ability or not and you could account for some lag by using Player:GetNetworkPing() as @Nowoshire had said.

You could also check modules like Chickynoid, which do custom character replication, hit detection, etc.

Overall, there isn’t any way to completely stop hackers as most of the time they’ll just find a way to bypass your game’s sanity checks, but the best we can do is prevent most of them.
Take a look at Phantom Forces for example, the amount of hackers on that game is insane, though thankfully it has a vote kick system in place.
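The range, cooldown and ping-leniency checks suggested in the replies above could be combined on the server roughly as follows. This is an added Luau example, not code from any poster in the thread; the `ReportHit` remote, the constants and the `enemyPositions` table (the server's own record of where each enemy is) are assumptions for illustration.

```lua
-- Added example, not from the thread. Remote name, constants and the
-- enemyPositions table are assumptions for illustration.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local hitRemote = ReplicatedStorage:WaitForChild("ReportHit") -- hypothetical RemoteEvent
local ATTACK_RANGE = 12      -- studs (assumed weapon reach)
local ATTACK_COOLDOWN = 0.5  -- seconds (assumed)
local MAX_SPEED = 16         -- studs/second (default Humanoid.WalkSpeed)
local EXTRA_LENIENCY = 0.1   -- seconds of slack added on top of measured ping
local MAX_LAG_CREDIT = 0.3   -- seconds; caps how much slack latency can buy

local enemyPositions: { [string]: Vector3 } = {} -- assumed: server's own record per enemy id
local lastAccepted: { [Player]: number } = {}

local function isHitPlausible(player: Player, enemyId: any, now: number): boolean
	if typeof(enemyId) ~= "string" then
		return false -- never trust the shape of remote arguments
	end
	local enemyPos = enemyPositions[enemyId]
	local character = player.Character
	local root = character and character:FindFirstChild("HumanoidRootPart")
	if not enemyPos or not root then
		return false
	end

	-- GetNetworkPing() is in seconds; bound the total allowance.
	local credit = math.min(player:GetNetworkPing() + EXTRA_LENIENCY, MAX_LAG_CREDIT)

	-- Cooldown check: jitter can bunch packets, so allow `credit` of early arrival.
	local last = lastAccepted[player]
	if last and now - last < ATTACK_COOLDOWN - credit then
		return false
	end

	-- Range check: widen reach by the distance the player could cover during `credit`.
	local distance = (root.Position - enemyPos).Magnitude
	return distance <= ATTACK_RANGE + MAX_SPEED * credit
end

hitRemote.OnServerEvent:Connect(function(player, enemyId)
	local now = os.clock()
	if isHitPlausible(player, enemyId, now) then
		lastAccepted[player] = now
		-- apply damage to the enemy here using server-side values only
	end
end)

Players.PlayerRemoving:Connect(function(player)
	lastAccepted[player] = nil
end)
```

The cap on the lag allowance matters: without it, a client with very high latency gets an ever larger acceptance radius and an ever shorter effective cooldown.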

Could you provide a link to your source or tell me where I can see more about this if you don’t mind? I want to learn about modern exploits some more.

I’m not aware of any available executor docs that aren’t years out of date, but common hooking functions include hookmetamethod, hookfunction, and getgc (for manipulating values inside scripts).

2 Likes

I think I’m probably gonna just have to go with making it as much of a pain in the ass to bypass the hitbox relaying as possible, as @Dankinations said. I believe if I make it hard enough it should hold up as long as I don’t get a crazy playerbase and if that happens I can hopefully just hire out a more experienced scripter who has a better idea of how to solve this lol.

I also realized I can incentivize reporting. If I offer a reward for doing a report on a player that is eventually banned hopefully people will decide to report instead of letting the exploiter farm.