From what I remember, exploiters can edit anything inside of the LocalScript. However, you should probably double check that.
Edit - As for this quote below, you cannot detect something deleted on the client through the server. Think about it this way, I delete a part on my side; the server will still have the part and all other players will still have the part except for me. This is due to the filtering enabled update.
If i recall, using remote events for kicking is not very efficient, an exploiter could easily fire it and kick all players.
You can detect anything deleted under character because it’ll replicate, however that’s not the same case for ChildAdded, that’s why i used a localscript.
I have tested this in studio, it will replicate to the server if it’s removed, but not if it’s moved to a different place where it cannot work such as the lighting. You might have already come up with a way to combat this, but I just wanted to include this just incase or maybe I tested this wrong or understood it incorrectly. I hope anything I’ve said helps, good luck.
The exploiter can also block the remote to prevent them from getting kicked
Never use the client for anti-cheat. Exploiters can disable being kicked from the client, and or delete your script.
As aforementioned earlier, the script is mandatory, it handles everything including remote events and has a looping check if it’s disabled every 10 seconds.
The thing is that the exploiters can
Which means detecting if anything suspicious is added to any Instance (on the Client) is impossible since exploiters can just bypass by doing one of the above mentioned things.
Some things to add to this, even though it’s not related to the original post
ChildRemoved may not be a reliable option, because the exploiter can still disable the script and change the contents within the script. A better idea would be to clone the local script into the player from a server script, then check if the local script’s disabled property changes, or if its parent is not equal to the player.
I still think that’s unnecessary. Your code should rely only on the client for input, not logic. I think it’s better to let them mess with stuff as they will anyway if you have the script. Instead, you should instead have sanity checks on the server. The client should never be able to mess with others or break the game by spoofing remotes.
Something to add to this, people can edit scripts on the client. They can change local functions and constants too.
You would have to be a very bad developer to allow the player to pass who to kick. Remote events’ OnServerEvent automatically passes player as the first parameter and this cannot be spoofed.
There was once a post where somebody in here game got hijacked and exploiters were easily able to kick all players due to a remotevent that was suppose to be for admins only.
Probably because it wasn’t secured. They either had a backdoor or didn’t check who fired it. Spoofing the player is not possible currently.
I am aware that clients should never be trusted however, as i mentioned, you can’t detect anything added by clients on server (ChildAdded), that’s why i used a localscript, until i find a solution that combats this.
Also i already have a server-side script that detects flying but it’s very inefficient and not very quick.
local isNearObjects = (FindPartBeingStoodOn(nearbyParts) ~= nil)
if not isNearObjects then
suspicious = true
FlightHeat = math.max(0, FlightHeat + ((p2.Y - p1.Y) / Config.FlightHeatCooldownRequiredFallSpeed + deltaTime) / Config.MaxFlyingDuration)
-- Figure out a maximum jump height
local jumpHeightTolerance
if Humanoid.UseJumpPower then
-- The '* 1.1' part is in case the humanoid has slight jumpieness from Roblox's weird physics.
jumpHeightTolerance = (Humanoid.JumpPower ^ 2) / (2 * workspace.Gravity) * 1.1
else
jumpHeightTolerance = Humanoid.JumpHeight * 1.1
end
if FlightHeat >= 1 or p2.Y > LastGroundedAltitude + jumpHeightTolerance then
Humanoid.JumpPower = 42
Punish("flying")
return
end
else
FlightHeat = 0
LastGroundedAltitude = p2.Y
end
Inherited from FJAnti-Exploit FJ's (Experimental) Character Anticheat
It probably isn’t worth your trouble in figuring out how to do this because an exploiter can bypass your checks. It would be more beneficial for you to work on a anti-cheat that prevents flying and speed changers.
Curious of me, after looking in some fly exploit scripts, i’ve noticed they use platformingstanding humanoidstate, should i use that to detect flying on server?
When they change this value, it is only visible on client and that can be spoofed easily too. You have to compare values by time to figure out if they are higher up than they should be or if they are moving faster than they should be.
Hello, I’m making multiple anti-cheats at the moment and some of them don’t detect cheats when the player is doing bad stuff on the client, but it does when it’s doing it on the server. What should I do? I’m not gonna provide my code here. just asking if I should use some kind of remote events or come up with something else?
{I know it’s a very late reply}
things like walkspeed and jumppower don’t replicate. You can do alternatives on the server, like checking their current distance with their distance half a second ago.