Is my HitBox Exploitable?

Hello!

- I have a PvP game and I use Magnitude for my hitbox, which runs on the client.

- For the best hitbox results, I made it so that when you start to attack, the client sends a Remote Function to the server, and from then the server returns the information that the client needs to know to run the hitbox from there. (The information consists of MaxSize, Magnitude OffSet and some more.)

- Is there any way for someone to exploit the hitbox? Like change the MaxSize that the server sent.

- If it can be exploited, how can I prevent that?

- Or how can I prevent exploiters generally?

Any suggestion would be greatly appreciated!!!

Yeah that’s insecure and always will be. You can’t stop people 100%, but you can make it so that it’s not worth their time. On the server, you can check if someone was within 3 studs of the targeted player. Then it’s almost not worth the effort to hack it. And when someone does hack the hitbox to be gigantic, they’ll get kicked and give up on that approach. Nobody’s going to realize that they can get away with very subtle changes, and they won’t do it.

2 Likes

I would do some more checks on the server when doing damage. Currently, the client could change all of those received values and make the hitbox about infinite. Some basic checks on the server which check distance and validity of the hit should be fine.

2 Likes

If you want truly secure hitboxes, the only solution is to process them on the server. You can pass all the information you want from server to client, but the client doesn’t have to listen to it. An exploiter could easily just tell the server that they hit someone and without sanity checks, the server will believe it.

3 Likes
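A sketch of the server-side sanity checks the replies above describe (distance and validity of the hit), added here as an example and not code posted by anyone in the thread. The RemoteEvent name `AttackHit` and the range, cooldown and damage values are assumptions made for illustration.

```lua
-- Server Script (added example, not code from the thread).
-- Assumed: a RemoteEvent named "AttackHit" in ReplicatedStorage (hypothetical name).
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local attackHit = ReplicatedStorage:WaitForChild("AttackHit")

-- Server-owned values, constructed for this example. The client never sends these.
local MAX_RANGE = 8   -- studs: hitbox reach plus a small latency allowance
local COOLDOWN = 0.5  -- seconds between accepted hits per attacker
local DAMAGE = 10
local lastHit = {}    -- [Player] = os.clock() of the last accepted hit

-- Returns the root part and humanoid of a living character, or nil.
local function getLiving(character)
	local humanoid = character and character:FindFirstChildOfClass("Humanoid")
	local root = character and character:FindFirstChild("HumanoidRootPart")
	if humanoid and root and humanoid.Health > 0 then
		return root, humanoid
	end
	return nil
end

attackHit.OnServerEvent:Connect(function(attacker, targetCharacter)
	-- The only client input is who was hit; type-check it and reject self-hits.
	if typeof(targetCharacter) ~= "Instance" or not targetCharacter:IsA("Model")
		or targetCharacter == attacker.Character then
		return
	end
	local attackerRoot = getLiving(attacker.Character)
	local targetRoot, targetHumanoid = getLiving(targetCharacter)
	if not attackerRoot or not targetRoot then
		return
	end
	-- Rate limit on the server's clock, never on a client-supplied time.
	local now = os.clock()
	if lastHit[attacker] and now - lastHit[attacker] < COOLDOWN then
		return
	end
	-- Distance check with the server's constant and positions as the server sees them.
	if (attackerRoot.Position - targetRoot.Position).Magnitude > MAX_RANGE then
		return
	end
	lastHit[attacker] = now
	targetHumanoid:TakeDamage(DAMAGE)
end)

Players.PlayerRemoving:Connect(function(player)
	lastHit[player] = nil -- drop per-player state so the table does not grow
end)
```

Size, offset and damage stay on the server here, so changing the values the client received for its local hitbox has no effect on what the server accepts.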

When you delete your hitbox (on the client) or move it somewhere off workspace like ReplicatedStorage, do you become immune to damage?