Part Spawning Exploit

EDIT: Modified the title to be more appropriate.

Recently, my place has been exploited frequently and I am not sure how it begins, but there is speculation around the moderation and development community of said group that people are removing the meshes from their hats and dropping them.

https://gyazo.com/8ecb1f59da4478407b93f9b62b7a98a0?token=80973833db19bf916b17e01804103c16

I’m not too sure how it works or if this is informative, but all I know is that someone is able to spam a load of parts. The place is FilteringEnabled and hat dropping keys are removed so I don’t exactly know how this happens. When this exploit happens, the server either lags or crashes.

I’ve tried fixing this exploit through various different fashions to no success, nor have I been able to see how to make it work. The closest thing in this game to hat dropping is reinstating the “=” key to remove a specific hat after its touched/worn, but it calls destroy on the hat so it can’t be parenting it to the workspace.

I would guess that, like with tools, the client is able to replicate changes to the parents of hats, possibly including the creation of new ones.

There are a few threads about this. The tl;dr is:

This will be patched in the next release, at least for FE places.

If you need a faster partial fix, you can remove parts from StarterGear as they get added or each time a player respawns.

Ah. Tried searching but didn’t find anything, so most likely I didn’t look deeply enough.

I’ll apply this fix when I can. Thanks.

A patch for this issue was just applied. Let me know if there are any StarterGear related issues.

This issue seems to have returned if it wasn’t fixed already, I just received a fresh report of this occurring.

I’ve been getting this too, in my case the parts were being parented to Workspace.Terrain

Does this crash games or make them unplayable?

If they do it for long enough it can cause some players on lower-end computers/mobile to have issues if they share a spawn point with the exploiter.

Found this at the RBXDev HQ today.

Do you know how long it takes to do this? For example, is this any worse than just dropping a hat and then respawning?

The effect is exponential though from what I was told, so if they start with 10, they then make 20 and then 40 and so on.

Happens extremely quickly.

I saw this yesterday while someone was testing a 100 player server. There must have been 1000s of these bricks everywhere. Causes a lot of lag.

I saw this happen on a game that I had developer console access to. The parts were somehow inside of Terrain on a FilteringEnabled game. I’m pretty sure I managed to fix it by removing anything that gets added as a child to Terrain.

workspace.Terrain.ChildAdded:connect(function(obj)
	wait()
	if obj then
		obj:Destroy()
	end
end)

Hope this works as a temporary solution.

This exploit is based on the old “drop hat” behavior. Look carefully at this post: Removing Accessory Dropping Key Shortcut

Notice that the hat is reparented in the local script.

It is also based on players respawning rapidly.

Yeah I had a feeling it was hat dropping. Parts that get spawned would only appear on the client, so there had to be something else going on.

This is what I was getting. I ran a really crude script that just printed whatever part I touched while I was in my game (It’s a terrain based game so I could omit printing if I was on my terrain) and I found that these parts were children of the terrain.

image931×759 266 KB

Any updates on this? Still getting reports of it in my game.

A partial patch for this specific issue will be released next week. Anyone relying on locally parenting hats should update this to be done on the server. The patch is partial as we do need to support “hat dropping” for the moment.