Pls Donate Game Donation Exploit

Hello, I’ve made a game like @haz3mn's PLS DONATE, but I’ve noticed an issue (that apparently happened to him too?). People can set their gamepasses to 9999999 bazillion robux, join the game, claim a booth and then change the gamepass to 1 robux & buy it. Roblox will then be tricked into thinking they bought the 9999999 bazillion robux gamepass, and they’ll be put 1st on the leaderboard.

How could I fix this? The player’s stats only increase by the PriceInRobux that I get from doing GetProductInfo right after someone buys a donation, so it shouldn’t add 999M to it, but instead the actual price, right?

At least I think this is what’s causing it. It could be other things, but the only time I increment the Donated/Raised values is right after the player buys something.

7 Likes

Assuming that:

  • You’re truly adding the result from that PriceInRobux property returned from MarketplaceService:GetProductInfo() to the amount donated on the server, not the client.

  • That there’s sufficient logic to prevent any invalid additions to the amount donated (e.g., you could perform a check that determines if the passed in number is > the gamepass amount, otherwise reject the transaction).

  • Another value isn’t being added to it, instead of the one you think is being added.

The only other sufficient explanation I can think of (although unlikely) is that there’s a delay in the updating of data on the API endpoint that MarketplaceService:GetProductInfo() sends a request to. Other than that, I have no ideas.

Hope some of these suggestions get you closer to solving the problem! 🙂

2 Likes

Yes, here’s what I do
image
or for gamepasses:

and then:

This is all done on the server & the Donated attribute gets saved normally like a leaderstat value. I used an attribute instead just so I can add anonymous mode.

(yes, I do use Enum.InfoType.Gamepass instead of .Asset for gamepasses!)

2 Likes

Maybe because the game thought it’s 999bazillion robux, then compare it with the real price of the gamepass, something like if whatgameseesgamepasspriceis == gamepasspriceactuallyis then

1 Like

You can reload the buttons in a while loop.

1 Like

Maybe try using tonumber(string), assuming your gamepasses on the booth are TextLabels that hold the PriceInRobux, and once they change the price of the gamepass, maybe try changing the text as well? Idk if you can see whether they changed the gamepass price.

1 Like

Don’t have gamepass prices in an attribute. Theoretically, unless the player has network ownership of the part, they should not be able to change those values, but I have seen strange things happen before.

Store them in a table instead and then populate the text field with that value from the table. Also, when sending the purchase request to Roblox, the actual purchase amount also matches values in that table. If they don’t, then you got a problem. Do not write the code to add/change things in the table. If the code doesn’t exist, it cannot be exploited. Make sure to secure and sanity check your remotes.

That’s all that I can offer at this point.

1 Like

Did you find a fix for this exploit yet?

2 Likes

As Matthew said, just make it get the price of the gamepass at the time that it got bought,
like MarketplaceService:GetProductInfo(AssetId).PriceInRobux

1 Like

Sorry for reviving this thread, however, I feel like a lot of people revisit this thread looking for a solution and GetProductInfo will not work.

GetProductInfo returns invalid / cached data, so relying on that at any point is unstable and can cause the bug to occur.

The way I fixed this was using the following endpoints as alternatives to GetProductInfo()

T-Shirts:
https://economy.roblox.com/v2/assets/TSHIRTID/details

Gamepasses:
https://apis.roblox.com/game-passes/v1/game-passes/GAMEPASSID/product-info

This worked at scale in the following games, with thousands of players playing at a time:

4 Likes
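An added example (not code from any poster in this thread) of a server-side handler for the stale-price problem described above: it reads the gamepass price from the endpoint quoted in the post, credits the lower of that value and the GetProductInfo value, and credits nothing when the live lookup fails. It assumes HttpService requests are enabled, that the URL (or a proxy for it) is reachable from the game server, and that the JSON response carries a numeric PriceInRobux field; the helper names are hypothetical.

```lua
-- Added example: server-side Script. Helper names are hypothetical, not from the thread.
local MarketplaceService = game:GetService("MarketplaceService")
local HttpService = game:GetService("HttpService")

-- Endpoint quoted in the thread, with GAMEPASSID substituted per request.
-- Assumption: this URL (or a proxy for it) is reachable from the game server.
local LIVE_URL = "https://apis.roblox.com/game-passes/v1/game-passes/%d/product-info"

-- Runs a lookup and returns its PriceInRobux, or nil on error or a missing price.
local function safePrice(lookup)
	local ok, info = pcall(lookup)
	if ok and type(info) == "table" and type(info.PriceInRobux) == "number" then
		return info.PriceInRobux
	end
	return nil
end

local function cachedPrice(passId)
	return safePrice(function()
		return MarketplaceService:GetProductInfo(passId, Enum.InfoType.GamePass)
	end)
end

local function livePrice(passId)
	return safePrice(function()
		-- Assumption: the response body is JSON with a numeric PriceInRobux field.
		return HttpService:JSONDecode(HttpService:GetAsync(LIVE_URL:format(passId)))
	end)
end

-- Fail closed: without a live price nothing is credited. When both sources
-- answer, the lower value wins, so a stale high price from the cached lookup
-- cannot inflate the leaderboard.
local function amountToCredit(passId)
	local live = livePrice(passId)
	if live == nil then return nil end
	local cached = cachedPrice(passId)
	return cached and math.min(cached, live) or live
end

MarketplaceService.PromptGamePassPurchaseFinished:Connect(function(player, passId, wasPurchased)
	if not wasPurchased then return end
	local amount = amountToCredit(passId)
	if amount == nil then
		warn(("Donation for pass %d not credited: live price lookup failed"):format(passId))
		return
	end
	player:SetAttribute("Donated", (player:GetAttribute("Donated") or 0) + amount)
end)
```

Taking the lower value can under-credit a donation made right after a legitimate price increase; that trade-off favours leaderboard integrity over exact totals.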

Here’s the thing: if GetProductInfo() doesn’t work correctly, you really should submit a bug report so Roblox engineers are aware of it and they can get the problem fixed. Roblox uses a lot of caching to speed up lookups and such for performance reasons. If the cache is getting corrupted, that would explain a lot.

This has been a persistent issue for years; the engineers are well aware of this and there are countless posts on it already, I’m just providing a temporary solution for games who suffer from this exploit.

Turns out it’s a recent Roblox vulnerability that just got leaked.