You can see this player has 49334 score and 68.91% accuracy.
When the player finishes, their score will be sent to the server for leaderboards ranking purposes.
But something went off.
My game had a score cap of 1000000 (one million), but this guy went into the leaderboards with a higher one.
2091023? That’s impossible.
It is 100% sure he fired the remote to send his own typed score on his exploit.
I’ve thought of a method: what if any scores above one million are not accepted to the leaderboards? It will still fail, because people can send perfect 1000000 scores without anyone noticing whether it’s their real score or an exploit-sent score.
How do I prevent this from happening?
Extra descriptions:
The gameplay is client-sided; after the player finishes playing, their score will be sent to the server through a RemoteFunction.
The server receives the score and puts it in the leaderboard.
Server verification:
1st: not score>maxScore
2nd: if you can map your points awarded with time on level you could fire progressive updates and check how the player is doing with score/tick?
3rd: Ban player from board if they cheat.
The best you can do is detect if the score is greater than the max possible, then kick / ban them. The only other option is to have the server validate every move, which will take a lot of time. Sadly, without reworking your entire game, anyone can fire remotes. There really is no good way to work with your current system; you might just have to change it. Exploit protection is not possible with this system other than removing fake values.
As a side note, you can set a max number to the getSortedAsync function, which will allow you to remove all current cheaters without manually going through.
I had the same thoughts as yours before; sadly, it is impossible to check the player’s score frequently because the score always updates every 48/40fps (Heartbeat).
If I do this it will create a mass slowdown for the game.
You can add an extra step of protection against somebody firing your remote. If the player looks into your scripts then it won’t matter, but this may help against some hackers. Have the client send a code like &HC&(AH#G% and if the server gets the correct code then you can be more certain that it’s not a hack. (It can still be a hack if they access your scripts and figure out the code.)
Does your board have a finite size? You can do the check only if it would be on the highscores, limiting the work to only the few times people are doing really well.
Or cache values for a time, then sort them out in a thread together and update the highscores at given time periods.
Exploits can be used to read the values being sent through a remote. While this may be a band-aid solution, it will not prevent many exploiters. In general, the problem here is the client determines their score. If the server played a role, it would be much more secure.
You can record all of the player’s input and input timing, cache all of it and wait till the game is over on the client, send the data to the server and validate it then, and return an official score to display.
A similar idea to @GuestCapone’s would be to cache hits and misses, instead of inputs and when they should be hitting. Instead of sending a score to the server, you would cache the hits and misses, send those to the server, and calculate the score there on the server.
Might be just a rewording of Guest’s idea though, may have misunderstood what he was saying.
You would want to record the input and timing of input so you would be able to tell if they missed completely, or got close enough for an “ok” or got it perfectly.
You do not cache on the client whether they missed or hit; if you did that, then that can be exploited by an exploiter. Instead, caching the input and timing of input makes it a lot harder to exploit because the exploiter will need to know the exact time to overwrite with the input.
Step progression:
Send it during play, so that 5 sec in they have x points and m is max possible
server check x<m
set 2 is 5sec - 10sec x points total, n is max total
x<n deltaX <= n-m
with ticks to check that ticks are inline with game +/- latency error
Just complicated enough to find someone jacking with the system and boot them from highscores. Need very thorough testing to make sure you don’t get false positives on your isHaxor check.
Make sure to keep an obvious Remote with Final score.
But honestly a simple check on server to prevent highscore > maxscore is probably not going to bog down the system and you can prevent crazy scores, you might start getting a lot of maxes though.
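The checkpoint scheme from the post above (x against the running maximum, deltaX against n - m, and ticks within a latency margin), written as a server-side check. This is an added example, not code from the thread; the chart, point value, latency margin and function names are assumptions made for illustration.

```lua
-- Added example. NOTE_TIMES, POINTS_PER_NOTE and LATENCY are constructed values.
local NOTE_TIMES = {1.0, 1.5, 2.0, 2.5, 6.0, 7.0, 8.5, 9.0} -- server-owned chart, seconds
local POINTS_PER_NOTE = 300 -- best judgement for one arrow (assumed)
local LATENCY = 0.5 -- tolerated clock drift in seconds (assumed)

-- Highest score attainable once t seconds of the song have elapsed.
local function maxScoreAt(t)
	local count = 0
	for _, noteTime in ipairs(NOTE_TIMES) do
		if noteTime <= t then count = count + 1 end
	end
	return count * POINTS_PER_NOTE
end

-- state = {startedAt, lastT, lastScore}, kept on the server per player.
-- now is the server clock; songT and score are what the client reported.
local function checkCheckpoint(state, now, songT, score)
	if type(songT) ~= "number" or type(score) ~= "number"
		or songT ~= songT or score ~= score then -- x ~= x is true only for NaN
		return false, "bad types"
	end
	if songT <= state.lastT then return false, "time went backwards" end
	-- "ticks inline with game +/- latency": client song time vs. server elapsed time
	if math.abs((now - state.startedAt) - songT) > LATENCY then
		return false, "tick drift"
	end
	-- widen both bounds by LATENCY so a hit landing on a boundary is not a false positive
	local m = maxScoreAt(state.lastT - LATENCY)
	local n = maxScoreAt(songT + LATENCY)
	if score < state.lastScore then return false, "score decreased" end
	if score > n then return false, "x > n" end
	if score - state.lastScore > n - m then return false, "deltaX > n - m" end
	state.lastT, state.lastScore = songT, score
	return true
end

-- Constructed run: an honest checkpoint at 5 s, then an inflated one at 10 s.
local state = {startedAt = 100, lastT = 0, lastScore = 0}
print(checkCheckpoint(state, 105.1, 5.0, 1200))
print(checkCheckpoint(state, 110.0, 10.0, 5000))
```

One checkpoint every few seconds costs one remote call per window, not one per Heartbeat.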
I don’t think that’s what he meant at all. What I’m thinking Guest was saying would be to send the inputs and when they were done by the player.
Ex. A table of {{"Left" , timestamp}, {"Right", timestamp}, ... etc} and then recalculating the score on the server based on how these hits match up to the actual order and timing of the keys.
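The recalculation described in the post above, as an added example that is not part of the original thread: the server keeps its own copy of the chart, validates the submitted `{{"Left", timestamp}, ...}` log, and derives the score itself. The chart, timing windows, point values and the `scoreFromInputs` name are assumptions; in a Roblox game the function would be called from the RemoteFunction's `OnServerInvoke` handler.

```lua
-- Added example. CHART, the timing windows and the point values are constructed.
local CHART = { -- server-owned copy of the song: lane and time (seconds) of each arrow
	{lane = "Left", t = 1.00}, {lane = "Right", t = 1.50},
	{lane = "Up", t = 2.00}, {lane = "Down", t = 2.50},
}
local PERFECT, OK = 0.05, 0.15 -- timing windows in seconds (assumed)
local PERFECT_PTS, OK_PTS = 300, 100 -- points per judgement (assumed)
local MAX_INPUTS = #CHART * 4 -- reject absurdly long logs

-- Returns the recomputed score, or nil plus a reason when the log is malformed.
local function scoreFromInputs(inputs)
	if type(inputs) ~= "table" or #inputs > MAX_INPUTS then
		return nil, "bad log"
	end
	local lastT = -math.huge
	for _, ev in ipairs(inputs) do
		if type(ev) ~= "table" or type(ev[1]) ~= "string" or type(ev[2]) ~= "number"
			or ev[2] ~= ev[2] -- NaN timestamp
			or ev[2] < lastT then -- timestamps must not go backwards
			return nil, "bad event"
		end
		lastT = ev[2]
	end
	local score, used = 0, {}
	for _, note in ipairs(CHART) do
		-- Pick the closest unused press on this arrow's lane inside the OK window.
		local best, bestDt
		for i, ev in ipairs(inputs) do
			local dt = math.abs(ev[2] - note.t)
			if not used[i] and ev[1] == note.lane and dt <= OK
				and (bestDt == nil or dt < bestDt) then
				best, bestDt = i, dt
			end
		end
		if best then
			used[best] = true -- one press can score at most one arrow
			score = score + (bestDt <= PERFECT and PERFECT_PTS or OK_PTS)
		end
	end
	return score
end

-- Constructed logs: two perfects, one OK and one miss; then a malformed event.
local sampleLog = { {"Left", 1.02}, {"Right", 1.62}, {"Up", 2.00}, {"Down", 3.40} }
print(scoreFromInputs(sampleLog))
print(scoreFromInputs({ {"Left", "soon"} }))
```

Because the score is capped by the server's own chart, a submitted log can never yield more than the song allows. A log produced by an automated player still scores as genuine, so this removes client-stated scores but not improperly gained ones.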
This really has no use as exploiters can see what’s been sent to the server with remotes and received with remotes. Aside from that, all local scripts are strippable and readable by exploiters. The basic rule in Roblox scripting is: Don’t trust the client.
Unfortunately this is always an issue with this kind of game. RoBeats and BloxSaber have this problem too.
Though iirc, RoBeats does something similar to what @GuestCapone suggested. I believe they also check if the amount of “hits” (in your case falling arrows) that the player either got or missed matches, so it isn’t greater than the total amount the song has.
You can also do what BloxSaber does: reset the leaderboard every x hours or days. That way exploiters won’t stay on the top forever.
There’s no perfect way to prevent exploiters from sending modified scores to the server.
An exploiter could easily check whether a falling arrow overlaps one of the four main arrows every frame and automatically press the corresponding key if it does, allowing them to get a perfect score without actually sending fake scores, just improperly gained scores.
What I suggest you do, and what @Amiaa16 mentioned, is reset the leaderboard occasionally. This will allow you to identify any exploiter as you’ll see them with perfect scores every reset.
Alternatively, you could keep a record of all the people that have gotten perfect scores and all of their scores from every game they’ve played, and if they’ve got x perfects in a row, then they’re likely an exploiter.
This made me think of tracking a player’s play time, and manually reviewing it. That way you could check if the user had been playing what would typically be called the average amount needed to get a high score.
Though I believe constantly resetting leaderboards may be the most interesting solution, and could result in people either wanting to constantly come back to the game to regain their status, for instance, in Rust, where servers wipe their servers every week, enticing people to come back. It could also push people away from the game, as their scores aren’t permanent.