No. They cannot access the server, but they can take over remotes to cause that.
1 Like
But how did they play music I don’t think arsenal has a thing that lets people make music or create thousands of parts.
2 Likes
Alright. Then name all of the “blocks” something like “Block” then detect if anything other than Blocks is inserted into the Workspace
1 Like
I like the idea but they can just name their part Block
1 Like
Arsenal has a Music function as an emote. There is likely a remote for that
1 Like
What about creating loads of parts?
2 Likes
Okay, then also detect if any children are added to the CoreGui
1 Like
Workspace is able to be accessed by the client. Roblox has their own built in remotes that have to be present.
1 Like
Ah i see so they accessed those remotes?
1 Like
Yes. Without those roblox made remotes, no game will ever work. The remotes are what make every player see the workspace.
Like I said before, you can detect if any GUI is inserted into CoreGui, so that exploiters cannot open up their Hacking Panel if it is in the CoreGui
1 Like
I have a new idea, check the parts size and color and position
(I can check if it would be possible for each children to be where they are with my auto generate terrain function)
1 Like
That is also a very liable solution.
1 Like
Sound specifically is replicated from the client to the server by default. Turn on SoundService.RespectFilteringEnabled to disable replication of sounds.
EDIT: Also, there is no way for someone to do server-sided things unless you let them, either by creating remotes that they can call, or installing bad plugins/free models in your game. Again, without help from you, there is no way for exploiters to access your servers.
EDIT2: Except for character replication and sound replication. But that’s ROBLOX’s fault 
3 Likes
Thanks! I will mark yours as the solution because you have helped me lots, have a good day 
2 Likes
U can also check if the parts are anchored.
Your welcome! I am usually pretty good at this stuff, so if you need any help, just PM me!
Alright will do thanks (meow meow)
1 Like
Generally, the way this works is because of the server code that exists. I like to think of all of the code I use locally like it can be modified by exploiters, because this is basically what exploits do, they just modify or create new local code.
The reasons exploits like that exist is because of how the server code works. Remotes are something that is used in Roblox to have the client tell the server something, or vice versa.
Some exploits take advantage of that sort of thing within Roblox itself, because sometimes Roblox has some weird behaviours. For example, one of the lesser known but more common ones is that things inside of the Player’s Character can actually be deleted, and that deletion will replicate. Properties still won’t replicate though, just deletions. An example of how this is used is in an “Invincibility” exploit which deletes the Humanoid from the Character. Additionally, Tools with CanBeDropped as false can’t be dropped normally, but, Roblox still allows an exploiter to drop the tools (What happens if you make the tool CanBeDropped on the client? Should the tool still be droppable or not? It’s hard to decide how that should work).
If your remote does something, you have to think about how an exploiter could try and break it or use it. Some games might do something that looks like this in their code:
DeleteObject.OnServerInvoke = function(player, object)
object:Destroy()
end
This is bad, because, this allows an exploiter to delete any object, even if you didn’t intend for any object to be deleted. So basically, you need to check if the player is allowed to delete an object.
This is what is referred to as “sanity checking,” which basically just means “checking if the things that you have make sense.” It doesn’t make sense if a player can’t do something but they did it anyway.
Likely, when the exploiter you were referring to was making parts in Arsenal, they were probably using a remote like this. This is hypothetical, but, an example of what could have happened, was that the game maybe sends some sort of visual bullet information to the server. If an exploiter changes the stuff that gets sent, or sends their own stuff, and the server uses it, it would be bad. Instead, what should be done in that case is that the server decides the visual stuff rather than the client sending it.
4 Likes
WOW THANK YOU SO MUCH!!! I am glad you gave a detailed explanation it’s very nice of you
1 Like
No problem! 
I also made a post talking about specifically game security/Roblox anti cheats. It might be helpful to scan through. I’d also recommend looking at devhub articles on Remotes and other explanations too.
1 Like