Question about Touched events

I’ve heard that touched events are unreliable, and I just wanna clarify something.

Can Touched events be manipulated by the client in some way?

2 Likes

They are considered unreliable because sometimes they won’t be triggered due to the touching part moving at very high speed, latency, etc.

2 Likes

Alright, but can the Touched event be exploited in some way though?

1 Like

You can consider them exploitable in the sense that exploiters can teleport themselves to parts thus firing the Touched event, so it’s enough to check distance between the player and the part on the server.

There’s a great video by Suphi explaining this in detail and how to solve it.

Watch from 12:30

1 Like

My game relies on Touch events, since upon hit you get damaged. If hackers can force Touch events to happen, can they also make them reject the touch event from even firing?

On the server, no.

.Touched fires on the server and client. From what I’ve seen, if two parts aren’t touching on the client, it will not fire on the client. Same on server and vice versa.

If you want to be sure that your events will fire, you should connect to the events on the server.

1 Like

What events are you talking about?

You can read about how .Touched works here

1 Like

If you handle the .Touched events on the client that communicates with the server, you will most likely use a RemoteEvent. If the RemoteEvent is received on the server and it does something like damage a player that was given as an argument, a hacker/exploiter can call the event from the client and abuse the RemoteEvent.

Very rough and barebone example:

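---LOCAL SCRIPT---
local ReplicatedStorage = game:GetService("ReplicatedStorage")

part.Touched:Connect(function(hit)
	local player = hit.Parent -- character model that touched the part
	ReplicatedStorage.RemoteEventForDamagingPlayer:FireServer(player)
end)

---SERVER SCRIPT---
local ReplicatedStorage = game:GetService("ReplicatedStorage")

-- OnServerEvent passes the firing player first; the client-chosen target follows.
-- The server trusts that target without any check (the flaw being illustrated).
ReplicatedStorage.RemoteEventForDamagingPlayer.OnServerEvent:Connect(function(sender, player)
	player.Humanoid:TakeDamage(10)
end)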

All the hacker/exploiter has to do to abuse this command is to use the RemoteEvent with a player argument. This line will be sufficient:

ReplicatedStorage.RemoteEventForDamagingPlayer:FireServer(iDontLikeThisPlayer)

And it will damage the person with that username. To lock this behind bars and make it inaccessible for the hacker/exploiter, just run the .Touched events in a ServerScript. Any code in ServerScripts is hidden as soon as the experience loads, making it impossible for them to find and/or abuse.
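
The server-side approach suggested in this thread (connect .Touched in a server Script and check the distance between the character and the part), sketched as an added example that is not code from any poster. It assumes the Script is parented to the damaging part; the cooldown and tolerance values are assumptions to tune per game.

```lua
-- Added example: server Script parented to the damaging part (assumed layout).
local Players = game:GetService("Players")

local part = script.Parent
local DAMAGE = 10      -- same amount as the thread's example
local COOLDOWN = 0.5   -- assumed: seconds between accepted hits per player
local TOLERANCE = 6    -- assumed: studs of slack for latency and limb reach

local lastHit = {}     -- [Player] = os.clock() of the last accepted hit

-- True when the server's view of the character is close enough to touch the part.
local function isPlausibleTouch(character)
	local root = character:FindFirstChild("HumanoidRootPart")
	if not root then
		return false
	end
	-- Half the part's diagonal bounds how far its surface lies from its centre.
	local reach = part.Size.Magnitude / 2 + TOLERANCE
	return (root.Position - part.Position).Magnitude <= reach
end

part.Touched:Connect(function(hit)
	-- Resolve the touching part to a player's character; ignore everything else.
	local character = hit:FindFirstAncestorOfClass("Model")
	local player = character and Players:GetPlayerFromCharacter(character)
	if not player then
		return
	end
	local humanoid = character:FindFirstChildOfClass("Humanoid")
	if not humanoid or humanoid.Health <= 0 then
		return
	end
	if not isPlausibleTouch(character) then
		return -- a touch was reported, but the server sees the character elsewhere
	end
	local now = os.clock()
	if lastHit[player] and now - lastHit[player] < COOLDOWN then
		return -- Touched fires per limb; accept one hit per cooldown window
	end
	lastHit[player] = now
	humanoid:TakeDamage(DAMAGE)
end)

-- Drop the cooldown entry when the player leaves so the table does not grow.
Players.PlayerRemoving:Connect(function(player)
	lastHit[player] = nil
end)
```

No RemoteEvent is involved, so the client never names a damage target; the server derives it from the part that touched.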

There is a function for exploits to fire touch events.
I think they can also delete the part on their client to avoid it firing the .Touched event.

1 Like

Don’t forget the first argument passed to a function connected to the ‘OnServerEvent’ event of a ‘RemoteEvent’ instance is the player instance of the client that fired the ‘RemoteEvent’ instance.

1 Like

If I set the ownership to the server beforehand, will the client be able to do anything about it? I tested in my game and it seems like I couldn’t do anything to stop the object from detecting touch or whatnot.