Raycast Anti-Exploit Question/Feedback

Hi there, I’ve been researching methods on anti-exploit with Raycast weapons and have decided to begin making my own raycaster weapons anti-exploit. Currently, I am creating a Raycast on the client and the server so that I can compare the distance of the rays to check for any discrepancies. If the distances are the same or almost the same (within 6 studs for ping delay) it will pass the check and damage the player, if not it will not damage the player. Is this worth doing? and have I done this correctly?

Remote.OnServerEvent:Connect(function(Player, Part, Position, Distance, Vector, muzzlePos, mousePos, Weapon, Head, Damage, Spread, Speed, BulletType)
	local Ignore = {Player.Character}
	table.insert(Ignore, Player.Character)
	local accurateRayA = Ray.new(Head, (mousePos - Head).unit * 4000)
	local rayA = Ray.new(accurateRayA.Origin, CFrame.Angles(math.rad(math.random(-Spread, Spread) / 100), math.rad(math.random(-Spread, Spread) / 100), math.rad(math.random(-Spread, Spread) / 100)) * accurateRayA.Direction)
	local PartA, PositionA, VectorA = game.Workspace:FindPartOnRayWithIgnoreList(rayA, Ignore)
	local DistanceA = (Weapon.MuzzlePoint.CFrame.p - Position).magnitude
	print((Vector3.new(Distance) - Vector3.new(DistanceA)).Magnitude)
	if Part and (Vector3.new(Distance) - Vector3.new(DistanceA)).Magnitude < 6 then
		if Part.Parent:FindFirstChild("Humanoid") then
			if Part.Name == "Head" then

Remember: Anything on the client can be very easily bypassed. Checks on the server is the best anyone can do right now.

In my opinion, creating an anti-exploit is not worth it. About the script, I’m not sure if you have done this correctly.

If anti-exploit means reducing the amount of exploiters on my game them I see this as a complete win.

1 Like

But if it can be easily bypassed then what’s the point of doing this all?

Just make it harder to be bypassed. Anti-Exploit isn’t ever going to be 100% effective, if it was a hopeless cause like you say it is then no one on Roblox would be doing it. And if serverside checks are the best anyone can do right now then I guess I am doing the best I can.


Be very very careful of receiving values from the client, as exploiters can easily spoof or change them.

So anything that the server already knows about, should never be (re)sent from the client(s) back to the server.

I see in your function’s list of arguments, that it gladly accept (and never verifies) whatever Damage, Spread, Speed, BulletType etc. values the client specifies for the RemoveEvent.

Wouldn’t the server code already know of these values? - Or is your game’s weapon-system so dynamic and open, that clients can “code their own values” and completely ignore what the server may have told them?

Also exploiters may quickly figure out, that the value for Part, does not even have to be close to the Position, Distance, mousePos, Head etc.

As others write; “never trust the client”. - If the server already knows of, or is owner of, “some value”, then there is absolutely no need to have a (compromised) client tell the server this “value”.

I haven’t had time yet to make a module script for the server to have all of the weapons values and fire rates. Though if I were too do this couldn’t players just change the name of the item in the script, and turn a normal pistol into a rifle?

Yes. Yes he could.

So you, as the developer, also has to “think like an exploiter” and find the weak-spots in your own code, so you can identify any potential problems, and fix them to the best of your abilities, before the game is published. - And then thereafter also fix the bugs and unseen exploits that will appear, once other people gains access to play your game.

So there are many more verifications and sanity checks that could / should / must be added, for those functions that receive data from clients.

A simple verification would be, that the server checks that the player actually “owns / has” the weapon in inventory, that is being fired.

What would be good sanity checks to carry out in my server script? All I can think of is comparing the two hit parts from both of the rays and checking the distance the ray goes.

As I do not know your entire code, nor how your weapon-system works, the following is just “generic recommendation”:

When client “fires weapon”, the only values sent to server would be; direction-of-shot.

Server already know; position-of-player’s-character, selected-weapon, amount-of-ammo, cooldown-time/firing-rate, damage-value, bullet-type-and-spread, max-weapon-range etc.

By receiving only ‘direction-of-shot’ from the client, the server can calculate all the other stuff, and you have reduced any potential exploitation-attack-vectors to just that one value.

Unfortunately that does not take into account any latency-prediction-adjustments, so to get “pinpoint accuracy” - which I have never attempted myself - you would need to search/find and study any documentation / whitepapers on how other games (not necessarily Roblox games) have managed to implement in code such predictions, while (supposedly) also avoiding exploitation (e.g. aim-bots, xray-vision etc.)

I am experiencing the same issue with RayCasting as Exploiters are able to use a hitbox expander on melee weapons and I think this must be due to RayCasting so I would like to see if I can patch the RayCasting exploit for melee weapons like Knifes, Swords, Axes, etc… because they are able to damage a player from a distance. It would be helpful if I could prevent this. Thanks!

If you cast the Raycast in server Hitbox expander will not work hitbox only works in client also checking distance can help but this will make it harder to hit players

I’m not really sure but i used raycast in my melee and i tested it