RemoteEvent exploits and how to prevent a future specific exploit

So obviously I am making a game and just started to implement the “never trust the client” technique.

However, my game is about zombies and when the zombie touches the player it fires the event to the server. Of course I can add protection on the server like ask what team the zombie is and etc but then if the player is a zombie anyway how would I go around to check if the zombie actually did hit the player?

In addition, how would I go around making a damage event for my gun. Of course I can check for the bullets and etc. However, they can still damage a lot of players if the bullets and other protection measures are still there? How would I make sure it hit the player?

Help is well appreciated :slight_smile:

5 Likes

Alright, I will try to do something about the bullet thing.
However, about the zombie touch thing. It checks if it is touched on the client and then fires the remote. How would I go around and check if the zombie hit the survivor on the server?

1 Like

Ideally for damage from weaponry, all the players have to do is pass the mouse location they’re aiming at and the server takes care of the rest. Without server-authoritative characters, though, you have to trust the client to some degree if you want a responsive game experience.

For zombies, the client shouldn’t need to tell the server it was damaged. The server can handle the touch colliding authoritatively.

No. Do the checks on the server, the client could lie to the server and keep saying “Not hit”. Touched events should work on the server. I have em’ everyewhere in my game.

Take a look at this for a basic anti-cheat method:

It makes sense because the hacker / exploiter can change their currency all they want, but the server is blind… It wont detect that change. (Filtering enabled again…)

Don’t take what the client’s word for it then give them the product! Check the leaderstats on the server! Then go from there…

Do the following:

local Player = nil
local Zombie = script.Parent

Zombie.Touched:Connect(function(hit)
    if hit.Parent:IsA("Accessory") then
        Player = hit.Parent.Parent
        elseif hit:IsA("MeshPart") then
        Player = hit.Parent
        
    end
    if Player:FindFirstChild("Humanoid") then
        Player:FindFirstChild("Humanoid").Health = Player:FindFirstChild("Humanoid").Health - 25 -- This is the damage
end

Then you could add a " Debounce " so the player does not take lots of damage at once.

You can also put a boolvalue inside the player that will tell wether or not the player is a survivor.

If BoolValue.Value == true then
– They are a survivor
end

Yes I can do that, however the problem is my character runs an animation which , i know, works on server but it runs when the player clicks its mouse. The zombie can only damage when it clicked its mouse, the animation ran then it should damage.

Severscripts cannot detect when the player clicked its mouse.

1 Like

Detect when the player clicks their mouse on the client. Here is a tool example:

local Tool = script.Parent

Tool.Activated:Connect(function()
– Tool is equiped and they clicked their mouse when it is already equiped so fire an event
– Put a debounce on the server so AutoClickers can’t spam click
end)

Take a look at this sword: https://www.roblox.com/library/2120322329/RB2018-Sword

When the player clicks with the tool equiped the player touching the tool takes damage.

Well yes I can do it on the client then fire the event and the server checks if the player clicked and then the zombie can damage. However, won’t there be a pause due to the network. It can ruin the gameplay with that 1 second of the pause…

1 Like

You could check on the server for when ever another humanoid touches a survivor. If you want to keep doing it on the client, you could check the magnitude between both HumanoidRootParts to make sure they are close enough together. For the gun, store everything on the server. I would keep a string / int in a value somewhere. Make a module that contains the guns stats (damage, etc) and when the event is fired, check that players current weapon and get the stats from the module. For hitting a player, ray casting. Send the Mouse.Hit over to the server and fire a ray to that position from the player to that position.

1 Like

Thank you so much, that solved the issue with the zombie event. I will definitely try to do what you told me with the gun, however won’t there be lag and the player will probably move by the time the event is passed on?

As long as you don’t add any waits, the event will fire instantly.

That’s not always true for RemoteEvents.

So then what should I do? Because by the time the remote is received the zombie would have probably already moved…

I mean you can just have the exploit just negate the damaging effects and not automatically kick the player. People with bad connections or if your game is lagging, they will probably be upset with the game though.

Another thing you can do is have the client fire the hit part to the server instead of the position (if they’re trying to hit a humanoid instead of the previous position since they’ll move.)