RemoteEvent exploits and how to prevent a future specific exploit

So obviously I am making a game and just started to implement the “never trust the client” technique.

However, my game is about zombies and when the zombie touches the player it fires the event to the server. Of course I can add protection on the server like ask what team the zombie is and etc but then if the player is a zombie anyway how would I go around to check if the zombie actually did hit the player?

In addition, how would I go around making a damage event for my gun. Of course I can check for the bullets and etc. However, they can still damage a lot of players if the bullets and other protection measures are still there? How would I make sure it hit the player?

Help is well appreciated :slight_smile:

5 Likes

If you want to detect if the bullet hits the player, that’s a hard one to answer…

Basically, when the player shoots I recommend doing the check on the server, BUT one thing that exploiters / “Ping abusers” can do is shoot in front of the enemy. If you do a client side check on the person who shot it however, on the client you are shooting at they will be past the shooter(s) cross hair(s) (depending on the ping), and you will then have to fire a(n) remote event, and let the server listen for when that event fires, and it will give the shot player damage. Another method is doing checks on both the Client and the Server, then putting the bullet in between what the server sees and the client sees. (But hackers, exploiters can change it! If it is on the client’s memory, if the memory path is not encrypted, the client can change what they send to the server, including changing an(y) localscript(s).)

So, … Do the “Bullet Hit” checks on the server to be fair!

On checking whether or not the zombie hit the player, simply check: Is the zombie being touched? Does the parent of the object that touched the zombie have a Humanoid in it? Is the parent a player model? Is the player not on the zombie’s team? Then give that player some damage!

To check what team the zombie is on then, add a stringvalue in the zombie. Set the stringvalue’s value to whatever team the zombie is on. Any changes made to the string value by an exploiter / hacker will not replicate to the server or other client(s) due to filtering enabled.

If you need more help, let me know :smiley:, also: (I was in a hurry so I apologise for any mistakes that I made while making this post)

Alright, I will try to do something about the bullet thing.
However, about the zombie touch thing. It checks if it is touched on the client and then fires the remote. How would I go around and check if the zombie hit the survivor on the server?

1 Like

Ideally for damage from weaponry, all the players have to do is pass the mouse location they’re aiming at and the server takes care of the rest. Without server-authoritative characters, though, you have to trust the client to some degree if you want a responsive game experience.

For zombies, the client shouldn’t need to tell the server it was damaged. The server can handle the touch colliding authoritatively.

No. Do the checks on the server, the client could lie to the server and keep saying “Not hit”. Touched events should work on the server. I have ’em everywhere in my game.

Take a look at this for a basic anti-cheat method:

https://developer.roblox.com/articles/Game-Security

It makes sense because the hacker / exploiter can change their currency all they want, but the server is blind… It won’t detect that change. (Filtering enabled again…)

Don’t take the client’s word for it then give them the product! Check the leaderstats on the server! Then go from there…

Do the following:

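local Zombie = script.Parent

Zombie.Touched:Connect(function(hit)
    -- Resolve the character model that owns the touching part.
    -- Declared per touch so a stale value from an earlier touch is never reused.
    local Player = nil
    if hit.Parent and hit.Parent:IsA("Accessory") then
        Player = hit.Parent.Parent
    elseif hit:IsA("MeshPart") then
        Player = hit.Parent
    end

    -- Only damage models that actually contain a Humanoid
    local Humanoid = Player and Player:FindFirstChild("Humanoid")
    if Humanoid then
        Humanoid.Health = Humanoid.Health - 25 -- This is the damage
    end
end)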

Then you could add a " Debounce " so the player does not take lots of damage at once.

You can also put a boolvalue inside the player that will tell whether or not the player is a survivor.

if BoolValue.Value == true then
    -- They are a survivor
end

Yes I can do that, however the problem is my character runs an animation which, I know, works on server but it runs when the player clicks its mouse. The zombie can only damage when it clicked its mouse, the animation ran then it should damage.

Server scripts cannot detect when the player clicked its mouse.

1 Like

Detect when the player clicks their mouse on the client. Here is a tool example:

local Tool = script.Parent

Tool.Activated:Connect(function()
    -- Tool is equipped and they clicked their mouse when it is already equipped so fire an event
    -- Put a debounce on the server so AutoClickers can’t spam click
end)

Take a look at this sword: https://www.roblox.com/library/2120322329/RB2018-Sword

When the player clicks with the tool equipped the player touching the tool takes damage.
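A server-side handler for the click-then-fire pattern described above, written as an added example that is not code from any poster in this thread. It goes slightly beyond the post by combining the server debounce with a team check and a range check against positions the server itself sees. The RemoteEvent name "ZombieAttack", the team name "Zombies" and the cooldown and range values are assumptions.

```lua
-- Server Script (added example, not from the thread).
-- Assumed: a RemoteEvent named "ZombieAttack" in ReplicatedStorage and a Team named "Zombies".
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local attackEvent = ReplicatedStorage:WaitForChild("ZombieAttack")

local DAMAGE = 25     -- same damage as the Touched snippet earlier in the thread
local COOLDOWN = 1    -- seconds between accepted attacks (assumed value)
local MAX_RANGE = 6   -- studs between root parts (assumed value)

local lastAttack = {} -- [Player] = os.clock() of the last accepted attack

local function rootOf(character)
    return character and character:FindFirstChild("HumanoidRootPart")
end

attackEvent.OnServerEvent:Connect(function(attacker, targetCharacter)
    -- 1. The client can send any value, so check the argument type first.
    if typeof(targetCharacter) ~= "Instance" or not targetCharacter:IsA("Model") then return end

    -- 2. Attacker must be a zombie; target must be another player on a different team.
    local target = Players:GetPlayerFromCharacter(targetCharacter)
    if not target or target == attacker then return end
    if not attacker.Team or attacker.Team.Name ~= "Zombies" then return end
    if target.Team == attacker.Team then return end

    -- 3. Server-side debounce: an autoclicker cannot exceed one hit per COOLDOWN.
    local now = os.clock()
    if lastAttack[attacker] and now - lastAttack[attacker] < COOLDOWN then return end

    -- 4. Range check using the positions the server sees, not anything the client sent.
    local a, b = rootOf(attacker.Character), rootOf(targetCharacter)
    if not a or not b or (a.Position - b.Position).Magnitude > MAX_RANGE then return end

    local humanoid = targetCharacter:FindFirstChildOfClass("Humanoid")
    if humanoid and humanoid.Health > 0 then
        lastAttack[attacker] = now
        humanoid:TakeDamage(DAMAGE)
    end
end)

-- Drop per-player state when the player leaves.
Players.PlayerRemoving:Connect(function(player)
    lastAttack[player] = nil
end)
```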

Well yes I can do it on the client then fire the event and the server checks if the player clicked and then the zombie can damage. However, won’t there be a pause due to the network? It can ruin the gameplay with that 1 second of the pause…

1 Like

You could check on the server for whenever another humanoid touches a survivor. If you want to keep doing it on the client, you could check the magnitude between both HumanoidRootParts to make sure they are close enough together. For the gun, store everything on the server. I would keep a string / int in a value somewhere. Make a module that contains the gun’s stats (damage, etc) and when the event is fired, check that player’s current weapon and get the stats from the module. For hitting a player, ray casting. Send the Mouse.Hit over to the server and fire a ray to that position from the player to that position.

1 Like
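The gun flow from the post above (stats kept on the server, weapon looked up per shot, ray cast toward the aimed position), as an added example that is not code from the thread. The RemoteEvent name "FireGun", the tool name "Pistol" and the stat values are assumptions; the stats table is inlined here so the script stands alone, where the post suggests a module.

```lua
-- Server Script (added example, not from the thread).
-- Assumed: a RemoteEvent named "FireGun" in ReplicatedStorage and a Tool named "Pistol".
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local fireEvent = ReplicatedStorage:WaitForChild("FireGun")

-- Server-only stats, so the client never supplies damage or range (constructed values).
local GunStats = {
    Pistol = { Damage = 20, Range = 300, FireDelay = 0.25 },
}
local lastShot = {} -- [Player] = os.clock() of the last accepted shot

fireEvent.OnServerEvent:Connect(function(player, aimPosition)
    -- The only thing accepted from the client is where it is aiming.
    if typeof(aimPosition) ~= "Vector3" then return end

    -- Weapon and stats come from what the server sees equipped on the character.
    local character = player.Character
    local head = character and character:FindFirstChild("Head")
    local tool = character and character:FindFirstChildOfClass("Tool")
    local stats = tool and GunStats[tool.Name]
    if not head or not stats then return end

    -- Rate limit by the weapon's own fire delay.
    local now = os.clock()
    if lastShot[player] and now - lastShot[player] < stats.FireDelay then return end
    lastShot[player] = now

    -- Reject NaN, infinite or zero-length aim vectors before normalising.
    local offset = aimPosition - head.Position
    local dist = offset.Magnitude
    if dist ~= dist or dist == math.huge or dist < 0.001 then return end

    local params = RaycastParams.new()
    params.FilterType = Enum.RaycastFilterType.Exclude
    params.FilterDescendantsInstances = { character } -- do not hit the shooter
    local result = workspace:Raycast(head.Position, offset.Unit * stats.Range, params)
    if not result then return end

    -- Walks past Accessory handles up to the character model, if any.
    local model = result.Instance:FindFirstAncestorOfClass("Model")
    local humanoid = model and model:FindFirstChildOfClass("Humanoid")
    if humanoid and humanoid.Health > 0 then
        humanoid:TakeDamage(stats.Damage)
    end
end)

Players.PlayerRemoving:Connect(function(player)
    lastShot[player] = nil
end)
```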

Thank you so much, that solved the issue with the zombie event. I will definitely try to do what you told me with the gun, however won’t there be lag and the player will probably move by the time the event is passed on?

As long as you don’t add any waits, the event will fire instantly.

That’s not always true for RemoteEvents.

So then what should I do? Because by the time the remote is received the zombie would have probably already moved…

I mean you can just have the exploit just negate the damaging effects and not automatically kick the player. People with bad connections or if your game is lagging, they will probably be upset with the game though.

Another thing you can do is have the client fire the hit part to the server instead of the position (if they’re trying to hit a humanoid instead of the previous position since they’ll move.)