I recently came across several hackers attacking my game’s code. Most of the code is old, as I was still learning how to script, but the game is now undergoing a revamp to fix such issues. However, I came across something interesting that I was not aware of: the client can destroy parts and it will change on the server as well. And so things such as ‘Fake-Health’ values cannot be manipulated, yet they can be destroyed by the client and the server will also delete such a value, rendering the player immortal in the game. Along with this, there have been several other vulnerabilities within my coding that allow players to abuse the economic system due to my cooldowns being applied through String Values (not Attributes), and seeing as the client can easily remove them, there is nothing I can do as of now.
I was wondering how I may go around this? If the client can easily destroy objects from the client and have that registered on the server as true, how can I ever add objects to the player’s character such as health values, or a ‘KilledBy’ tagging system to detect who killed who? Along with this, server scripts can also be deleted if the client wishes to. While the client cannot read or change these scripts, they can destroy them if they are in their character, and so how may I circumvent this problem if exploiters can destroy these objects?
How may I store information within the player’s character if it can be destroyed?
The client can only manipulate things on their character since they have network ownership over their character. Because of that network ownership relationship, any changes made on the client to their character will replicate to the server. However, outside of their character, if they try modifying anything in the game, it won’t replicate to the server.
If you did want a client to be able to manipulate an object or set of objects, you would need to set their Network Ownership to the client. To avoid any player manipulating their character, you can store those values outside of their player and character. By having values that only exist on the server, it’s not possible for them to be modified outside of the server.
This means your new focus would be to make sure your remote events and functions are protected.
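The approach described in the reply above, as an added example that is not part of the original thread or any poster's code: a server Script keeps the health value, the ‘KilledBy’ tag and the cooldown in a table that only exists on the server, and the remote handler checks the cooldown there. The names `ClaimReward`, `applyDamage` and `initPlayer` and the numeric values are assumptions made for illustration.

```luau
-- Script in ServerScriptService (added example; names and values are hypothetical)
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local REWARD_COOLDOWN = 30 -- seconds, assumed value
local REWARD_AMOUNT = 10   -- assumed value

-- Server-only state keyed by Player. It is a plain table, not an Instance
-- under the character, so there is nothing for a client to destroy.
local state = {}

local claimReward = Instance.new("RemoteEvent")
claimReward.Name = "ClaimReward"
claimReward.Parent = ReplicatedStorage

local function initPlayer(player)
	state[player] = { health = 100, coins = 0, lastClaim = -math.huge, killedBy = nil }
end
Players.PlayerAdded:Connect(initPlayer)
for _, player in ipairs(Players:GetPlayers()) do initPlayer(player) end
Players.PlayerRemoving:Connect(function(player) state[player] = nil end)

-- Called only from server-side combat code, never directly from a remote.
local function applyDamage(victim, attacker, amount)
	local s = state[victim]
	if not s or s.health <= 0 then return end
	s.health = math.max(0, s.health - amount)
	s.killedBy = attacker -- server-side 'KilledBy' tag
	if s.health == 0 then
		local character = victim.Character
		local humanoid = character and character:FindFirstChildOfClass("Humanoid")
		if humanoid then humanoid.Health = 0 end
	end
end

-- The client only sends the request; the cooldown is read and written here.
claimReward.OnServerEvent:Connect(function(player)
	local s = state[player]
	if not s then return end
	local now = os.clock()
	if now - s.lastClaim < REWARD_COOLDOWN then return end -- still cooling down
	s.lastClaim = now
	s.coins += REWARD_AMOUNT
end)
```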
Okay, thank you so much! I was wondering if a safer approach would be having these objects such as Health Values and objects stored in the Player (from PlayerService), or would that still cause the same problem?
I haven’t actually verified if the player can change things from there. It doesn’t hurt to check! The way I program on Roblox, my systems are set up to be server-side. So the only functionality the player can edit there is that which would ruin their own gameplay.
You can try modifying something from the Player object using a LocalScript and see if anything changes on the server. If so, then that would mean clients can edit things inside of their player objects too.
Okay, thank you! I just checked on Roblox Studio and nothing really changes for the server. Most of my remote events/functions work correctly and have safety measures but they tend to fail when what they are supposed to check to fail. I wasn’t aware that objects being removed could be replicated on the server and so I think storing it in the Player object may be a better fit. Thank you!