Roblox Backpack/Tools System vulnerabilities & bugs

Unsure, but since repro steps are provided, this might need to go private or be sent to the right people.

Roblox’s tool/backpack system has some widely accepted faults that have fallen short of perfect or usable in a large-scale game. Toolboxes have known vulnerabilities that are bad practice and should be updated to accommodate their widespread usage. Some developers keep this toolbox system for simplicity, but vulnerabilities make it hard to like as it seems to give the client a lot of power.

Vulnerability [1]:
-It’s been known that even though .CanBeDropped is false, tools can drop anyway from exploiters simply parenting the tool to Workspace.
(It seems to be a weak client-sided check, meaning it’s useless)

Vulnerability [2]:
-Toolbox system doesn’t prevent more than one tool being equipped at once; multiple tools can be parented to Character to be in the Equipped state. This is also shown in the case that both tools are highlighted in the players’ backpack.

Glitch [3]:
-Using “The fastest autoclicker” or any super fast autoclicker to rapidly equip/unequip tools, you enter a “noclip” state in which you can walk through walls. During this state, you can noclip for as long as you keep equipping/unequipping, and your avatar appears to have no animations.
(With this being said, a small cooldown for Equip/Unequipping tools can easily fix the problem, or you can try to find the reason for the noclip/no collision)

3 Likes
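
Added example (not part of the original post, and not Roblox's own code): a server-side Script that enforces the two rules the post says the built-in system leaves to the client, namely at most one Tool parented to the Character and a minimum interval between equips. `EQUIP_COOLDOWN` and `guardCharacter` are hypothetical names and values; whether the cooldown also removes the noclip state from Glitch [3] is the post's suggestion and is not verified here.

```lua
-- Server Script (for example in ServerScriptService); the client cannot edit it.
local Players = game:GetService("Players")

local EQUIP_COOLDOWN = 0.2 -- seconds between accepted equips; assumed value

local function guardCharacter(player, character)
	local lastEquip = 0 -- os.clock() time of the last accepted equip

	character.ChildAdded:Connect(function(child)
		if not child:IsA("Tool") then
			return
		end

		local now = os.clock()
		local tooSoon = (now - lastEquip) < EQUIP_COOLDOWN

		-- Any other Tool already parented to the character counts as equipped.
		local otherEquipped = false
		for _, sibling in ipairs(character:GetChildren()) do
			if sibling ~= child and sibling:IsA("Tool") then
				otherEquipped = true
				break
			end
		end

		if tooSoon or otherEquipped then
			-- Defer the move: reparenting inside ChildAdded, while the
			-- original parent change is still in progress, is rejected.
			task.defer(function()
				local backpack = player:FindFirstChildOfClass("Backpack")
				if backpack and child.Parent == character then
					child.Parent = backpack -- reject the equip on the server
				end
			end)
			return
		end

		lastEquip = now
	end)
end

Players.PlayerAdded:Connect(function(player)
	player.CharacterAdded:Connect(function(character)
		guardCharacter(player, character)
	end)
	if player.Character then
		guardCharacter(player, player.Character)
	end
end)
```

The cooldown also rejects legitimate tool swaps made faster than `EQUIP_COOLDOWN`, so the value needs tuning per game.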

Vulnerability 1 was patched a while ago; you can no longer parent tools with CanBeDropped false to the character.

See: RightGrip Mass Replication Exploit Crashing Servers - #72 by Osyris

However, I do agree that the 2nd vulnerability, as well as the glitch, should be fixed.
In fact, I believe a remake on both the built-in Roblox backpack GUI and its mechanics should be remade to better help developers on the platform.

1 Like

Please file one bug report per topic and follow the full bug report format for each bug.

If an exploit has repro steps, use @Exploit_Reports