Hello, as the title says theres an exploit to crash the server of my game and is really really weird
I want to fix this issue a soon as posible, and if its an error that i did, see if the error repeats on other scripts and fix them
Well he told me that the bug happens when you do a specific ability, at a specific corner of the map, with a specific tool, i asked how did he even finded out and he said he works by doing these types of bugs (game breaking ones) and he trained himself to do it (i am as confused as you) anyways at first i did not believe him so i said alr im going to join you to see if it happens and it did happen it lagged and half of the server left the game when it ended (lasted about 15 seconds) , i was shocked because it just didnt make sense, and he was asking for money to show me how he did it, i had to pay him so he showed me the bug so i can try to fix it.
So i went into my code and looked it, i do sanity checks on my game and you can only do that ability 1 time per round and the variable that counts that is server sided with other sanity checks, the ability that he does is a spike that falls from the sky and when it touches the ground it creates a hitbox using touch event that when you touch it it stuns the player and makes the player have a knockback and face effects so other players can see that theyre stunned.
Well i said theres no way that this is happening, because it makes no sense so i said alr i think he is abussing remotes in some way because ive seen that before, i made a script so i can see the remotes that he sent, the size and when he is in roblox and when he is not and i found out this:
He did send the remote one time and with the correct size ( the size is not the ammount of arguments just a json encode of a table), i was even more confused and the theory of it of being a ddos was even bigger because he was alt tabbing a lot also he sent me the video and when he did it when he was in the spot to do it he pulled on the ability and did it but he waited like 2 seconds and in those 2 seconds he received a message and i have two theories if it is a ddos attack or he has a discord bot that does it or it was just coincidence and he used a program to do it or so, heres the video:
i had to cut it because it was too big but at the end he disconnected, it is so weird and it doesnt make sense, i use a raycast for the ability and for the hitbox a touch event that is the only thing ithink he can exploit is that, so im really confused, i asked him and he doesnt even understand why that works but he discovered it? idk, so weird, i told him that i tought it was some short of ddos and he was lying and he denied it. I joined a last time with him and i told him that i wanted him to show me the bug because i couldnt replicate it and i tried a lot of times, i did that and basically the same that i was doing but at the 3rd attemp it worked but heres the console logs
he changed to another app instead of roblox when i equiped the ability and like the video it crashed, i was even more confused.
Well it is a lot of text but i think it is necesary to give every detail and also because im going insane. Any help it is appreciated. Ty for reading.
Honestly if you can’t replicate it without him knowing you are trying to replicate it, then it does point to him attacking the server through another channel and faking the bug. I don’t have evidence of this of course, but your guess may be possible. Another guess is that plugins often will add code to your scripts in ways that it tries to hide (often way tabbed out) and this has happened to me from plugins that are trusted because they often are self spreading. So check for anything weird in your server side scripts too like a horizontal scroll bar past your natural code length. Note that you don’t have to use the plugin for this to spread, just have it active once when you are in the place.
most likely another source of attack indeed, have you got functional debounces on every remote?
also whats the code for the ability so we can rule that out. we would still need to rule out where the source of the attack is, whether it is only from thier client or if its the server.
that sound is from an injector script running a script so its highly likely to be another route, also note the send spiking significantly moments before the lag, its likely a remote event exploit
it might even be something you have that uses a bit of maths with not quite short enough cooldown, or even too many events and they are firing them all to get around just firing one. attacking a remote isnt always as straightfoward as just picking one remote and firing that, they can do things like firing all of them.
Yes thats why i think or it is a ddos attack or hes hidding the real exploit, however you can be right it can be a plugin that inserts a backdoor but i dont think so because he would have exploited in any other way, ex. banning players giving himself crazy stats to appear on the leaderboard and not asking for money for a bug that crashes the server he is in, but ill check that out
This is the code of the ability that is causing the problem
module.IceSpikeThrow = function(Position)
local tweenService = game:GetService('TweenService')
local module = require(game.ReplicatedStorage.Modules.EffectModule)
local module2 = require(game.ReplicatedStorage.Modules.EffectOnFaceScript)
local clone = game.ReplicatedStorage.Abilities.Pioneer.AbilityC.IceSpike:Clone()
if clone.Ice and Position then
clone.Parent = workspace
clone:MoveTo(Position+ Vector3.new(0,25,0))
clone.Part.Touched:Connect(function(part)
if part.Parent:FindFirstChild("Humanoid") ~= nil then
delay(0.25,function()
module.KnockBack(part.Parent, clone.Ice,35)
end)
module.StunPlayer(game.Players:GetPlayerFromCharacter(part.Parent),1,1)
module.EffectShowGuiSmall(part.Parent,"Stunned",Color3.fromRGB(255, 130, 132),2.5,game.Players:GetPlayerFromCharacter(part.Parent).PlayerGui)
module2.AddEffect(game.Players:GetPlayerFromCharacter(part.Parent),"Stunned",2.5)
end
end)
local RayC = workspace:Raycast(Position,Vector3.new(0,-1000,0))
if RayC and RayC.Position then
if not clone:FindFirstChild("Final") then return end
clone:FindFirstChild("Final").Position = RayC.Position
delay(0.1,function()
for i, Par in pairs(clone.Ice.Activate:GetChildren()) do
if Par.Name == "DelayPar" then
delay(0.25,function()
Par.Enabled = true
delay(0.5,function()
Par.Enabled = false
end)
end)
else
Par.Enabled = true
delay(0.5,function()
Par.Enabled = false
end)
end
end
end)
delay(0.5,function()
local tween = tweenService:Create(clone.Ice,TweenInfo.new(0.65, Enum.EasingStyle.Quad),{Position = RayC.Position-Vector3.new(0,17,0)})
tween:Play()
delay(1,function()
if not clone:FindFirstChild("Ice") then return end
clone.Ice.Transparency = 1
end)
delay(2.4,function()
clone:Destroy()
end)
end)
else
clone:Destroy()
end
end
end
the code can be really improved but the only thing that is see that could be exploited is the touch part but i dont think is bad enough to crash the server and kick half of the players
yea so this could lag if they triggered it a bunch, characters do replicate so itl trigger the server. The main suspect would still be the remote though, right now it looks as though its not got anything in the way of debounces or sanity checks.
another thing could be a autoclicker rapidly triggering the abilities before a debounce is set, really depends, still really limited as to how much i can see from this, like the initial remote on server invoke would be nice to see as well, as well as the lines where this function is called. its likely going to be a easy fix if the rest of the code is similar to this. also id look at adding a debounce within the function for the touch event. do both and it should stop it from occuring most of the time, the odd eploiter might find a way but just as we patch things exploiters and bug abusers find ways around, just patch them as they come up and learn from what they do.
easiest way for debounces
local RemoteData = {}
RemoteYadaYada.OnServerInvoke(function(...)
local Player,Data = table.unpack(...)
if not RemoteData[Player] then
RemoteData[Player] = {}
end
--Data Will be a dictionary of info
-- eg "Event" - what wants to happen
-- This enables you to also pass things eg a player target, target position
if Data["Event"] and RemoteData[Player][Data["Event"] ]["Debounce"] ~= true then
-- Immediatly disable the event before even running checks
RemoteData[Player][Data["Event"] ]["Debounce"] = true
if Data["Event"] == "ThrowIceSpike" then
--Function to throw it
RemoteData[Player][Data["Event"] ]["Debounce"] = false
return true
end
if Data["Event"] == "ThrowFireBall" then
--Function to throw it
RemoteData[Player][Data["Event"] ]["Debounce"] = false
return true
end
end
end)
The easiest way to secure it is allow sending primitives (string,booleans etc) or buffers, they are easy and cheap to read since you can get their size instantly, tables are very bad in this case.
for i,v in game:GetDescendants() do
if not v:IsA("LuaSourceContainer") then continue end
local s = v.Source
if string.find(s,"\t\t\t\t\t\t") or string.find(s," ") then
print("101% not a virus",v)
end
end
Running this in console may help but plugin could’ve used something like Plugin.Unloading to hide virus so its best to look at source code of each plugin you own.
the debounce is set before the ability , well theres no debounce just a variable that says how much times can he do the abiliti that is 1 and only set again to 1 when changing rounds, also the image shows that he is only triggering the ability 1 time, and leaving and opening roblox all the time
