ServerSided Flying Anti-Exploit

I saw a suggestion a while ago about checking for flying by using Humanoid.FloorMaterial and checking if it’s set to air for more than 5 seconds. I wrote something really quick to just test it out and see if it would work or not in my game and so far it seems to be working when I test it. Considering that it could pick up someone that is flung out of the map or something I just made the punishment having your character be respawned.

Are there any flaws or setbacks with my code, or maybe something that I missed that could produce false results?

local function StartFlyingCheck(Player)
	local HeartbeatConnection = game:GetService("RunService").Heartbeat:Connect(function()
		if Player.Character then			
			if Player.Character.Humanoid.FloorMaterial == Enum.Material.Air then				
				if AntiExploit.SuspectTable[Player.UserId] then					
					if not (AntiExploit.SuspectTable[Player.UserId] + 5 > os.time()) then						
						print("flying")						
					else						
						print("not flying")					
					end					
				else					
					AntiExploit.SuspectTable[Player.UserId] = os.time()					
				end				
			else				
				AntiExploit.SuspectTable[Player.UserId] = nil
			end
		end
	end)
end

you should try and minimize the if statements if you can.

If this is specific to your game only – it would work. You aren’t taking in to account that someone may be flinged on accident and your script would catch that as flying.

Kind of confused about how he should minimize his conditional statements. It’s already pretty straight forward.

he should simplify them because some logic is repetitive

Thanks for the feedback. It is indeed specific to my game only. I can’t think of an instance where people would be in the air for more than 5 seconds besides being flung. I was considering actually changing it to something like 10 just in case they were falling off a building for some strange reason although it’s only about 20 studs high.

This looks like it’ll cause a leak with the connection. You connect HeartbeatConnection but never actually disconnect it when the player leaves.

I’m not sure if GetPropertyChangedSignal works on FloorMaterial, but if it does, you could try using that instead to reduce overhead too.

Couldn’t it also be more efficient to just connect Heartbeat once when the player joins the game and leave it at that?

Thanks. I defined HeartbeatConnection for the purpose of disconnecting it when they leave. I haven’t added it in yet though. I’ll test out GetPropertyChangedSignal. Didn’t originally think about that.

If you just connect it and leave it it’ll keep running after the player leaves. It also runs about once every frame (or 1/60 of a second on the server) so that’s wasted computation for every player that joins on the server ever.

So, here’s the thing. Depending on your game it should work, but there’s also a glitch which allows the player, without exploits to freeze the client. I can give more info if you would like

I think this will make false-positives by failing from very height positions, or when a play lags mid fall/jump.

Also I think you should do HeartBeat once and then check for every player inside that function, instead of doing HeartBeat once for every player.

Thanks. I’m planning on increasing the detection time to somewhere around 15 seconds. Unless their router is a literal potato I can’t imagine that they’d be lagging mid-fall or mid-jump for that long. I’ll definitely update it to check for every player.

Mine is a literal potato I can reach over 100k ping sometimes

I’m pretty sure that the Server can in-fact see if bodyvelocity is added into a character’s parts from the client.

The behavior replicates, because it’s physics done on an owned object. But the instance itself does not show up on the server.

Ah, I see. Thanks for clearing that up lol.

I also recommend checking if Humanoid:GetState() == Enum.HumanoidStateType.PlatformStanding as most fly exploits use this. Of course, either add a whitelist method or just don’t use this at all if part of your game natively uses PlatformStanding (it’s deprecated though, so I don’t recommend it).