UGC size bypass allows accessories that are thousands of studs wide

Found another one: Cool Evil Sponge - Roblox

Players keep using these and it’s pretty annoying. Luckily, though, you can detect this at runtime by getting the Character’s size with GetExtentsSize() after their appearance loads. If it’s larger than ~50 studs in magnitude then you could try to find the accessories that are too large and delete them.

5 Likes

For some reason, the team marked this as “closed” / resolved even though they only deleted the one item instead of fixing the problem that’s allowing these items to be uploaded in the first place. Going to see if I can flag them internally…

8 Likes

The way these bypasses work is by positioning the Handle part very far away, so when validation checks the extents on both studio and the RCC Server, it breaks due to floating-point precision loss.

The easiest fix would be to just set Handle.CFrame to CFrame.identity during pre-validation.

It’s been 30 days but they still haven’t added that single line:

-- https://github.com/MaximumADHD/Roblox-Client-Tracker/blob/roblox/LuaPackages/Packages/_Index/UGCValidation/UGCValidation/util/fixUpPreValidation.lua
if thing:IsA("BasePart") then
	thing.Velocity = Vector3.zero
	thing.RotVelocity = Vector3.zero
+	thing.CFrame = CFrame.identity
end
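Review bot: the `+` line resets `thing.CFrame` for every `BasePart` the loop visits, while the text above only asks for the Handle to be moved to `CFrame.identity`; if the Handle is the intended target, guard it with `thing.Name == "Handle"` (or apply it once to the accessory's Handle outside the loop), otherwise every other part in the accessory is collapsed onto the origin too. A one-line comment saying why the reset exists (the far-offset precision-loss bypass) would also help, since the neighbouring `Velocity`/`RotVelocity` resets give no hint of it.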
10 Likes
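To make the precision-loss mechanism described above concrete, here is an added illustration (not code from the thread, from Roblox, or from the Client Tracker). It measures the axis-aligned extents of a constructed 1000-stud cube twice, once in native double precision and once with every translated coordinate rounded to IEEE-754 binary32 via string.pack/unpack, which is an assumption standing in for the single-precision Vector3 math the engine uses. It needs Lua 5.3+ or Luau.

```lua
-- Added illustration: how a huge Handle offset can defeat an extents check
-- that is evaluated in 32-bit floats. Not code from the thread or from Roblox.
-- Requires Lua 5.3+ or Luau for string.pack("f", ...).

-- Round a Lua double to the nearest IEEE-754 binary32 value (assumed to
-- mirror the engine's single-precision Vector3 components).
local function toFloat32(x)
	return (string.unpack("f", string.pack("f", x)))
end

-- Axis-aligned extents of a vertex cloud after translating it by `offset`.
-- When `quantize` is true every translated coordinate is rounded to float32
-- before the min/max is taken, as a single-precision validator would see it.
local function extents(vertices, offset, quantize)
	local minV = { math.huge, math.huge, math.huge }
	local maxV = { -math.huge, -math.huge, -math.huge }
	for _, v in ipairs(vertices) do
		for axis = 1, 3 do
			local c = v[axis] + offset[axis]
			if quantize then
				c = toFloat32(c)
			end
			minV[axis] = math.min(minV[axis], c)
			maxV[axis] = math.max(maxV[axis], c)
		end
	end
	return { maxV[1] - minV[1], maxV[2] - minV[2], maxV[3] - minV[3] }
end

-- Constructed sample: a cube 1000 studs on a side, centred on the origin.
local cube = {
	{ -500, -500, -500 }, { 500, -500, -500 }, { -500, 500, -500 }, { 500, 500, -500 },
	{ -500, -500,  500 }, { 500, -500,  500 }, { -500, 500,  500 }, { 500, 500,  500 },
}

local function report(label, size)
	print(("%-24s %g x %g x %g"):format(label, size[1], size[2], size[3]))
end

-- At the origin both precisions agree: the cube is obviously too big.
report("origin, float64", extents(cube, { 0, 0, 0 }, false))
report("origin, float32", extents(cube, { 0, 0, 0 }, true))

-- Put the Handle at 1e10 studs on every axis. A float32 in [2^33, 2^34)
-- has a spacing of 1024 studs, so every translated vertex (1e10 +/- 500)
-- rounds to exactly 1e10 and the measured extents collapse to 0 x 0 x 0,
-- while the double-precision measurement still reads 1000 x 1000 x 1000.
local far = { 1e10, 1e10, 1e10 }
report("offset 1e10, float64", extents(cube, far, false))
report("offset 1e10, float32", extents(cube, far, true))

-- Resetting the Handle to the origin before measuring (the CFrame.identity
-- suggestion above) removes the offset, and the float32 reading is correct.
report("offset reset, float32", extents(cube, { 0, 0, 0 }, true))
```

The numbers depend only on the float32 spacing at the chosen magnitude: at 1e9 the spacing is 64 studs, so the same cube would measure 1024 studs wide rather than 0, which is still wrong but not in the bypass's favour. Whatever the exact validator does with the extents, the lesson is the same: measure geometry relative to the Handle, not at whatever absolute position the uploader chose.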

Yeah, there are still a lot of bypassed items that already slipped through the cracks and continue to be put on sale. Roblox needs to properly fix this issue, and then automatically sweep through all the recently uploaded items and delete any which abused this glitch. We’re still seeing a bunch of these items disrupting our game, and they’re getting obnoxious to see.

5 Likes

This is marked as fixed but I don’t see an official comment from Roblox. Does anyone know what’s happening with it? This is a bit of an issue for the game I’m working on at the moment.

2 Likes

If it’s still happening, we should probably make another ticket for it. The QA team might not be looking at this thread because it has already been marked as solved for some reason.

3 Likes

they got mad (two people DMed me) :sob:

quite surprising Roblox isn’t actually joining these servers as well

10 Likes

Our games have been plagued by these lately so much so that I’m disabling off-sale UGC hats from being put on through our hat system. This is to try and decrease how many abusive hats are being worn.

The only way we can auto-detect these large hats right now is disabled in live game servers, as it’s still under a beta test.

I have a whole script here that can detect these large UGC and auto-blacklist them from being worn, however, the API to create editable mesh parts from a MeshId is disabled outside Studio. This API lets us see vertex information and can build an overall “bounding box” from these to determine the overall size from its magnitude.

So, until that goes live we’re stuck manually blacklisting these hats while we wait on Roblox to remove existing large UGC and fix the issue. I will additionally share my script sometime soon anyway, in case the API goes fully live before Roblox fixes the issue.

3 Likes

It’s probably a group who are profiting off of selling these hats and don’t want this to get patched. Sorry that you have to deal with that.

3 Likes

Can’t you just GetExtentsSize of the character’s model to check if the size seems suspicious?

2 Likes

My friend Xoifail made a script recently that lets you remove UGC hats based on the hat name / description / creator / etc. By default it deletes any UGC containing the word “Biggest” in the name or any that exceed a certain size (5x5x5).

4 Likes
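As an added example serving both the GetExtentsSize() suggestion near the top of the thread and the name/size filtering just described, here is a server Script (Luau) that sweeps a character's accessories when its appearance loads. It is not Xoifail's script or any code from the thread; the thresholds, the banned-word list and the "Handle far from the root" heuristic are assumptions to tune per game.

```lua
-- Added example for a Roblox server Script (Luau); not code from the thread.
-- Per-accessory name/size checks plus a character-wide GetExtentsSize() pass.
-- Every threshold below is an assumption; tune it for your game's avatars.

local Players = game:GetService("Players")

local MAX_CHARACTER_EXTENT = 50  -- studs; magnitude of GetExtentsSize(), a default R15 rig is ~5.5
local MAX_ACCESSORY_AXIS = 5     -- studs per axis; the 5x5x5 default quoted above
local MAX_HANDLE_OFFSET = 20     -- studs from HumanoidRootPart; a far-away Handle is the
                                 -- signature of the offset bypass discussed in this thread
local BANNED_NAME_WORDS = { "biggest" }

-- Returns (true, reason) when the accessory should be removed.
local function accessoryIsAbusive(accessory: Accessory, root: BasePart): (boolean, string?)
	local lowered = string.lower(accessory.Name)
	for _, word in ipairs(BANNED_NAME_WORDS) do
		if string.find(lowered, word, 1, true) then
			return true, "name contains '" .. word .. "'"
		end
	end

	local handle = accessory:FindFirstChild("Handle")
	if not (handle and handle:IsA("BasePart")) then
		return false, nil
	end

	-- Part size catches ordinary oversize MeshPart handles.
	local size = handle.Size
	if math.max(size.X, size.Y, size.Z) > MAX_ACCESSORY_AXIS then
		return true, ("Handle size %.1f x %.1f x %.1f"):format(size.X, size.Y, size.Z)
	end

	-- Distance from the root catches a Handle that was parked far away.
	local offset = (handle.Position - root.Position).Magnitude
	if offset > MAX_HANDLE_OFFSET then
		return true, ("Handle is %.0f studs from the root"):format(offset)
	end
	return false, nil
end

local function sweepCharacter(player: Player, character: Model)
	local root = character:FindFirstChild("HumanoidRootPart")
	if not (root and root:IsA("BasePart")) then
		return
	end

	for _, child in ipairs(character:GetChildren()) do
		if child:IsA("Accessory") then
			local abusive, reason = accessoryIsAbusive(child, root)
			if abusive then
				warn(("[UGC sweep] removing %s from %s: %s"):format(child.Name, player.Name, reason))
				child:Destroy()
			end
		end
	end

	-- Catch-all after the per-accessory pass: if the rig is still enormous,
	-- something we did not inspect is responsible; log it for manual blacklisting.
	local extent = character:GetExtentsSize().Magnitude
	if extent > MAX_CHARACTER_EXTENT then
		warn(("[UGC sweep] %s is still %.0f studs across after sweep"):format(player.Name, extent))
	end
end

local function onPlayerAdded(player: Player)
	player.CharacterAppearanceLoaded:Connect(function(character)
		sweepCharacter(player, character)
	end)
end

for _, player in ipairs(Players:GetPlayers()) do
	onPlayerAdded(player)
end
Players.PlayerAdded:Connect(onPlayerAdded)
```

Both checks read part sizes and positions, so they do not see mesh geometry that extends past its part (a scaled SpecialMesh, for instance); that is the case the EditableMesh-based bounding-box approach mentioned earlier in the thread is aimed at. Keep the destroyed accessory's name and the reason in your logs so the blacklist can be maintained from real data rather than from whatever players report.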

I have found another one of these size-bypassed UGCs. People usually pay them real money for them to put the item on sale. It’s kind of like an underground black market community sort of thing.

The items I’m talking about are Kenny L /ugcs - Roblox, c00lkidd awesome aura - Roblox

They usually leave their discord username or server link in the item’s name or description so people can find those rule breaking UGC creators to pay them real money in order for them to put those type of accessories on sale.

If Roblox deletes the item, they’ll just appeal the item hoping Roblox will accept the appeal (it works most of the time) and after that they continue with selling the bypassed UGCs for real money.

Here is how the size-limit bypassed accessories look in-game

The first one: Kenny L /ugcs - Roblox made by these people:
x_x - Roblox


Second one: Kenny L /ugcs - Roblox made by these people:

They black-market UGCs and use group holders to abuse Roblox systems and avoid getting into trouble.

5 Likes

The flags and code are already there to stop the exploit, but aren’t enabled yet (on RCC, at least).

-- https://github.com/MaximumADHD/Roblox-Client-Tracker/blob/7d24950047ac96ccd3652b9a80e3cb44cc0a777b/LuaPackages/Packages/_Index/UGCValidation/UGCValidation/validation/validateMeshBounds.lua
if FFlagUGCValidationPositionCheck then
	if
		handle.Position.X > 10000
		or handle.Position.X < -10000
		or handle.Position.Y > 10000
		or handle.Position.Y < -10000
		or handle.Position.Z > 10000
		or handle.Position.Z < -10000
	then
		return false, { "Position is outside of bounds" }
	end
	if
		boundsCF.Position.X > 10000
		or boundsCF.Position.X < -10000
		or boundsCF.Position.Y > 10000
		or boundsCF.Position.Y < -10000
		or boundsCF.Position.Z > 10000
		or boundsCF.Position.Z < -10000
	then
		return false, { "Position is outside of bounds" }
	end
end

Engineers not knowing what math.abs is.

The lack of transparency here is awful. We wouldn’t have any idea if this was even being worked on if it weren’t for the Client Tracker.

5 Likes

I have found more game-breaking glitched accessories.
I could not find any other way to publicize this issue, so I decided to post it here and reply to my own message.

There is a package called “Freaky Dave”, and the package flings people, objects and anything that a Roblox Character can physically make contact with off the map. It is a game breaking issue that ruins the fun for other players, and the severity of this game-breaking accessory can even be considered “exploiting” and abusing Roblox Systems. It depends on the game that you’re playing. It’s the same situation as my last message.

The owners of the “Freaky Dave” package make the items on sale as long as people are paying him massive amounts of Roblox or real-life money (black-market).

Freaky Dave: freaky dave (blocky) - Roblox
Evidence:

(I do not own the package, this video was downloaded during my investigation when I found the rule breaker showcasing the package.)

The throwaway account the rule breaker used inside the video: ProbieHR - Roblox

His main account: Meno - Roblox

bro is cooked :skull:

to contribute to this thread, there is a guy called OHIOBOI999XD on dc and he's planning to upload laggers and flinging bundles. Please keep an eye out for him as this would cause harm to many games in ROBLOXIA :smiling_face_with_three_hearts:

I took a look at the bundle in Studio and noticed that both the Hands and Feet are sized at “0.001” - The visible Hands/Feet are fake ones from the Lower Arm/Leg.

What causes the flinging however, is that for some reason, the Mass is a very large number:

Once you export the MeshPart and import it into Blender, it says the Dimensions are -inf m, and opening the file in Notepad shows 6 vertices with -nan(ind).

However, if you export it using a SpecialMesh, it doesn’t have this issue and only appears as a single line made of 6 vertices.

Not really sure what’s going on, but it might be a similar floating point issue. Since the MeshPart is already small, I don’t think the upcoming fix will work for this scenario.

1 Like

I see! Thank you for the information!

I’ve been getting sent death threats by the “large” community due to being a “spy” or leaking this game breaking issue.
To those UGC creators, the same people who are sending death threats to me and attempting to get my information leaked, those who are reading this, I will tell you this:
Attempt what you’re doing again (all of the things listed above, even black marketing and even CREATING those rule-breaking accessories) and your main accounts, throwaway accounts, group accounts, group holders and alt accounts will all be leaked and reported to ROBLOX for abuse of the Roblox systems (appealing while knowing that what you’re doing is wrong) and many other bad things that I currently do not feel like listing right now. I am warning you. Thank you for reading!

1 Like

This is actually because Roblox’s .mesh format reads every 3 vertices as a triangle, which means even if the edges are clipping together, it still counts as a face. Scaling the mesh will increase the face’s area (and thus the calculated mass) without actually making the mesh bigger.

big.obj (319 Bytes)

The fake limbs are meant to trick the transparency validator.
This is some evil genius stuff.

Hey guys. Here’s some news for you:


Essentially, a check has been added that should hopefully prevent some, if not all of these massive UGC items from being uploaded from now.

I’m working with an engineer or two to resolve this vulnerability along with a few other ones involving crashing, massive avatars, etc. Hopefully these issues should all be resolved in the coming days and weeks.

3 Likes

This is the worst check code ever. I optimized it, if it helps:

if FFlagUGCValidationPositionCheck then
	local maxBounds = 10000
	local axes = {"X", "Y", "Z"}
	for _, v in ipairs(axes) do
		local a1 = handle.Position[v]
		local a2 = boundsCF.Position[v]
		if math.abs(a1) > maxBounds or math.abs(a2) > maxBounds then
			return false, { "Position is outside of bounds" }
		end
	end
end
5 Likes