To combat exploiting, all of your checks need to run on the server. Furthermore, they should rely only on the position of the player, as almost everything else can be spoofed by the exploiter.
In theory, an exploiter can change everything about their client, including removing or replacing your exploit-checking code while reporting to the server that everything is OK. They can even report a Velocity of 0 while they’re moving, report a WalkSpeed of 16 while using 200, or report touching parts they aren’t touching. Fun fact: in some cases the server listens for the client to say it touched parts, so exploiters can spoof Touched events! You need to do magnitude checks for those on the server.
The most reliable way to combat the listed exploits – which are all character movement exploits – is to check the HumanoidRootPart’s position on the server every frame.
Here are some checks you can do using the last frame position and current position:
- Did they walk through a `CanCollide = true` part between the last frame and the current frame? (Use raycasts.)
- Did they move impossibly far between the last and current frame (e.g. 100 studs), such that they must have teleported?
- Log when they’re on the ground using raycasts. Is their current position too high above their position when they were last on the ground? If so, they’re jumping higher than their JumpPower allows.
- You can calculate their velocity using `(current pos - last pos) / frame time`, then:
  - Are they hovering in the air without a negative Y velocity? Have they been doing it for a few seconds?
  - Are they walking faster than their WalkSpeed? Have they been doing it for a few seconds?
These checks cover…
- Noclipping
- Teleporting
- JumpPower changing
- Flying
- WalkSpeed changing/Speed hacks
You will sometimes get false positives. This can be because the client has high ping or because the server isn’t checking often enough. You should only punish the player if they trip these checks often within a short time period. Your punishment should also not be severe: respawning or teleporting the player back to the last valid position is enough to deter exploiters and not harsh enough to drive away real players in the rare false positive. Kicking or banning is too severe and not necessary. Exploiters won’t want to exploit anything if their exploits just don’t work.
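Here is how the teleport, noclip and speed checks plus the strike-and-rollback punishment fit together in one server Script. This is an added example, not code from the original post; the threshold constants are placeholder values you will need to tune, and the jump-height and hover checks are left out to keep it short.

```lua
-- Added example: server-side Script. Thresholds below are assumptions to tune per game.
local Players = game:GetService("Players")
local RunService = game:GetService("RunService")

local MAX_STEP_STUDS = 50   -- assumed: farther than this in one frame counts as a teleport
local SPEED_TOLERANCE = 1.5 -- assumed: slack over WalkSpeed for ping and physics jitter
local STRIKE_LIMIT = 30     -- assumed: ~half a second of continuous violation at 60 Hz
local STRIKE_WINDOW = 10    -- assumed: seconds in which strikes are counted

local function watchCharacter(character)
	local root = character:WaitForChild("HumanoidRootPart")
	local humanoid = character:WaitForChild("Humanoid")
	local params = RaycastParams.new()
	params.FilterDescendantsInstances = { character } -- ignore the player's own body parts
	params.FilterType = Enum.RaycastFilterType.Exclude

	local lastPos = root.Position  -- position on the previous frame
	local lastValid = root.CFrame  -- last position that passed every check
	local strikes = {}             -- os.clock() timestamps of recent failed checks

	local conn
	conn = RunService.Heartbeat:Connect(function(dt)
		if character.Parent == nil or humanoid.Health <= 0 then conn:Disconnect() return end
		local pos = root.Position
		local delta = pos - lastPos
		local flagged = nil
		-- Teleport: moved impossibly far between two frames
		if delta.Magnitude > MAX_STEP_STUDS then flagged = "teleport" end
		-- Noclip: a CanCollide part lies on the line from the last frame to this one
		local hit = workspace:Raycast(lastPos, delta, params)
		if hit and hit.Instance.CanCollide then flagged = "noclip" end
		-- Speed hack: horizontal velocity = (current pos - last pos) / frame time vs WalkSpeed
		local horizontalSpeed = Vector3.new(delta.X, 0, delta.Z).Magnitude / dt
		if horizontalSpeed > humanoid.WalkSpeed * SPEED_TOLERANCE then flagged = "speed" end

		if flagged then
			local now = os.clock()
			table.insert(strikes, now)
			-- drop strikes that fell out of the window, so a single lag spike never triggers punishment
			while strikes[1] and now - strikes[1] > STRIKE_WINDOW do table.remove(strikes, 1) end
			if #strikes >= STRIKE_LIMIT then
				root.CFrame = lastValid -- mild punishment: roll back instead of kicking
				table.clear(strikes)
			end
		else
			lastValid = root.CFrame -- this frame passed, so it becomes the rollback point
		end
		lastPos = root.Position -- read again so a rollback does not count as a teleport next frame
	end)
end

Players.PlayerAdded:Connect(function(player)
	player.CharacterAdded:Connect(watchCharacter)
end)
```

If your own server code teleports players legitimately (spawn changes, map loading), reset the tracked positions at that moment or the next frame will count as a strike.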