What can exploiters do in the game and what can not?

Hi! I have encountered an exploit in my game many times, and I decided to make a system that at least can prevent the exploit.

I’ve seen an exploit in the likeness:

  • Teleportation
  • Noclip
  • An unknown object or similar to b-tools that can change the environment in the game
  • Flying
  • Copying games

But I would like to know if exploiters can:

  • Change the value (BoolValue, NumberValue, etc)
  • Get access to module and server scripts (not counting local)
  • Access to the _G variable
  • Change the Material/Delete/Coloring parts
  • Add something to the game that will be visible to everyone (Server script, Model, Part, etc)
  • Change the local scripts of other players
  • Access to RemoteEvents and RemoteFunctions and calling it

If the exploiters have access to the above, then how can this be avoided? Can I make a script that can locally check the values of the player and if he behaves suspiciously, the client script will call the server script and they will compare whether the values on the server-side and on the client-side are similar?

5 Likes

They can also crash the game; you forgot about that too.

2 Likes

Essentially, exploiters exploit their local player to do those aforementioned things, basically meaning all their actions are local. (for the most part)

Generally speaking they cannot access anything server-sided directly.

2 Likes

Exploiters can only execute client-side scripts. This is why developers put events such as hit detection and player movement on the server.

1 Like

Roblox gives the player’s computer full control of their character, so physics exploits (noclip, teleport, fly) are possible. Exploiters, however, cannot see anything that only the server can see (stuff inside ServerScriptService and ServerStorage). Exploiters can only read the code of modulescripts and localscripts, can access _G and shared, can access RemoteEvents and RemoteFunctions, but can’t make changes replicate for everything.

Exploiters can make changes to anything, but they can’t always replicate those changes, so sometimes only they will see the changes they make (because of FE). For example, if player 1 changes the color of a brick with an exploit, player 2 will not see the color change unless player 1 has network ownership of the brick. By default, all players have network ownership of their character.

Network Ownership only applies to parts, meaning if exploiters change the value of something, nobody else will see it change unless there is a game-specific exploit, which can be countered by following the golden rule, “Don’t trust the client”. Don’t have a localscript fire a remote event that gives money, for example.


**EDIT 02/04/2024:** The only properties that are controlled by network owners are the Position and Velocity, and also animations in some cases. Players cannot change the colour or other visual elements of their character outside of its position, but it is important to note that you should do your own research and testing! There are a lot of special cases that I’m not too sure about like Hats, which I’ve heard are commonly exploited to add custom models somehow. Again, don’t take my word for it! Do your own research to be sure!

8 Likes
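The replies above say the client controls its own character's position and that movement checks belong on the server. The following Luau server Script is an added example, not code from any poster in this thread: it samples each character's position and rejects displacements that are too large for the elapsed time. The thresholds and the `lastSample` table are assumptions to tune per game.

```lua
-- Server Script (added example). Thresholds are assumptions to tune per game.
local Players = game:GetService("Players")

local CHECK_INTERVAL = 0.5  -- seconds between samples
local TOLERANCE = 1.5       -- multiplier for latency and physics jitter
local MAX_VERTICAL = 150    -- studs/s allowed up or down (assumed limit)
local lastSample = {}       -- [Player] = { character = Model, position = Vector3 }

Players.PlayerRemoving:Connect(function(player)
	lastSample[player] = nil
end)

local function check(player, dt)
	local character = player.Character
	local root = character and character:FindFirstChild("HumanoidRootPart")
	local humanoid = character and character:FindFirstChildOfClass("Humanoid")
	if not (root and humanoid) or humanoid.Health <= 0 then
		lastSample[player] = nil -- dead or respawning: start fresh next time
		return
	end

	local prev = lastSample[player]
	local position = root.Position
	if prev and prev.character == character then
		local delta = position - prev.position
		local horizontal = Vector3.new(delta.X, 0, delta.Z).Magnitude
		local maxHorizontal = humanoid.WalkSpeed * dt * TOLERANCE
		local maxVertical = MAX_VERTICAL * dt
		if horizontal > maxHorizontal or math.abs(delta.Y) > maxVertical then
			-- Reject the move: restore the last position the server accepted.
			root.CFrame = root.CFrame.Rotation + prev.position
			position = prev.position
		end
	end
	lastSample[player] = { character = character, position = position }
end

while true do
	local dt = task.wait(CHECK_INTERVAL)
	for _, player in ipairs(Players:GetPlayers()) do
		check(player, dt)
	end
end
```

If game code teleports a player on purpose, clear that player's `lastSample` entry at the same time so the legitimate move is not reverted.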

Exploiters generally can only really affect themselves, not the server.

This is why on most websites passwords and other login information is handled at the server.

Seeing as the game is being replicated (or “sent”) to the client, and data is being sent from client to server (such as the player’s position), the server has to verify that the data and other info being sent back are legitimate.

3 Likes

To sum things up:
Anything that can be run/done on a LocalScript can be done by an exploiter.

1 Like

Answering some of your questions:
1. Change the values of Value objects (BoolValue, NumberValue, etc)
Yes, they can. But this does not replicate to the server.

2. Get access to module and server scripts (not counting local)
Exploiters can indeed see ModuleScripts and LocalScripts with exploits such as Dex, but not Scripts.

3. Change the Material/Delete/Coloring parts
Yes, they can. However, it will only appear for them. For example with btools, it destroys parts locally so that the parts only disappear for the person using it, but is still there in the POV of other players. They will see you walk through walls but on your screen, you’re just walking in the place where the part was.

4. Add something to the game that will be visible to everyone (Server script, Model, Part, etc)
No. Exploiters cannot replicate to the server. The only thing that will replicate to the server is their Character. If the player flies on the client, it is visible to the server and everybody can see you fly. Developers use this to their advantage by keeping their anti-fly exploits on the server, where the exploiter can do nothing about it.

5. Change the local scripts of other players
Exploiters can view LocalScripts, thus being allowed to also copy them. But if they change another player’s LocalScript, then it will not affect that person.

6. Access to RemoteEvents and RemoteFunctions and calling it
Yes. They can use :FireServer() on any RemoteEvent (idk about remote functions) and pass on any argument within it. If the server isn’t properly checking whether these parameters actually exist and aren’t fake, then the exploiters will use this to their advantage to error those Server scripts, which will cause that script to stop working.

I think you need to do some research on the things exploiters are capable of. To do this, literally, just play a game in Studio then make changes and check it on the server to see if it replicates. For example:

19 Likes
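The "don't trust the client" rule and the point about unchecked `:FireServer()` arguments, as an added example in Luau (not code from any poster in this thread): a server Script that validates every argument of a remote call and keeps prices and balances on the server. The remote name `BuyItem`, the `PRICES` table, the starting balance and the rate limit are all hypothetical.

```lua
-- Server Script (added example). All names and numbers below are hypothetical.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local buyItem = Instance.new("RemoteEvent")
buyItem.Name = "BuyItem"
buyItem.Parent = ReplicatedStorage

-- Prices and balances live on the server; the client only names an item.
local PRICES = { Sword = 100, Shield = 250 } -- constructed sample data
local MIN_INTERVAL = 0.5 -- seconds between accepted requests per player
local coins = {}         -- [Player] = server-side balance
local lastRequest = {}   -- [Player] = os.clock() of last accepted request

Players.PlayerAdded:Connect(function(player)
	coins[player] = 500
end)
Players.PlayerRemoving:Connect(function(player)
	coins[player] = nil
	lastRequest[player] = nil
end)

buyItem.OnServerEvent:Connect(function(player, itemName, ...)
	-- `player` is supplied by the engine; every other argument is client-controlled.
	if select("#", ...) > 0 then return end         -- unexpected extra arguments
	if typeof(itemName) ~= "string" then return end -- wrong type: ignore, do not error
	local price = PRICES[itemName]
	if price == nil then return end                 -- unknown item name

	local now = os.clock()
	if now - (lastRequest[player] or -math.huge) < MIN_INTERVAL then
		return -- too many requests in a short time
	end
	lastRequest[player] = now

	local balance = coins[player]
	if balance == nil or balance < price then return end -- checked against server data
	coins[player] = balance - price
	-- Grant the item here from server-owned assets (for example ServerStorage).
end)
```

The client never sends a price or an amount, so a forged call can at most request an item the player can already afford.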

I created a part and welded it to the character. Then, I moved the welded part on the client side, but it did not replicate to the server, even though the player has ownership of that part (using a WeldConstraint). Is it, therefore, safe to weld things to the character without worry, even if exploiters attempt to alter their location or orientation? Also, is it secure to initiate the hitbox at the player’s body part? For instance, if I place the hitbox at the CFrame of the right arm, it will not replicate to the server if they move that body part, correct? Even if clients initiate an animation extending their right arm, which would replicate, it is still safe since they can’t play animations that replicate to the server and do not belong to Roblox or the ownership of the game. While they can still replicate moving their HumanoidRootPart elsewhere, any other body part will not replicate, as my testing has shown. I just want to confirm that it is completely safe since, even if certain things are owned by the player, such as a welded part or their own body part, they still won’t be able to replicate those to the server. At least, that’s what I have observed from testing. I want to ensure that it’s 100% safe, if you know anything about that.