Exploiters can Exploit Anything that is Replicated to the Client, For Example, workspaceReplicatedStorage, ReplicatedFirst, Lighting, StarterGui, StarterPlayerTeams, Anything the Client sees are can use is can basically be spoofed by exploiters.
Exploiters Cant Spoof Anything handled on the Server, So if you have anything on something like ServerScriptService or ServerStorage, only the Server can Access it, and not the Local Client which makes them Ideal for Hiding Important Scripts and Assets
Now although im not very familiar with the exact specifics of what the client has control of, there as to be atleast something that the client cant spoof. What about the player argument of a remote event to the server or the animationID of an animationtrack that was created and played on the client?
They cannot change the player argument of a remote event, but they can modify every other argument (or not even pass any at all). Also, they can fire any remote event at any time.
Unfortunately, exploiters can control their animations because of how animations are replicated and trying to run them all on the server would be inefficient and likely wouldn’t be worth the effort (and make the game more choppy). It might not even work.
The issue there is that there’s already default animation replication in place, and creating your own would likely require a ridiculous amount of updates. Playing animations on the server would work, but it would likely make things feel unresponsive and just take up server resources. It also probably just wouldn’t work since the default replication automatically updates whenever an animator object is inside a humanoid.
The big picture I get from reading about how anti-exploit scripts work, more so on the client, is that any variable can get spoofed, and any client sided anticheat will grab a spoofed value instead of the real value(if the script already deleted). Obviously, many people have put effort into making a server sided, anti-exploits that do its calculations based of values from the player. Which I remind you, are client based. If any value can get spoofed, what the point of an anti exploit?
the only limit I can think of that prevents the player from lying about anything related to them, is the fact that
exploits do not work while joining a server
This gives, a brief window of true and valid information that the server registers and any server sided, anti exploits can use this small time stamp to judge the next players actions
And thats it? That small window of time to judge everything that the client does. (until the next feasible action happens)
TL;DR: Whats stopping an exploiter from exploiting anything?
I wouldn’t rely on that delay on joining, as it’s likely exploits could be activated before Roblox is run, and therefore able to modify that as well. Overall, you should just always treat data from the client as if it’s falsified unless proven otherwise through your own checks.
The problem is if you want to check something, you have to check it with a “correct” value. Otherwise you are checking a value with something you dont even know is right, defeating the purpose of checking it. That leads back to the question, of what value cannot be spoofed, or rather, is there a value that hasn’t been spoofed yet