What can exploiters not spoof?

Hello Devs, I was reading on how Anti-Exploit scripts work and came across several posts telling me that the client can spoof almost any value. For example:

Now ovbiously there are some things that the client cant spoof. If not, there would be no such thing as a Anti-Exploit.

Can exploits spoof things like instance properties or calling of events? What can and can’t be spoofed?

Thanks in advance!

Exploiters can Exploit Anything that is Replicated to the Client, For Example, workspace ReplicatedStorage, ReplicatedFirst, Lighting, StarterGui, StarterPlayer Teams, Anything the Client sees are can use is can basically be spoofed by exploiters.

Exploiters Cant Spoof Anything handled on the Server, So if you have anything on something like ServerScriptService or ServerStorage, only the Server can Access it, and not the Local Client which makes them Ideal for Hiding Important Scripts and Assets

Now although im not very familiar with the exact specifics of what the client has control of, there as to be atleast something that the client cant spoof. What about the player argument of a remote event to the server or the animationID of an animationtrack that was created and played on the client?

RemoteEvents can be easily fired with a simple RemoteEvent:FireServer() and done.
AnimationTracks I’m not sure but I’m pretty sure they can add other Animations (potentially 18+)

They cannot change the player argument of a remote event, but they can modify every other argument (or not even pass any at all). Also, they can fire any remote event at any time.

Unfortunately, exploiters can control their animations because of how animations are replicated and trying to run them all on the server would be inefficient and likely wouldn’t be worth the effort (and make the game more choppy). It might not even work.

1 Like

I’m not sure but cant you use RemoteEvent:FireClient() as that can only be fired on a Server Script and sends data to the Client? or can exploiters mess with that to?

The issue there is that there’s already default animation replication in place, and creating your own would likely require a ridiculous amount of updates. Playing animations on the server would work, but it would likely make things feel unresponsive and just take up server resources. It also probably just wouldn’t work since the default replication automatically updates whenever an animator object is inside a humanoid.

1 Like

They can spoof everything they send from the client, except the player argument in remote events.

The big picture I get from reading about how anti-exploit scripts work, more so on the client, is that any variable can get spoofed, and any client sided anticheat will grab a spoofed value instead of the real value(if the script already deleted). Obviously, many people have put effort into making a server sided, anti-exploits that do its calculations based of values from the player. Which I remind you, are client based. If any value can get spoofed, what the point of an anti exploit?

the only limit I can think of that prevents the player from lying about anything related to them, is the fact that

  1. exploits do not work while joining a server

This gives, a brief window of true and valid information that the server registers and any server sided, anti exploits can use this small time stamp to judge the next players actions

And thats it? That small window of time to judge everything that the client does. (until the next feasible action happens)

TL;DR: Whats stopping an exploiter from exploiting anything?

I wouldn’t rely on that delay on joining, as it’s likely exploits could be activated before Roblox is run, and therefore able to modify that as well. Overall, you should just always treat data from the client as if it’s falsified unless proven otherwise through your own checks.

The problem is if you want to check something, you have to check it with a “correct” value. Otherwise you are checking a value with something you dont even know is right, defeating the purpose of checking it. That leads back to the question, of what value cannot be spoofed, or rather, is there a value that hasn’t been spoofed yet