9/30/23: People are using this as their entire basis of their anticheats. No. Roblox anticheats and cheaters have evolved so much since 2022.
Old Post (why)
5/26/22: Note, due to developments in the past few months and ROBLOX taking more action against exploiters, the post may be out of date. Revision 3 of the thread coming soon!
In this resource, I will talk about what hackers can/cant do, since this topic is not discussed (at all).
First, we need to talk about Clientside vs. Serverside.
Serverside
Serverside means something that only the server can see, or something that everybody can see. For example, Workspace is handled on the server, so everybody can see Workspace but no single user can change it* without changing it through the server. This also applies to ServerScriptService but in a different way, i.e. no one user can see besides the server itself.
Clientside
Clientside means something that only the user (the client) can see. For example, if the user inserts a part into Workspace without doing it through the server, nobody else can see that part. Local scripts operate under Clientside.
Now we can get into the juicy part!
Hackers can operate anything via clientside† such as inserting parts, inserting a GUI into StarterGUI or CoreGUI (such as Dex or InfiniteYield), which nobody else will be able to see. This is why local anticheats are required as the server cannot detect if somebody inserted a hack GUI into their Starter/CoreGUI.
Note: Hackers can view and edit local scripts in a client service (such as StarterPlayer)
Hackers cannot do anything Serverside (with a few exceptions and footnotes) such as running serverside scripts, looking inside a Server service (except client and server services, such as Workspace* or ReplicatedStorage) or viewing server scripts.
Note: Hackers can look into ANY LOCALSCRIPT OR ANY MODULE SCRIPTS. Your local and module scripts are NOT SAFE unless they are in a server service, so your module scripts are DOOMED either way. D O O M E D.
Now, some exceptions. For the exception for serverside, hackers can run Serverside scripts if they have a backdoor. Also, hackers can do a few thing to their avatar‡ / §, such as custom animations, moving limbs in unnatural ways, and moving their character (flying, noclip, also includes changing states).
§: Hackers can (sometimes) remove their clothing under specific circumstances, but this rarely comes up. They can remove their shirts if first their torso/arms/legs are removed while keeping the humanoid… alive, then re-inserting them using some cheeky method I don’t understand or get. I’ve seen it happen, so I know its true, but if anybody can elaborate then please tell me.
‡: Mentioned by exxtremestuffs, this is a side effect of Network Ownership, which is explained below, read exx’s post here
†: TopBagon mentioned that if you have things like an IntValue or a BoolValue in your character, hackers can remove it and server scripts could break, read his post here
*: ihavoc101 mentioned this, exploiters can move unanchored objects without backdoors using network ownership, view his post here
Noteable replies:
What hackers can/cant do - #20 by BakDoor
What hackers can/cant do - #23 by Hexcede
What hackers can/cant do - #34 by GamEditoPro
If I missed anything, please let me know (I will add it above) and thank you for reading!
Some resources for you to check out:
Why Your Anti-Exploit Sucks
How to make a strong anti cheat?
Exploiting Explained (mostly terminology I wont explain here or we will be here for hours)
How you should secure your game - A beginner guide for secure networking and developing anticheats
Concept: Client Anti-cheat possible?