Amazing explanation! This is a good way to secure most of a map, but this could cause massive server lag if you prefer unions over messages, and sudden executions of any scripts (if disabled and re-enabled upon loading). That is something to look out for. I will add you to the post!
smol edit (new notable replies)
This is different than property changes because it's physics which is entirely different than other replication.
But, there's a legitimate exception, which is descendants of a player's character. All descendants of a player's character can be deleted on the client, and this change will replicate to the server (the result is identical to setting instance.Parent = nil on the server).
This is how what's usually called "FE god mode" works, exploiters will remove a player's Humanoid instance (immediately inserting a local copy on their client), which means there's no Humanoid to take damage. (Kinda funny, and it makes a lot of sense if you think about it)
What many people don't know is that this applies to everything in the character. Tools, descendants of those tools, joints, meshes, clothing instances, etc can all be deleted by an exploiter, and these changes will go to the server.
This is also exactly how exploiters create "FE parts", by deleting the mesh and joints of their own hats, which they can then control because they will have automatic network ownership.
This is unfortunately pretty difficult to solve if not impossible for us devs, but, things like FE god mode can be mitigated by simply replacing the Humanoid, which used to have some delay since you couldn't reparent an instance during an AncestryChanged event.
Luckily this can now be solved better with the task library so the instance can be reparented instantly:
-- In server code, when humanoid removed (e.g. AncestryChanged)
task.defer(function()
    humanoid.Parent = character
end)
vs this which causes a warning:
-- In server code, when humanoid removed (e.g. AncestryChanged)
humanoid.Parent = character
-- Warning: Something unexpectedly tried to set the parent of Humanoid to Hexcede while trying to set the parent of Humanoid. Current parent is NULL.
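The mitigation described in the post above, wired into a full server Script, as an added example that is not part of the original post or any poster's code. The `MAX_RESTORES` threshold, the forced respawn and the helper names are assumptions made for illustration.

```lua
-- Added example (not from the thread): server Script, e.g. in ServerScriptService.
local Players = game:GetService("Players")

local MAX_RESTORES = 3 -- assumed threshold, tune per game

local function watchHumanoid(player, character, humanoid)
	local restores = 0
	humanoid.AncestryChanged:Connect(function()
		-- React only when the Humanoid itself was unparented while the
		-- character is still in the world (not a normal respawn or cleanup).
		if humanoid.Parent ~= nil or character.Parent == nil then
			return
		end
		restores += 1
		-- Reparenting directly inside this handler raises the warning
		-- quoted in the post, so the write is deferred.
		task.defer(function()
			if character.Parent == nil then
				return
			end
			if restores > MAX_RESTORES then
				player:LoadCharacter() -- assumed policy: repeated removal forces a respawn
				return
			end
			-- pcall: Parent is locked if server code called Destroy() on the Humanoid
			local ok, err = pcall(function()
				humanoid.Parent = character
			end)
			if not ok then
				warn(("Could not restore Humanoid for %s: %s"):format(player.Name, tostring(err)))
			end
		end)
	end)
end

local function onCharacterAdded(player, character)
	local humanoid = character:WaitForChild("Humanoid", 10)
	if humanoid then
		watchHumanoid(player, character, humanoid)
	end
end

Players.PlayerAdded:Connect(function(player)
	player.CharacterAdded:Connect(function(character)
		onCharacterAdded(player, character)
	end)
	if player.Character then
		onCharacterAdded(player, player.Character)
	end
end)
```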
Thanks for the explanation! I'll add you to the notable replies.
gonna have to do the le bump, i made a CRITICAL CHANGE regarding avatars
TopBagon mentioned that if you have things like an IntValue or a BoolValue in your character, hackers can remove it and server scripts could break, read his post here
I don't think that's true, they can only destroy their replicated values, server won't be affected
Also, player characters are known to need a lot of checks before replicating and/or removing, so after all if you have :findfirstchild and nil checks you are alr (in a local script because server scripts won't be affected)
Things in your character replicate to the server, that's how the scripts could break, if a hacker deletes a vital item and the server can't find it then it go BREK (that's what pcall is for kids)
oh right I forgot that they could delete it on join lol
what about if i, from a server script, call instance.new("value"), set the parent to the character? in that case it's replicated from server to client so there's no issue right?
That would not work, because the client can delete anything in its character. No workarounds. Checks must be placed on the server before calling anything in the client.
the client can delete anything in its character, but it will only be deleted for him
Anything the hacker deletes in his character is replicated in the server. Stop please
CRITICAL EDIT: info on local scripts and module scripts
Exploiters can read and delete server scripts if they are in a player's character. You can test this in Studio - delete the healing script, and you won't heal anymore.
Ummmm if I have a terrain generation script client sided and a module which contains the property of the terrain, am I doomed to be copied (I use perlin)
Either way you're doomed to be copied because hackers can steal anything in workspace, client-sided or not (just server scripts are excluded from this)
Exploiters can't read server scripts in the character, but yeah they can delete it.
Did you try it with an actual exploit? Your command bar or your simple cursor can't prove it 100%
No, I'm not using any exploits. But Roblox Studio can "simulate" exploits from the client, if you delete something or add a new local script.
But exploits can do more stuff than just localscripts. Like getrawmetatable, etc.