What loop to use for anticheat

None of what I mentioned in my reply was in regards to Clash Royale. All of what I wrote is possible in Roblox. Your proposed model of the server sending information to the client, which the client then sends back as a form of validation, is incredibly naive and very easy to bypass.

You really shouldn’t be giving security advice when you have no idea what you are talking about.

Just because it’s possible doesn’t mean it is optimized whatsoever.

oh here we go with the obsessions again. Do you want to worship exploiters? That’s honestly what it sounds like. I am sure they will be happy to have you at their feet.

I think not. I leave things in the hands of experts… and I follow the same concepts that the top games on Roblox follow. Which is to STOP CARING ABOUT EXPLOITS and focus on performance. Using the bare minimum for an “anti cheat” is perfectly acceptable.

STOP CARING ABOUT EXPLOITS

This is (to some extent) good advice.
However this is not what you said in the comment I replied to.
In the comment I replied to, you specifically suggested that people implement a system where the server sends a value to the client, which then sends it back.
The best you can do in terms of security is to design your game properly, so there are no easily exploitable features.

1 Like

Ok. That is totally fair. Someday you will fully understand. At least you believe in designing the game properly which I think is good. I personally don’t care about easily exploitable features. Neither do many of the top games on Roblox. The reason being because Roblox has an entire team dedicated to improving the platform overall. I truly hope someday Roblox can perform properly with only server scripts and nothing on the client whatsoever. Any client input should be done on the server but because of performance issues… it should all be done in the most performance beneficial way possible. The things you can do to prevent easily exploitable features such as handling movement of characters and projectiles on the server are beyond foolish. The replication delay is noticeable and you could potentially be sacrificing success for something that only Roblox staff can truly help us with. I hope that people are able to see this. It may take time. I totally get it. The frustration of exploiters can be overwhelming. But I can’t stress enough that it is important to stay focused on performance because someday it will be over for them just like it was for the Synapse X team. It may not completely stop them… but handling all information on the server would certainly help more than anything else.

Source?

If there aren’t many exploiters in the top games then that probably means they have done something to prevent exploiting or to make it more difficult. Because, logically, when a game grows in popularity, there will be more people making exploits targeted specifically to that game, and also more sharing of exploits for that game so even less skilled exploiters will have access to exploits targeted to that specific game’s vulnerabilities, if there are vulnerabilities in the game.

I don’t think Roblox’s anti-tamper code on the client would be able to prevent all exploits on the client even in the future.

And Roblox also can’t make serverside anti-exploits that are usable in every game because they simply cannot know what kind of things are possible to do legitimately in a specific game.

Could you elaborate on this? What do you mean by nothing on the client? A game cannot work fully on the server, regardless of whether it’s a Roblox game or not.

The server cannot directly listen to user input because the user is physically far away. And, of course, even if the user sends the inputs (like key presses) instead of their results (like movement) to the server, that still doesn’t solve problems because the inputs can be fake.

I guess rendering on the server for each client and sending the results to the clients would be theoretically possible and could help against people changing lighting to their advantage in a game that is meant to be dark or stealing 3D models but it would be a massive waste of performance.

But I may have misunderstood what you meant so please clarify if that’s the case.

https://youtube.com/shorts/UwHaS7cusck?si=gq8Yb6oOV0brYoGL <---- This video is a phenomenal example of why server sided anti cheat is not possible (No matter what you track within a player, movement, teleporting, rotating, velocity, etc., any input can be simulated by an exploiter which allows them to expend 0 effort and set up robot farms)… therefore it is not useful enough to combat popular exploits that create robot autofarming.

So where did Synapse X go? Where did protosmasher go? Hexus? Scriptware? They’re all gone now… but wait… they can’t make serverside anti-exploits that are usable in every game? They sure can and they already have. As far as how long it will be before we see patches to mobile executors… who knows.

12345koip sort of pointed to the idea but honestly you might be right it might not be fully possible to make everything run on the server now that I come to think about it. And therefore I guess cheating will always be possible… just can be made much less likely with more and more things being operated by the server.

This is the most important thing so at least you get that. I will never care about this subject beyond a forum like this where it’s all just about talking and expressing ideas. The only thing I focus on personally when developing is performance and quality.

Good observation. I think bot farming is the greatest example of fake inputs. When I said “Popular Games” Adopt Me and MM2 would be top examples. There are bots everywhere… and nobody can say something like “oh yeah if they just went Jackie Chan on them exploiters with my server-sided anti cheat they wouldn’t have such problems” , not the case… they will always find ways to exploit and until the very moment that their modified Roblox APK files stop working… they will continue to find ways to bypass anti cheats both on the server and the client. The only thing I can think that could work is if you just continuously added anti cheat guessing games that take around 1-2 hours to solve I guess theoretically it could be enough to solve the problem because exploiters are far too lazy to sit there and solve puzzles for hours just to unpatch scripts for a specific game. And if every game started doing that, you can imagine how quickly exploiters would crumble. So basically the same idea that Roblox uses where executors get patched once every week but a more sophisticated version that takes longer to unpatch than executors.

Yes, using bots to farm currency or other valuable in-game things surely is difficult or maybe even impossible to detect. But I believe it mostly affects the economy of a game, not so much the gameplay. Or what kind of bots are you talking about? I didn’t understand what was happening in that video. Usually, exploiters are annoying because they ruin the gameplay for others. Things like teleport detection, flying detection or speed detection can help against a lot of annoying exploits even though they don’t help against bot farming.

I believe you are right that even top games don’t try to fight against all exploits but I believe that they do care about exploits that can be dealt with in a way that isn’t too complicated or heavy for performance.

Exploit software is run on the client. It cannot be detected directly on the server because it’s impossible for the server to know what operations are run on the client. If these exploits have been patched, that has been achieved with Roblox’s clientside code. Roblox’s client code has access to more things than Roblox games’ clientside Luau code. I don’t know how exactly exploits are detected but I remember reading somewhere that one way is by observing for unexpected memory operations. Client code that directly detects exploit injections does not need to care about how a specific game works so it can be used in every Roblox game. Because it’s clientside detection, new exploits do find ways to bypass it, but since it’s being actively developed, more and more exploits are patched over time. So it’s an endless competition between Roblox and exploit software developers. Hyperion apparently has helped a lot in reducing exploiters but it still runs on the client so it’s not impossible to bypass.

The server can only detect exploits by observing whether the changes that a player is requesting the server to make to the game state should be possible. Whether something like teleporting and flying should be possible in a game is game-specific so it’s impossible to create a serverside anticheat that is usable in all games.

Clientside exploit detection and serverside exploit detection both have their pros and cons.
Client:

  • Pro: Roblox’s clientside code has the possibility to directly detect exploits and thus patch specific exploits in every Roblox game. It doesn’t need to look for illegitimate changes in game state which are game-specific.
  • Con: An exploiter has access to Roblox’s clientside code (although not to the source code) so they can examine and eventually bypass, maybe even disable some of the checks. In the case of a Roblox game’s clientside exploit detection code (Luau), an exploiter can find a way to disable it without the client or the server noticing more easily than they can disable Roblox’s checks because a game’s Luau code is most likely far less complex than Roblox’s code and it is also more restricted in its abilities than Roblox’s code. The more complex the Luau clientside anticheat is and the more it is tied to other code, the more difficult it can be for the exploiter to get rid of it, but the developer of a Roblox game most likely doesn’t have enough resources for constantly maintaining a complex clientside Luau anticheat such that it remains useful.

Server:

  • Pro: Serverside code can’t be disabled by an exploiter so serverside antiexploits don’t need constant updating.
  • Con: It is impossible for the server to directly detect that exploit code is being run on the client. It has to observe whether the requests sent by clients are valid (such as requests to change the position of a character). The criteria for validity are game-specific so a solution that works in every game is impossible to create.

The fact that specific exploit software has been patched is not related to serverside anticheats.

1 Like
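As an added example (not code from any post in this thread), here is a server-side movement check of the kind the post above describes, written as a Luau server Script that judges each character's replicated position against what the game allows. The thresholds and the `SkipMoveCheck` attribute name are assumptions to tune per game.

```lua
-- Server Script (e.g. in ServerScriptService). Thresholds and "SkipMoveCheck" are assumed names/values.
local Players = game:GetService("Players")
local RunService = game:GetService("RunService")

local CHECK_INTERVAL = 0.5 -- seconds between checks; per-frame checking is not needed
local TOLERANCE = 1.5      -- multiplier that absorbs latency and physics jitter
local SLACK = 4            -- studs of free movement per check
local MAX_STRIKES = 3      -- consecutive violations before correcting
local tracked = {}         -- [Player] = { pos = Vector3, time = number, strikes = number }

local function check(player, now)
	local character = player.Character
	local root = character and character:FindFirstChild("HumanoidRootPart")
	local humanoid = character and character:FindFirstChildOfClass("Humanoid")
	-- Reset the baseline on respawn, death, seats/vehicles, or a server-approved teleport.
	if not root or not humanoid or humanoid.Health <= 0 or humanoid.SeatPart
		or player:GetAttribute("SkipMoveCheck") then
		player:SetAttribute("SkipMoveCheck", nil)
		tracked[player] = nil
		return
	end
	local state = tracked[player]
	if not state then
		tracked[player] = { pos = root.Position, time = now, strikes = 0 }
		return
	end
	-- Horizontal distance only: falling speed is set by gravity, not WalkSpeed.
	local moved = ((root.Position - state.pos) * Vector3.new(1, 0, 1)).Magnitude
	-- The server reads its own copy of WalkSpeed; a client-side edit does not replicate.
	local allowed = humanoid.WalkSpeed * (now - state.time) * TOLERANCE + SLACK
	if moved <= allowed then
		state.pos, state.time, state.strikes = root.Position, now, 0
		return
	end
	state.strikes += 1
	if state.strikes >= MAX_STRIKES then
		-- Rubber-band instead of kicking: a false positive costs a stutter, not the session.
		root.CFrame = root.CFrame.Rotation + state.pos
		state.time, state.strikes = now, 0
	end
end

local elapsed = 0
RunService.Heartbeat:Connect(function(dt)
	elapsed += dt
	if elapsed < CHECK_INTERVAL then return end
	elapsed = 0
	for _, player in Players:GetPlayers() do check(player, os.clock()) end
end)
Players.PlayerRemoving:Connect(function(player) tracked[player] = nil end)
```

Server code that teleports a player legitimately sets `player:SetAttribute("SkipMoveCheck", true)` first; a client cannot forge this because attribute changes made on the client do not replicate to the server.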

This was by far the most important thing you said. Not only do I agree with you but that ties directly into my theory that if developers were to be in their own endless competition with exploiters, that exploiters would crumble. This is why I believe that guessing games could work, hence why I got the solution to this forum. I don’t believe it’s as easy as a server to client to server model (it’s a good foundation to start with but you can extend and improve this model especially if you do your own whitehat exploit testing with an executor). Quantitative data is crucial to making it work because the larger quantity of functions and information in your game that exploiters have to figure out, the longer it will take them and it will just get to a point where they will start to feel like the benefits of exploiting are outweighed by the time it takes to unpatch their scripts every week.

There are many exploits that simply cannot be detected or patched by Hyperion, let alone some Luau client ac. These exploits include anything that only needs to read memory: aimbot, autoparry, save instance, macros and esp (there are ways to patch it on the server but it is expensive). Reading memory and simulating inputs cannot be detected without a kernel ac and even then there are ways around it.

Even if what you are saying is 100% true it completely misses the main point of what I was saying.

1 Like

i really don’t understand this?

Good luck using a local script to find out that you have to guess the exact integer from the server every single time between 0 and 2,147,483,647. :rofl:

also there’s not really a big scary anticheat for Clash Royale-- literally just verifying the elixir, and if they have that card in their deck, it’s almost impossible to bypass it, because it’s so simple.

an anticheat doesn’t affect performance if done correctly

1 Like

What I was saying is the only way you can bypass the anti cheat where you send a random code to the client that then gets sent back to the server is if someone finds a way to exploit the server script that creates the code to where they can get the code exactly right every single time. Otherwise you would be trying to fire the server with a code that could be anywhere between 2.147 billion numbers. At least if you are smart you would make your code generations complex like that. I can’t speak for everyone.

Explain how you are going to detect an aimbot on Roblox when Roblox will never give you the tools to patch or detect read only exploits. Exploiters have pretty much “won”

A cheat can be defined as maximizing unfair advantage by exploiting tolerances. As such, the cheater always has the advantage because gaming is full of gray areas. While it can be limited, it can’t be solved for perfectly because there will always be a concern that the player might just be good instead of cheating. As such aim bots are impossible to detect if optimized for it. Even in extreme cases like game logic and rendering happens on a server and you are just streaming io, there are tolerances to exploit there as well, though it’s probably minimized as much as is feasible. (Imagine an external system that uses AI to analyze the screen and modify your inputs for a screen space aim bot).

The most you can do is design your game to minimize these advantages. Some can be perfectly solved for like games with obvious discrete states (like chess), but most don’t have perfect solutions.

I don’t even remember what this thread was about. This is getting off topic. We were discussing how client side anticheats don’t work, or at least work only temporarily where server sided ones are permanent (though have leeway by necessity). That discussion was only a tangent to the OPs request and now we are discussing a tangent to that tangent.

Either way it’s important to understand that if an exploit doesn’t inject, it cannot be detected without a kernel ac.

1 Like

an exploiter could make a new local script, destroy the old one, and do the same thing your original local script was doing (sending info back and forth), which i personally DO not recommend doing, just make sanity checks (ex. if you have a gun system, when a client shoots, take one away from their ammo, if they don’t have enough ammo, don’t replicate the shot to other clients)

here’s an example of a remote spy, whenever a remote is fired, it just prints the arguments, but still lets the remote “work”:

Nah everything here is pretty much on topic and I wouldn’t call it “going off on tangents”. I already took one person here up on the offer of trying to bypass my client sided anti cheat. Haven’t heard back from them yet. I plan on taking more people up on the offer if it is successful after the first person tries to.

The tools for this are against tos to use. Otherwise I would take you up on it (that and the software is probably sketchy anyways).

The closest I could do is just rewrite any client sided script I want before pressing play (which hopefully is obvious how I would bypass it). Not a perfect 1:1 because it’s much easier, but that’s effectively the only way that anyone could legitimately take you up on it.

Also it’s off topic (though my definition might be more strict than yours so it’s not like this means much). The origin was about what loop they should be using. The answer is none. Because there is no assurance of execution order, client sided anticheats can be tampered with relatively easily with the right tools, and it’s better to just check that they are behaving reasonably on the server since that’s far more secure, even if imperfect. The rest of this discussion isn’t even directly about this post anymore.

hi! i’m the person you “took up” you sent me what appeared to be an empty baseplate and asked me to send you a video of me exploiting. if you would like to send me a place file, i would love to try and find a bypass.

1 Like