I'm curious about how Roblox's security works

I’m not a hacker, but I need to know how these hackers work, sadly.

Basically, a hacker can do whatever they want locally, but not on the server.
What’s stopping the hacker from making a local function that tells the server “the player earned this/that, so you should give it to them”?

If you have a system that rewards items and stores them as data, why can’t a hacker just tell the server portion that they do deserve to have all the best stuff for free?

secure your remote events and don't make remote events that give you things

Tie literally everything to remote events to overwhelm them.
surely it will work.

So the solution is to just don’t? I guess that does make sense.
What can a local button do that a server button can’t other than be snappier with high ping?

So that’s why fishing is so frickin prone to being affected by ping.

anything entirely client side

most ui can be coded locally with no problem as long as you're not making like, a “give money” button which even then anyone could just autoclick

but yeah basically never trust the client, if sending anything to the server, check on the server if what the client is sending is legit

Well what I have right now is a local button that gives you whatever is set in the script, but it’ll probably be more like AO’s treasure chests in the future, which, come to think of it, are also very bad with high ping.

anything on the server is gonna be bad with high ping, unfortunately roblox can't handle a game like ao with so much going on on the server constantly

learn to optimize and 90% of people will be ok, high ping will always suck no matter what and even if you did handle them opening locally the item you get would still be on the server with a delay

Thanks for the help

yw i wish you luck with your project

Hey so the new thieves are client-sided right?

New galleon farming method just dropped-

Sometimes you have the best ideas for no reason

I am notorious among my friends for finding the most devilish and fucked up ways to break every mechanic of an rpg I come across

Do not ask my dnd group about the instant death aberration, the instant death aberration does not exist

I am not experienced with Roblox anything, but whenever you have a client running on someone else's computer, you assume it is malicious. Physical access is complete access, so the server that you control must be the source of truth.

In games this means the client is allowed to inform the server about the local game state (“The player character moved to [100,100]”).
It’s up to the server to check this, update its own state, which is the “true” one, and inform all other clients about the changes (“No way, you were at [0,0] 10ms ago, best you can get to is [10,10]”).

This is usually done in separate and “unreliable” packets, since a full duplex connection would be more latent and expensive.
The client is allowed to predict that the packets reach the server and get accepted to give you a more responsive experience.
This works great when the client is right, but if a network issue arises somewhere in the middle and you drop packets, the server will miss them and slap you back into place, i.e. you rubberband.
This is also why there is usually a small discrepancy between what you see on your screen and what is “true”, i.e. what the game state is on the server.

Don’t question the “let’s guess the future and hope we’re right most of the time” approach too much. It has actually been used for decades in multiple areas of computing and enables a lot of the things we take for granted lol.

Now Roblox’s remote events are probably a form of remote procedure calls.
Basically, the code is stored on the server and thus assumed to remain untampered.
The client is only allowed to initiate a run of a procedure. Obviously, only existing procedures created intentionally by the programmer can be called upon by the client.
Since they run on the server, they know the “true” state of the game and can confirm if an action is allowed.
So all your code that checks for validity of some action should be a remote event that runs on the server.

That is all how it works in theory, at least. Roblox’s implementations might be different (unlikely), and your remote events could be exploitable in many ways.

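The “never trust the client” advice earlier in the thread and the remote-event explanation in the post above, put together as one server-side script. This is an added example written for this thread, not code from any game, from Roblox, or from either poster; the `ClaimChest` remote name, the chest ids, positions, reward values, the 12-stud range and the one-second cooldown are all assumptions. The point it shows is that the client only gets to say “I am trying to open chest X”; everything that decides whether that is true, and what it pays, lives on the server.

```lua
-- ServerScriptService/ChestServer.server.lua  (added example; names are assumptions)
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local Players = game:GetService("Players")

-- The remote the client is allowed to *initiate*. The client never tells the
-- server what it earned; it only names the chest it is trying to open.
local claimChest = Instance.new("RemoteEvent")
claimChest.Name = "ClaimChest"
claimChest.Parent = ReplicatedStorage

-- Server-side source of truth: which chests exist and what they pay out.
-- Constructed sample data; a real game would load this from its own config.
local CHESTS = {
	beach_1 = { position = Vector3.new(100, 5, 100), reward = 50 },
	cave_3  = { position = Vector3.new(-240, 12, 30), reward = 200 },
}
local MAX_OPEN_DISTANCE = 12   -- studs; assumed value
local CLAIM_COOLDOWN = 1.0     -- seconds between accepted claims per player; assumed

-- Per-player state also lives on the server, so an exploiter cannot edit it.
local galleons = {}   -- player.UserId -> number
local opened = {}     -- player.UserId -> { [chestId] = true }
local lastClaim = {}  -- player.UserId -> os.clock() of last accepted claim

local function initPlayer(player)
	galleons[player.UserId] = 0
	opened[player.UserId] = {}
	lastClaim[player.UserId] = 0
end

-- Cover players already present (e.g. Studio Play) as well as later joins.
for _, player in ipairs(Players:GetPlayers()) do
	initPlayer(player)
end
Players.PlayerAdded:Connect(initPlayer)

Players.PlayerRemoving:Connect(function(player)
	-- a real game would persist galleons via DataStoreService here
	galleons[player.UserId] = nil
	opened[player.UserId] = nil
	lastClaim[player.UserId] = nil
end)

-- Returns (ok, reason). Every check uses only server-side data plus the
-- single string the client is allowed to send.
local function validateClaim(player, chestId)
	-- 1. Type check: an exploiter can pass any value, not just a string.
	if typeof(chestId) ~= "string" then
		return false, "bad argument"
	end
	-- 2. Only chests the developer actually created can be claimed.
	local chest = CHESTS[chestId]
	if not chest then
		return false, "unknown chest"
	end
	-- 3. Rate limit: a spammed remote is a cheap way to load the server.
	if os.clock() - (lastClaim[player.UserId] or 0) < CLAIM_COOLDOWN then
		return false, "too fast"
	end
	-- 4. One claim per chest per player.
	if opened[player.UserId] and opened[player.UserId][chestId] then
		return false, "already opened"
	end
	-- 5. Physical plausibility against the server's copy of the character,
	--    not whatever position the client might claim.
	local character = player.Character
	local root = character and character:FindFirstChild("HumanoidRootPart")
	if not root then
		return false, "no character"
	end
	if (root.Position - chest.position).Magnitude > MAX_OPEN_DISTANCE then
		return false, "too far away"
	end
	return true, nil
end

claimChest.OnServerEvent:Connect(function(player, chestId)
	local ok, reason = validateClaim(player, chestId)
	if not ok then
		-- Log and drop. Repeated rejections from one player are the signal to
		-- look at when deciding whether they are exploiting or just lagging.
		warn(string.format("[ClaimChest] rejected %s (%d): %s",
			player.Name, player.UserId, tostring(reason)))
		return
	end
	lastClaim[player.UserId] = os.clock()
	opened[player.UserId][chestId] = true
	-- The payout comes from CHESTS, never from the client's arguments.
	galleons[player.UserId] += CHESTS[chestId].reward
	print(string.format("[ClaimChest] %s opened %s, now has %d galleons",
		player.Name, chestId, galleons[player.UserId]))
end)

-- Client side (LocalScript), the only thing the player's machine gets to do:
--   game:GetService("ReplicatedStorage"):WaitForChild("ClaimChest"):FireServer("beach_1")
```

Note that the client-side call carries no amount at all. If the remote instead accepted `FireServer(chestId, 9999)` and the server added that number, the situation the original question describes (the client telling the server what it “earned”) is exactly what you would get. The ping cost mentioned later in the thread is also visible here: the server's distance check uses the server's replicated character position, so a laggy player who walked up to the chest on their own screen may still be “too far away” on the server for a moment.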

they might be spawned on the server and just run on the client or there's just a cooldown/good sanity checking

i was concerned about it when they were added tho

From the explanation on the trello, it looks like each individual citizen spawned just has a random chance to be a thief, so you can just spawn an absurd amount of citizens in one place, walk into them, then self explode for a free 1.666…x multiplier on your current galleon amount

ifg how server and client things work but i assume that the server would handle randomizing the npcs while the client spawns them meaning it wouldnt be possible.

either that or the game checks if the thief you killed was real

I’m still in the mindset of “Galleons don’t matter” so I forgot that you can buy a Sunken Sword with that.

“The great galleon crash of 2025”