Is hacking/cheating possible in CryoFall?

Started by ai_enabled, November 13, 2018, 12:25:40 AM

ai_enabled

TL;DR:
No, hacks are NOT possible in CryoFall as it uses an authoritative-server model and any client-side changes are irrelevant.


And now, the longer version below:

The issue
Some players have asked us about potential hacking/cheating in CryoFall. Whether it is possible and what our approach is.


The bigger picture
Such concerns are expected nowadays - there are a multitude of broken online games released in the past few years. In fact, cheating is almost expected in multiplayer and online games these days. And even big successful games like Fortnite and PUBG are suffering from cheaters and their developers going as far as even suing the cheaters. Mass-blocking the accounts of players suspected in cheating is something people are already used to.

Naturally, why would anyone expect a new indie project from a small team to be any different? But in reality the above mentioned problem doesn't have to be the case!


The simple reality
We're using authoritative server architecture which means that the server never trusts the client - it simply executes a limited set of allowed input commands and runs its own independent world simulation.

Normally this approach means that the client will have to wait for any changes to take effect but in our case the latency is concealed by using client side prediction algorithms (basically client-side simulation for player movement and most of the actions including items management).

The server also doesn't send any information to the client which it should not be receiving. For example, your visual scope is limited by the server and attempting to hack the client to zoom out the camera more will provide no benefits as the server simply doesn't stream the world objects and characters outside the visual scope of your character on the server side. It means that the "map hack" (or any other hacks for that matter) is not possible.


Benefits of open source
Please also note that all the game-related code is fully open source and it's possible to see how everything is done and understand how it actually works.

It also means that any person could try to locate any places where we might have forgotten to put some necessary checks (which is quite unlikely, but could still be the case). There are dozens of remote procedures (such as "eat food") and we have multiple checks there to ensure that you met all the prerequisites to invoke such an action for the particular item in your current character's state.

As the code is available in open source it means that there will be many eyes reviewing the code and reporting any of the possible exploits - something which could never be possible with a closed source game.


Hacking attempts
Since the game has full support for client side modding it is possible to make any client-side changes. Some "hackers" may be impressed by the "results" they get with their attempts - like increasing their health points, weapon fire rate, inventory capacity or setting the technologies unlock price to zero.

But naturally, such changes could not be propagated to the server as it has its own persistent state inaccessible to players and running independent world simulation with it. There will be a discrepancy with the server and that's it - the server will not agree to the hacker's actions and they will have no actual effect whatsoever.

Basically any client side game-state changes are completely pointless.


Is there ANYTHING that is possible then?
This leaves us with really only one class of exploits which are still technically possible and that is bots/macro/aimbots to assist players with the game. Yes, it's perfectly possible to write a bot that would automate certain actions (e.g. gathering items) or assist in performing other actions.

In fact, such mods already exist and are available for PvE servers if you'd like to use them. They are allowed on PvE servers since there is no competition between players and the game is designed in such a way as to make them pretty much useless either way. They are just small QoL improvements if this is how you prefer to play.


What about PvP?
Since players preferred for PvP to be played without ANY mods at all we added several additional layers of protection to ensure that no mods or hacks could be used on PvP servers. In fact, this setting is available to everyone and if you are running your server you can choose whether you want to allow mods or not.

So, what safeguards are in place for PvP?
- executable anti-tampering
- binary integrity checks
- network encryption
- critical component obfuscation
- code virtualization
- and a number of other methods
All of the above is used to prevent any client-side modifications when playing on special secure PvP servers. And as explained above, our existing authoritative server model makes server-state hacks categorically impossible.

But if you are running your own server (especially PvE) there really is no reason to disallow mods. You don't have to be afraid of mods, the game is already designed in such a way to account for mods being used. All game mechanics are designed in such a way to minimize or completely remove any unfair advantage that can be gained with mods even if they are used. So, unless you specifically want to prevent people from using QoL mods like automated gathering of items and such, it's better to allow mods on your server since it allows people to customize the game to their liking and add small QoL improvements or different convenient features.



Conclusion
The bottom line is, there is really no possibility for hacks in CryoFall due the authoritative server model we are using. Any potential client-side advantages that can be gained with mods is minimized by smartly designed game mechanics, and for competitive PvP servers a special secure mode implemented prohibiting any client modifications in the first place in order to ensure a level playing field for everyone. Hopefully with this approach - CryoFall could be one of the very few games where there are no cheaters and everyone plays under the same rules! :)

Regards!