
How to make sure someone actually beat a level/course?

Posted: Mon Dec 28, 2020 10:18 pm
by dezoitodemaio
There will be a leaderboard in my game and every time someone beats a level, I make a request to the server, something like: POST 'api/course/cleared/LEVEL_ID'. But this is not safe since anyone could just send a fake call to the API passing any LEVEL_ID they want.

My first idea was to record every input from the player, send it to the server and then re-run the game there. I use box2d for physics but since box2d is not deterministic across OSs/hardware I discarded that option.

Re: How to make sure someone actually beat a level/course?

Posted: Tue Dec 29, 2020 1:53 am
by MrFariator
You could implement some invisible checkpoint system, and send the data about the ones the player touched along with level clear time to the server. To better guarantee that the data is correct, implement some checksum methodology, perhaps server-side to hide it from end users.

In the end though, I think anyone that is trying to cheat and is dedicated enough will eventually find a way to fake that data, or someone might find an exploit that allows suspiciously fast times. Thus you may have to practice some manual leaderboard moderation either way.

Re: How to make sure someone actually beat a level/course?

Posted: Wed Dec 30, 2020 11:38 pm
by Xii
On a theoretical level, there is no way to ensure that a submitted score is 100% legitimate. In practical terms, you can make it increasingly difficult to cheat.

First things first, you have to be able to punish cheaters. One way to have that is to tie leaderboard access to paid accounts - paying customers. If your game is free and the leaderboards are open, you will have cheaters and they will consume all of your time manually reviewing scores. But if your game costs something, even a little, most cheaters are deterred because every time they're caught they would have to buy the game again. And if you're flooded with paying cheaters, you can actually afford to hire people to review scores for you!

Then, we can begin to discuss the core of the issue: How do we know that a human being produced the submitted score, fairly and legitimately? Let's consider possible attacks.

Problem: Cheaters can submit any number as their score. Therefore, you cannot trust the score number.
Solution: Require that all submitted scores are accompanied by a replay of the game that produced them, and have automated validation of replays - a system that plays back the replay and confirms the score it produces. If your game engine is non-deterministic, you'll need a replay that stores the positions of all game objects in time, and the validation has to be a little fuzzy to account for differences in floating point arithmetic. That is, check that the replay is within reasonable bounds.

Problem: Cheaters can meticulously craft tool-assisted replays (see: Tool-Assisted Speedrun community) to produce scores better than a human could.
Solution: The actual content being played has to be 1) impossible to predict in advance, and 2) time-limited from publication.

In essence, your game needs procedural content. When a player starts a new game, the client asks your server for a level. The server sends a random level, and stores the current time for this session. When the player completes the content, the client sends the score and replay to your server. The server stores the time it took for the player to complete the content, validates the score from the replay, and verifies that the replay is (about) the same length as the time. You'll need an upper limit on the allowed time to qualify for leaderboards. This means that the content has to be completed in one sitting, in a matter of hours.

Problem: Cheaters can modify the game client to reveal information hidden from normal players.
Solution: Design your game in such a way that there is no hidden content. No secrets. No fog of war. No surprises of any kind. Nothing to be gained from being able to see the whole game world from the start.
Alternate solution: Send the content in chunks to players, requiring the replay for the previous chunk before sending the next one. This consumes more computing resources from your server, but allows for unknown information across the game.

Problem: Cheaters can program artificial intelligence to play the game for them.
Solution: Manual review. Does it look human?

And now we've reached the end of our capabilities as game service providers to prevent cheating. If someone manages to develop a human-like AI for your game that plays it better than the humans can, they've earned their score. :3

All of this doesn't have to be perfect. You can only verify some of the replays randomly. You can only manually review some of the cases randomly. The possibility of being caught keeps most people honest. If a cheater is discovered, their account is banned and all their past scores are removed from the leaderboards.
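
The session flow described in the post above, sketched server-side as an added example (not part of the original post and not code from any poster). It assumes the score is the level clear time and that a replay is a list of `(t, x, y)` player positions; `LeaderboardServer`, `replay_is_plausible` and every constant are hypothetical names and values.

```python
import math
import secrets
import time

MAX_SESSION_SECONDS = 3 * 3600  # assumed leaderboard cut-off ("a matter of hours")
TIME_TOLERANCE = 5.0            # assumed slack for latency and loading, in seconds
MAX_SPEED = 12.0                # assumed top player speed, world units per second
FUZZ = 1.10                     # assumed 10% allowance for floating-point drift


def replay_is_plausible(replay):
    """Fuzzy check of (t, x, y) frames: time moves forward, speed stays in bounds."""
    for (t0, x0, y0), (t1, x1, y1) in zip(replay, replay[1:]):
        dt = t1 - t0
        if dt <= 0 or math.hypot(x1 - x0, y1 - y0) > MAX_SPEED * FUZZ * dt:
            return False
    return len(replay) >= 2


class LeaderboardServer:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions = {}  # session_id -> (player, level_seed, started_at)

    def start_level(self, player):
        """Issue an unpredictable level and record when it was handed out."""
        session_id = secrets.token_hex(16)
        level_seed = secrets.randbits(64)
        self.sessions[session_id] = (player, level_seed, self.clock())
        return session_id, level_seed

    def submit(self, player, session_id, replay):
        """Return (accepted, clear_time_or_reason); the score is read from the replay."""
        session = self.sessions.pop(session_id, None)  # each session is single use
        if session is None or session[0] != player:
            return False, "unknown session"
        elapsed = self.clock() - session[2]
        if elapsed > MAX_SESSION_SECONDS:
            return False, "session expired"
        # A full validator would also rebuild the level from level_seed (session[1])
        # and check the positions against its geometry.
        if not replay_is_plausible(replay):
            return False, "implausible replay"
        clear_time = replay[-1][0] - replay[0][0]
        if abs(elapsed - clear_time) > TIME_TOLERANCE:
            return False, "replay length does not match session time"
        return True, clear_time
```

The client never sends a score number at all: the server derives it from the replay and cross-checks it against its own clock, so a bare POST with a level ID is no longer enough to get on the board.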

Re: How to make sure someone actually beat a level/course?

Posted: Thu Dec 31, 2020 3:34 am
by zorg
Just one thing I wanted to mention, in case any confusion would arise; TAS or not, speedrunners are technically not malevolent cheaters, they just like finding ways to play the game differently than how the developers intended them to be played; some might not consider that cheating at all. :3

Re: How to make sure someone actually beat a level/course?

Posted: Fri Jan 01, 2021 3:04 am
by Xii
zorg wrote: Thu Dec 31, 2020 3:34 am speedrunners are technically not malevolent cheaters, they just like finding ways to play the game differently than how the developers intended them to be played; some might not consider that cheating at all. :3
There exist malevolent speedrunners who cheat. Such people are banned every so often from speedrunning communities. The latest controversy is a statistical anomaly in loot drops against Minecraft speedrunner Dream, whose runs were disqualified on account of unnatural luck. Cheating is based in misrepresentation. Legitimate tool-assisted speedrunners disclose their methods as superhuman. My point was that the technology exists, and can be used for evil. Not that all speedrunners are cheaters.