How to make sure someone actually beated a level/course?

Questions about the LÖVE API, installing LÖVE and other support related questions go here.
Forum rules
Before you make a thread asking for help, read this.
Post Reply
dezoitodemaio
Prole
Posts: 15
Joined: Mon Oct 26, 2020 2:02 pm

How to make sure someone actually beated a level/course?

Post by dezoitodemaio »

There will be a leaderboard in my game and everytime someone beats a level, i make a request to the server, something like: POST 'api/course/cleared/LEVEL_ID'. But this is not safe since anyone could just send a fake call to the api passing any LEVEL_ID they want.

My first idea was record every input from the player, send it to the server and then re-reun the game there. I use box2d for physics but since box2d is not deterministic across OSs/hardware i discarted that option.
MrFariator
Party member
Posts: 509
Joined: Wed Oct 05, 2016 11:53 am

Re: How to make sure someone actually beated a level/course?

Post by MrFariator »

You could implement some invisible checkpoint system, and send the data about the ones player touched along with level clear time to the server. To better guarantee that the data is correct, implement some checksum methodology, perhaps server-side to hide it from end users.

In the end though, I think anyone that is trying to cheat and is dedicated enough will eventually find a way to fake that data, or someone might find an exploit that allows suspiciously fast times. Thus you may have to practice some manual leaderboard moderation either way.
User avatar
Xii
Party member
Posts: 137
Joined: Thu Aug 13, 2020 9:09 pm
Contact:

Re: How to make sure someone actually beated a level/course?

Post by Xii »

On a theoretical level, there is no way to ensure that a submitted score is 100% legitimate. In practical terms, you can make it increasingly difficult to cheat.

First things first, you have to be able to punish cheaters. One way to have that is to tie leaderboard access to paid accounts - paying customers. If your game is free and the leaderboards are open, you will have cheaters and they will consume all of your time manually reviewing scores. But if your game costs something, even a little, most cheaters are deterred because every time they're caught they would have to buy the game again. And if you're flooded with paying cheaters, you can actually afford to hire people to review scores for you!

Then, we can begin to discuss the core of the issue: How do we know that a human being produced the submitted score, fairly and legitimately? Let's consider possible attacks.

Problem: Cheaters can submit any number as their score. Therefore, you cannot trust the score number.
Solution: Require that all submitted scores are accompanied by a replay of the game that produced them, and have automated validation of replays - a system that plays back the replay and confirms the score it produces. If your game engine is non-deterministic, you'll need a replay that stores the positions of all game objects in time, and the validation has to be a little fuzzy to account for differences in floating point arithmetic. That is, check that the replay is within reasonable bounds.

Problem: Cheaters can meticulously craft tool-assisted replays (see: Tool-Assisted Speedrun community) to produce scores better than a human could.
Solution: The actual content being played has to be 1) impossible to predict in advance, and 2) time-limited from publication.

In essence, your game needs procedural content. When a player starts a new game, the client asks your server for a level. The server sends a random level, and stores the current time for this session. When the player completes the content, the client sends the score and replay to your server. The server stores the time it took for the player to complete the content, validates the score from the replay, and verifies that the replay is (about) the same length as the time. You'll need an upper limit on the allowed time to qualify for leaderboards. This means that the content has to be completed in one sitting, in a matter of hours.

Problem: Cheaters can modify the game client to reveal information hidden from normal players.
Solution: Design your game in such a way that there is no hidden content. No secrets. No fog of war. No surprises of any kind. Nothing to be gained from being able to see the whole game world from the start.
Alternate solution: Send the content in chunks to players, requiring the replay for the previous chunk before sending the next one. This consumes more computing resources from your server, but allows for unknown information across the game.

Problem: Cheaters can program artificial intelligence to play the game for them.
Solution: Manual review. Does it look human?

And now we've reached the end of our capabilities as game service providers to prevent cheating. If someone manages to develop a human-like AI for your game that plays it better than the humans can, they've earned their score. :3

All of this doesn't have to be perfect. You can only verify some of the replays randomly. You can only manually review some of the cases randomly. The possibility of being caught keeps most people honest. If a cheater is discovered, their account is banned and all their past scores are removed from the leaderboards.
User avatar
zorg
Party member
Posts: 3436
Joined: Thu Dec 13, 2012 2:55 pm
Location: Absurdistan, Hungary
Contact:

Re: How to make sure someone actually beated a level/course?

Post by zorg »

Just one thing i wanted to mention, in case any confusion would arise; TAS or not, speedrunners are technically not malevolent cheaters, they just like finding ways to play the game differently than how the developers intended them to be played; some might not consider that cheating at all. :3
Me and my stuff :3True Neutral Aspirant. Why, yes, i do indeed enjoy sarcastically correcting others when they make the most blatant of spelling mistakes. No bullying or trolling the innocent tho.
User avatar
Xii
Party member
Posts: 137
Joined: Thu Aug 13, 2020 9:09 pm
Contact:

Re: How to make sure someone actually beated a level/course?

Post by Xii »

zorg wrote: Thu Dec 31, 2020 3:34 am speedrunners are technically not malevolent cheaters, they just like finding ways to play the game differently than how the developers intended them to be played; some might not consider that cheating at all. :3
There exist malevolent speedrunners who cheat. Such people are banned every so often from speedrunning communities. The latest controversy is a statistical anomaly in loot drops against Minecraft speedrunner Dream, whose runs were disqualified on account of unnatural luck. Cheating is based in misrepresentation. Legitimate tool-assisted speedrunners disclose their methods as superhuman. My point was that the technology exists, and can be used for evil. Not that all speedrunners are cheaters.
Post Reply

Who is online

Users browsing this forum: No registered users and 46 guests