Noticed that the Lyra project players can execute RPCs like the GA_Hero_Dash ability and dash infinitely across the map. There’s no protection against it, needs a cooldown at minimum server side.
2 Likes
As far as I can see the GA_Hero_Dash ability holds a cooldown gameplay effect and commit ability is getting called in the server. Or… you mean something else that I might not be seeing?
That is only if you’re triggering it through the Gameplay Ability System as intended.
The flaw is in the actual ability blueprint, there is an RPC that a player can send to the server, which circumvents the entire system and “Commits” the ability on demand entirely client authoritative.
Simple repro for devs: creating a custom event with a ForLoop node 10+ iterations, invoke the custom event RPC in GA_Hero_Dash (off the top of my head, it’s called SetInfo or something). Observe the player teleport. You can also do this from C++.
It can really be invoked from anywhere (in the blueprint, from another blueprint, from code, from memory, or I’d wager even modify a packet in flight to multiply or modify it) and that will skip any cooldowns. Send 10 RPCs in a single packet, the server will process and run the Dash 10 times in a single frame server side thus for all other players.
Totally! As a hotfix, a branch after the commit will solve it (probably further research implied as I’m getting rolled back from time to time after applying this patch).
1 Like
Awesome! TIL that’s what the return value is for on Commit 
1 Like