Exploit: Multi-Client Persistence Data Rollback/Overwrite
tracked
Nex1942
Hi, as a world creator, I’d like to report a potential exploit in the persistence system:
- Players can run multiple VRChat clients simultaneously and join two different instances of the same world.
- In one instance, they intentionally spend all their in-game currency within the world.
- Since they remain logged in a different instance of the same world, they can leave and rejoin the first client to revert their spent currency by overwriting the persistent player.data file.
Currently, there appears to be no reliable way to detect or prevent this intentional rollback behavior. To discourage such exploitation and maintain fair gameplay, I recommend implementing a "Pull Player Data from Server" feature. Alternatively, introducing an automatic periodic sync mechanism (e.g., every 10–30 seconds) would help ensure that player data stays consistent across all active sessions.
I would greatly appreciate it if this could be addressed in a future update. Please keep me informed regarding any developments on this matter.
Log In
WubTheCaptain
For the record, this is documented behavior: https://creators.vrchat.com/worlds/udon/persistence/#data-storage-in-different-environments
> If you open VRChat multiple times on the same account in the same world at the same time, you may cause conflicts and accidently overwrite your own data.
Deantwo
This could maybe be solved with some form of sequence number system on VRChat's end.
When user's data is originally loaded, the server gives a random sequence number in its reply. Every time the client sends a new data save requests, it increments the sequence number. If the server detects wildly out of order sequence numbers from a client, it can mark one of the client connects as out of sync and ignore all save requests from the older client connection. Handling an error in a way that than informs the player could be the world creator's responsibility, or the VRChat client could give an error message stating that its persistence saving has been disabled.
I am not saying this is a perfect solution, or that it would be easy to design, but it is just an idea I came up with when comparing this issue to how IP/TCP works in some ways.
Either way, I am sure VRChat devs will have a better understanding of what is and isn't possible.
StormRel
Merged in a post:
WubTheCaptain
WubTheCaptain
Duplicate, can be merged with: https://feedback.vrchat.com/persistence/p/preventing-persistence-exploits-from-multiple-vrchat-instances
Dalken Starbyne
I've been doing some thinking on this, and my feelings I think can be summarized thusly:
The fact of the matter is that persistence has introduced a very important change: instances are no longer entirely self-contained. The consequences of actions from one instance can carry directly into another. The Terms, and our ability to respond to this as a community, have to be updated to reflect that change. Regardless of what those updates might look like, they are in fact necessary.
I don't feel like that's probably something most people would disagree with?
Fax
marked this post as
tracked
Uzer Tekton
Allowing multiboxing and Persistence in Udon are fundamentally and philosophically incompatible features.
VRChat needs to make up their mind, if they want user content to flourish, they need to treat the game like a game, and less like a fancy chat room with VR tacked on.
VRChat needs a completely focused approach to fixing the platform by heavily upping anti-cheat like any AAA game would do. No more stupid things like multiboxing.