Preventing Persistence Exploits from Multiple VRChat Instances
Trudolph
The ability to open two instances of VRChat in separate windows under the same account, each being a different instance of the same world, creates significant issues for any game world that relies on persistence.
I'll refer to the two windows as "Window 1" and "Window 2." Both are running the same world but in different instances.
If a player performs an action in Window 1, such as getting a reward or losing progress, and the world saves that, they can simply close Window 1, switch to Window 2, and wait for the world to save their data. This will entirely overwrite the changes from Window 1, restoring their progress as if nothing had happened.
This exact issue happens very commonly on mismanaged Minecraft servers, where you can have two instances open on the same server but in different subservers. This is most commonly used to duplicate items, which no RPG-style game world wants.
An example in VRChat would be the world "Project Aincrad". If, in Window 1, Player 1 trades 10,000 in-game coins they have to Player 2 while Window 2 is up, then at the end of the trade, when the game forces them to save their persistence data, Player 1 in Window 1 will have 0 coins, Player 2 will have 10,000 coins, but Player 1 in Window 2 will still have the 10,000 coins, meaning that 10,000 coins have now turned into 20,000 Coins.
I'm not very technical, so this is more of a guess for a potential solution, something like only allowing Window 1, or whichever window was first in that specific world, to be capable of changing the persistence data for that user and world.
Log In
FTWGaming0
VRChat has an "Offline Mode" that it uses for world developers to be able to test the worlds they're making by launching the game directly from the VRChat SDK in the editor. I think if this is the case, then the website informing the player that they have logged in from a different location shouldn't have any effect on the client, however if running normally then the game can see this message and either log the user out or simply switch the old client into offline mode.
An easy implementation of this could be by using the same system that allows invites and invite requests to be sent to the player from the website, sending a message to all connected websockets for an account when that account is detected logging into the game directly. Naturally the client that logged in will see this message too, but if it sees the same message more than once then it should know that the user has logged in from somewhere else and flip to offline mode. A simple location check from the servers that the persistence data is stored from wouldn't be sufficient to prevent the exploits if two clients are still permitted to exist in two instances of the same world from the same account, all that would do is mean that the player would have to play from the window that can't save and we're back to square one.
However, if preventing two clients from being authenticated in two places at once is too challenging, a simpler (and arguably more/less preferable depending on who you ask) solution would be to allow persistence to be used to transmit data between instances by turning this bug some form of feature. A player's persistence data in one instance would propogate to the other and if a new override is made in Udon, the world creators will then have a way to detect when this happened and they can then innovate to design new worlds and games driven around the idea of playing twice at the same time, or they can use it to detect the exact exploit in this thread and design anticheat systems against it.
Either way, I think this problem is far too important to be ignored as it is fundementally ruining the possibility for things like MMOs to be developed and created in VRChat without the communities destroying them in mere minutes.
Trudolph
FTWGaming0 "ruining the possibility for things like MMOs" not even just MMOs, just anything that uses Persistence for actually important game data. An example being the world 'Steal a Plushy' you could have someone take one of your Plushies in Window 1 and get your data to save in Window 2, causing all of the taken plushies that your friend now has to be given back to you as if your friend never took them in the first place.
鳗鱼之歌
We players need a better server.
Frenetic Furryǃ
never knew you could just do this, vrchat needs significantly better developers 😭
ÐARKNESS
This really does need fixing, it limits the amount of work done in vrchat and might make vrchat less popular, for those who want to create massive games in vrchat won’t be able to get far if persistence allows exploits, it be a cool game yes, but it’ll be a game that’s only played for a short time until people get bored, making grindy games, not grindy. 😭 please fix
Vector Lotus
This issue needs to be addressed. Currently, the same account can exist in a different instance of a world with persistence enabled. It appears that persistence data is saved only upon exiting the world, rather than when the "Save" button is explicitly pressed.
To resolve this, I propose implementing a system that checks whether the same account is present in another instance of the same world. If so, the system should remove the user from that instance. However, considering this restriction might interfere with testing purposes for developers, it would be beneficial to provide world creators with a specialized tool to bypass this restriction when needed.
owlboy
This seems like a tough one to tackle. But it should be taken care of.
Trudolph
The 2nd window/instance being able to access the persistence data at all is a risk to any world that actually uses persistence.
Using Project Aincrad again as an example because that's the biggest world this effects and as far as I know, uses persistence on this grand on a scale.
Both Window 1 and Window 2 have the same copy of the data, meaning if I trade something to someone in both Window 1 and Window 2, whatever was traded is doubled because now it's now been traded to the 2 other people in Window 1 and Window 2.
tldr; Both Windows being able to access that same data is bad!!!
Min3craftiscool
This needs to be solved because I've seen so many people abusing this to keep or change their save data, duplicate items, or avoid repercussions for actions being saved and it's not fair to other players, especially standalone users or other types of players who can't open more than 1 tab.
KravenDA
why are we even able to login from 2 places at once? what? That actually works?
ZenithVal
KravenDA It's an important test tool for world devs. (and occasionally avatar devs)
KravenDA
ZenithVal With the greatest respect... no testing tool is worth a massive security exploit.
Argо
I would love if this was a thing not only does it help aincrad but also just other worlds that just have save systems in general.
-НI-
Argо W pfp
Load More
→