halftheopposite / TOSIOS

The Open-Source IO Shooter is an open-source multiplayer game in the browser
MIT License

Movement speed client hacking #59

Open gnibeda opened 2 years ago

gnibeda commented 2 years ago

Due to how movement is implemented on the client and server, there is a possibility to hack movement speed by sending additional messages to the server. You can change the client code, adding a loop to increase movement speed 20x:

        // Send the action to the server
        for (let i = 0; i < 20; i++) {
          this.onActionSend(action);

          // Save the action for reconciliation        
          this.moveActions.push(action);
        }

Code can be simply modified in the Chrome browser during runtime in DevTools.

halftheopposite commented 2 years ago

Hi @gnibeda, thanks for pointing this out!

This is indeed a problem with the current architecture. A way to solve it would be to force a maximum number of movement actions per second or a minimum delay between actions and drop out the others. Since we are doing client-side prediction, we would also need to make sure they are dropped/ignored on the client as well.

I'll keep this issue open as a next to do.
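A sketch of the server-side cap described in the reply above, added here as an example and not taken from the TOSIOS code base: a per-player token bucket that drops movement actions beyond a fixed rate. The class name, `MAX_MOVES_PER_SECOND`, `BURST`, and the simulated player id are assumptions; timestamps are integer milliseconds from the server clock.

```javascript
// Added example (not TOSIOS code). Limits below are assumed values.
const MAX_MOVES_PER_SECOND = 60; // assumed: one move action per client frame
const BURST = 5;                 // assumed: allowance for network jitter
const COST = 1000;               // credit is kept in integer "ms x rate" units

class MoveRateLimiter {
  constructor(ratePerSecond = MAX_MOVES_PER_SECOND, burst = BURST) {
    this.rate = ratePerSecond;
    this.maxCredit = burst * COST;
    this.buckets = new Map(); // playerId -> { credit, last }
  }

  // Returns true if the action may be applied, false if it must be dropped.
  // nowMs must be the server's own clock, never a value from the message.
  allow(playerId, nowMs) {
    let b = this.buckets.get(playerId);
    if (!b) {
      b = { credit: this.maxCredit, last: nowMs };
      this.buckets.set(playerId, b);
    }
    const elapsed = Math.max(0, nowMs - b.last); // ignore a clock that steps back
    b.credit = Math.min(this.maxCredit, b.credit + elapsed * this.rate);
    b.last = nowMs;
    if (b.credit < COST) return false;
    b.credit -= COST;
    return true;
  }

  // Call when a player leaves so the map does not grow without bound.
  remove(playerId) { this.buckets.delete(playerId); }
}

// Constructed simulation: one second at 60 frames, `perFrame` messages per frame.
// perFrame = 1 models the unmodified client, perFrame = 20 the loop from the issue.
function simulate(perFrame) {
  const limiter = new MoveRateLimiter();
  let accepted = 0;
  for (let frame = 0; frame < 60; frame++) {
    const now = Math.floor((frame * 1000) / 60);
    for (let i = 0; i < perFrame; i++) {
      if (limiter.allow("player-1", now)) accepted++;
    }
  }
  return accepted;
}
```

With these assumed limits the unmodified client keeps all 60 of its actions, while the 20x loop gets 63 of 1200 applied. For client-side prediction to stay consistent, the client would apply the same check before pushing an action into `moveActions`.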