/drop exploit, a post-mortem.

How we were alerted.
I was bored and checking various automated systems, and comparing them against stored logs. The system had flagged up some suspect accounts, where there was a difference between the items spawned with / picked up / bought, and the items that they had in their inventory on the next spawn. Looking into this further, I saw masses of weapon drops, a single weapon being used, followed by an inventory manager transaction, a weapon /drop, and the weapons being picked back up. So myself and Nightmare hopped on staging, started testing, and I started looking through the inventory manager, item drop and weapon drop codes.

How did the exploit work?
The exploit worked by using the interaction between two unrelated systems, the inventory manager and the /drop command. When dropping weapons from the inventory, if you drop all the weapons in your inventory, you automatically de-equip the weapon you're holding too. The inventory manager doesn't do that, however. This meant you could have no weapons in your inventory, but still have one equipped in your hand. /drop didn't care about that, it would always create a weapon item anyway. So, as long as an exploiter had a friend they could get their other weapon back from, they could repeatdly do this (albiet only with single weapons, and each round could take up to 60 seconds).

However, the inventory manager was only a single method of being able to exploit this. Administrators could have used it by spawning weapons from the Q menu (though I found no evidence of this), or if players have had items removed with the item take command, this condition could also have been present.

Has it been fixed?
No, I'm telling everyone how to do it because I specifically didn't patch it. /s
Yeah, it's been pached. And the fix was Q/A'd. I'm shocked.

How was this fixed?
/drop was patched. If the player doesn't have any of the selected weapons in their inventory, /drop acts as /holster.

What have we learnt?
Well,
1. Old code doesn't always do what you expect it to do when you integrate it with new systems.
2. We should always check for edge cases, even when other systems should prevent those edge cases.

Will those who used the glitch to dupe weapons be punished?

What have we learnt?
Even though there's tonnes of suggestions being made every week, Doctor Internet still has chance to be bored.

(Nov 28, 2018, 07:42 PM)Armard Wrote: Will those who used the glitch to dupe weapons be punished?

^

(Nov 28, 2018, 07:55 PM)StephanGH Wrote:

(Nov 28, 2018, 07:42 PM)Armard Wrote: Will those who used the glitch to dupe weapons be punished?

^

That'd be a yes-siry. Any exploit being used is against the TOS.

(Nov 28, 2018, 10:21 PM)Dicky Wrote:

(Nov 28, 2018, 07:55 PM)StephanGH Wrote:

(Nov 28, 2018, 07:42 PM)Armard Wrote: Will those who used the glitch to dupe weapons be punished?

^

That'd be a yes-siry. Any exploit being used is against the TOS.

...So has anyone?
How can you proved they used it?

(Nov 28, 2018, 10:26 PM)Quest Wrote:

(Nov 28, 2018, 10:21 PM)Dicky Wrote:

(Nov 28, 2018, 07:55 PM)StephanGH Wrote: ^

That'd be a yes-siry. Any exploit being used is against the TOS.

...So has anyone?
How can you proved they used it?

Logs, by seeing people dropping weapons, transferring the weapon to their friend and then transferring them back.

Sooo... Ban wave inc?

(Nov 28, 2018, 11:38 PM)StephanGH Wrote: Sooo... Ban wave inc?

That's up to the SA team for specifics. Though just with a cursory glance, there were a couple of people using it. If you have used it, it may be a good time to drop them a PM confessing to it, rather than making them trawl through logs to find exact details.

This is why Doctor Internet is Doctor.

He has a fucking post-mortem for game bugs.

kewl!!

If only code was tested before hand @Doctor Internet

(Nov 29, 2018, 02:19 AM)Hungames Wrote: If only code was tested before hand "Doctor Internet"

Aye, gosh-darn. If only those people back in 2008 had realised their code would come in and interfere with this totally different system 10 years later. You got me good there Hungames.

i would like to confess yes

(Nov 29, 2018, 02:19 AM)Hungames Wrote: If only code was tested before hand @Doctor Internet

If only people didn't try to exploit and abuse every little bug they find instead of just reporting it to a Staff Member/Dev

It baffles me how people manage to find such weird exploits in the CityRP systems. Good thing it's patched now I guess.

(Nov 29, 2018, 06:36 PM)Cole_ Wrote: It baffles me how people manage to find such weird exploits in the CityRP systems. Good thing it's patched now I guess.

All it takes is one misclick from the wrong person and BOOM you have a game breaking bug

(Nov 29, 2018, 06:36 PM)Cole_ Wrote: It baffles me how people manage to find such weird exploits in the CityRP systems. Good thing it's patched now I guess.

I don't think it helps that I patched this on FL and did say what the issue was there. The base gamemode is the same so I feel like it may have caused some people to try it here after they learned the exploit. That is if there was some sort of increase in people doing this in the past month, I didn't realise exactly how old this command is.

It baffles me that they don't realise that eventually someone will either report the bug or a dev finds it at which point you'll be banned and lose all that progress anyway...

Just report the bugs you find.

(Nov 29, 2018, 02:23 AM)Doctor Internet Wrote:

(Nov 29, 2018, 02:19 AM)Hungames Wrote: If only code was tested before hand "Doctor Internet"

Aye, gosh-darn. If only those people back in 2008 had realised their code would come in and interfere with this totally different system 10 years later. You got me good there Hungames.

Lol @ BladeAC

(Nov 30, 2018, 09:26 PM)LiVHDX Wrote:

(Nov 29, 2018, 02:23 AM)Doctor Internet Wrote:

(Nov 29, 2018, 02:19 AM)Hungames Wrote: If only code was tested before hand "Doctor Internet"

Aye, gosh-darn. If only those people back in 2008 had realised their code would come in and interfere with this totally different system 10 years later. You got me good there Hungames.

Lol @ BladeAC

HA, gotem.