Hi there!
I am a Dev of 10 years but only started FiveM development about a month+ ago. I ran Gmod servers for over 6 years so I am familiar with general game dev as well as Lua. I have some questions regarding security, exploitation, as well as the server-client model of FiveM.
One thing I have noticed is FiveM’s severe lack of server-side state control. For example, correct me if I am wrong, position setting, damage, and basically most things has the state stored only on clients. If a change to the state is desired you cannot update that state on the server itself, but only on your client and send a net message to the server requesting to broadcast that state change to other clients.
Client Side script injection and knowledge of event names would allow an user to manually trigger a network event passing the arguments of their choosing (like any game). If the use of script injection remains undetected (as is possible in any game), the fallback would be serverside validation. Since a lot of valuable state information is not stored/accessible on the server there is no way to validate the action. This makes for very easy exploitation of events that go from client->server->clients as well as client->server->Database, without the ability to have the server validate that the request is reasonable.
This theoretically opens the door to changing player health, position, and other natively controlled data with little means to prevent it (other than hoping for constant anti cheat updates, and making your own anti cheat which is difficult and in some cases impossible to detect certain things as some aspects need to be deep in the engine code.
Now I know custom scripts we make can have a decent amount of validation on the server. IE selling an item, check if they have that item via SQL query. However it seems a lot of lower level functions and state data are simply outside the server’s scopes and it relies HEAVILY on trusting the requests made by clients.
So I guess with all that said I have two main questions: Is my perception of the server-client roles and exploitability of FiveM accurate, and if so is it possible for FiveM to change the model to a true server master and client slave model instead of the Server simply acting as a middleman between clients for native functionality?