As an SMP server admin I have been experimenting with vulnerabilities people can exploit to cheat or crash the server.
The inventory/chest code is client side, so people can duplicate things by changing the game code, or even change what item they have. I have tried it on my server and I was able to change cobblestone to fire.
I'm not too worried though, cause it took me quite some time to find the right class and to figure out how to edit it.
This post is not about how people are able to cheat by changing the client code though, it's about how people are able to cheat without changing anything.
I've seen the other known duplication glitch, but it didn't work for me since the server requires lag for that to work.
I've based this glitch on the fact that the server doesn't check if you actually have that inventory.
I do not know if this method is known yet, and also I do not know if I'm allowed to post it on this forum, but here it is:
You require 2 people for this. 1 person makes a chest and fills it with valuable items. Both people clear their inventory.
1 opens the chest and looks inside, the other destroys the chest. When the chest is destroyed, all the items fall out but they will still be in the open inventory screen.
I have tested this in single player with a method so you can do it on your own (by setting a redstone tnt trigger) standing 4 blocks away from the chest, and the TNT another 4 blocks away, trigger the lever and right click on the inventory chest.
If the inventory is client side then how is it that I am able to delete the entire minecraft.bin folder, re-install Minecraft, log into a server, and be able to still access the inventory I had?
Are there two copies of the inventory? One on the server for backup and the second on the client side to help decrease server load?
Your inventory is not stored client-side (in multiplayer), but all functions related to inventory, such as picking up items or re-arranging your inventory, are handled 100% client-side, with no intervention or verification from the server, which means it's simple enough to inject code that tells the client you put X amount of Y item in Z inventory slot.
Really all the server does is exactly what persister did, which is back up your inventory every so often, and then tell the client what you had when you log in.
In single player, the only thing server side is the login. Just to verify you bought the game. I had a friend come over today and he logged into his account (hoping all the data was server side and we could see his worlds/items.) Lo and behold, we were in his account, but we were playing on my maps with my characters/items.
So yes, inventories and even worlds are moddable, since they're client side. It's only a matter of when people figure out exactly how to do it. This goes for pretty much any game.
"This is a Vanilla server with the addition of a nice starting area which will contain shops where you can buy things using the currency system."
Exactly. When you move an item in your inventory, it doesn't send to the server "move from slot 9 to slot 10"; it sends to the server "move id 51 count 64 to slot 10", and the server doesn't check if the item is actually there.
Item pickups however are server side (doesn't matter when duplicating though, cause when you destroy the chest the items are spawned server side, while the items in the chest are client side and part of inventory which doesn't get checked). So if 2 people would have access to the chest and 1 person destroys the chest it would probably triple the items.
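
Added example, not part of any post in this thread and not Minecraft's own code: a minimal server-authoritative container model showing the two checks the thread says are missing, namely that a move names slots only (the server looks up the item itself) and that destroying a chest closes every open view of it before the drops are spawned. The `Server` class, its method names and `replay_chest_glitch` are hypothetical; the stack `(51, 64)` is taken from the message quoted above.

```python
# Hypothetical server-side model, not Minecraft's real classes or protocol.
class Server:
    def __init__(self):
        self.containers = {}    # container id -> {slot: (item_id, count)}
        self.open_window = {}   # player -> id of the container they have open
        self.dropped = []       # stacks spawned in the world as pickups

    def open(self, player, cid):
        if cid not in self.containers:
            return False
        self.open_window[player] = cid
        return True

    def destroy(self, cid):
        slots = self.containers.pop(cid)
        # Close every open view of this container before spawning the drops,
        # so no client can keep acting on a stale copy of the contents.
        # (A real server would also tell those clients to close the window.)
        self.open_window = {p: c for p, c in self.open_window.items() if c != cid}
        self.dropped.extend(slots.values())

    def move(self, player, cid, src, dst, inventory):
        """Client names slots only; item id and count come from server state."""
        if self.open_window.get(player) != cid:
            return False                    # window not open, or chest is gone
        slots = self.containers[cid]
        if src not in slots or dst in inventory:
            return False                    # nothing in src, or dst occupied
        inventory[dst] = slots.pop(src)
        return True

def replay_chest_glitch():
    """Constructed replay of the thread's scenario: A views, B breaks the chest."""
    srv = Server()
    srv.containers["chest"] = {0: (51, 64)}
    inv_a = {}
    srv.open("A", "chest")
    srv.destroy("chest")                    # player B destroys the chest
    took = srv.move("A", "chest", 0, 0, inv_a)
    return took, inv_a, srv.dropped
```

With both checks in place the items exist exactly once, as the dropped stack, and player A's late click is rejected.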