Bypassing "Poor" Rank with Point Lights by using Particle Systems
tracked
Shinyflvres
In VRChat Avatar SDK 3.10.X and below, it is possible to run a simple exploit that bypasses the Poor rank. What does bypassing Poor mean?
Normally, as soon as an avatar has one light source, the avatar is classified as Poor. If a user blocks Poor and Very Poor avatars, that avatar should be blocked. However, with this exploit, the SDK can be tricked into reporting the avatar as Good.
Symptoms
- The avatar shows the Good rank in the Test SDK build
- The avatar shows the Poor rank once uploaded as a normal avatar
- The Poor avatar still behaves as Good even when labeled as Poor
Steps to reproduce
- Create a Good avatar
- Add a Particle System to the avatar
- In the Particle System, scroll down to Lights
- Create a Point Light in the scene but outside the avatar
- Create a prefab of the Point Light
- Insert the Point Light prefab into the Light slot inside the Particle System
- Increase the light count to 20 or even 1000
- Upload the avatar as Test using Build and Test
Result
The Test SDK avatar is shown as Good
- Upload the avatar normally
Result
The avatar is shown as Poor and reports only one light source
Now the absurd part
- Use the Poor avatar that was just uploaded
- Ask a second player to block Very Poor and Poor avatars
Result
The avatar is still visible even with Poor and Very Poor avatars blocked
Affected Platforms:
PC, PCVR, Quest
How Crucial is this Exploit:
I did a test in a private black cat instance. 25 players blocked my avatar. I was able to crash 18 people by using this.
Video showcasing the issue with the test avatar: https://files.catbox.moe/nv2h2c.mp4
Expected Result:
VRChat should count every single light source, no matter if it's inside a particle system or outside a particle system. It should also be blocked on Quest (like it does on mobile).
Dexvoid
marked this post as tracked
Thanks very much for reporting this issue to us!
Shinyflvres
Dexvoid
You may track this reported issue by Captain and me as well as it is another SDK issue that is crucial.
This issue exploits the fallback system. It is possible to upload a “Very Poor” avatar as a fallback.
Shinyflvres
Another Image of a test person:
Even after rejoining the world or switching worlds, their RAM usage is almost at max. This is harming the memory sticks if it remains constantly. I changed my mind on how crucial this exploit is. It is beyond crucial.
Shinyflvres
Update.
You are able to kill the memory of a user with this exploit.
I have tested the Particle Light Spam on my computer and a friend's computer. The spam can allocate between 15 and 30 GB of RAM. And the RAM is not cleanable until you restart VRChat.
WubTheCaptain
I tested this with you in a world yesterday, and I was unable to reproduce this memory leak with particle lights using your public avatar with 1000 max lights.
Specifically, while my 16 GB VRAM was fully utilized temporarily during particle lights spam, allocated RAM didn't go up by more than a few GB and stayed stable there for consecutive tests.
Shinyflvres
WubTheCaptain
That is true, but it can still happen to others, as we found during testing with 25 different people. It depends heavily on mesh complexity.
The more complex a world is with many meshes, and the more rotation and noise you add to a light particle that moves unpredictably, combined with a wide light range, the more likely issues become. This combination can cause excessive memory usage in Unity based software.
In short, a mix of large light ranges, high movement speed, unpredictable motion, and complex meshes can force the local client to perform extremely complex and frequent shadow and light casting recalculations, which may result in memory leaks or severe performance degradation.
WubTheCaptain
> Normally, as soon as an avatar has one light source, the avatar is classified as Poor. If a user blocks Poor and Very Poor avatars, that avatar should be blocked.
This is a misunderstanding. Per Avatar Performance Ranking System § Minimum Displayed Performance Rank, all lights should be removed in this scenario. The avatar would only get blocked (replaced with a fallback/impostor) if it exceeds one of the following stats:
- Triangles
- Texture Memory
- Skinned Meshes (Skinned Mesh Renderers)
- Basic Meshes
- Material Slots
- Bones
E.g. an avatar with too many physbones but otherwise being good would be shown, just with physbones removed/disabled. The light gets removed from the avatar stat here, however the actual point light particle doesn't get removed from the particle system on Windows (but afaik it is removed on mobile platforms, because of this popular reddit thread: Quest Compatible light sources!).
Shinyflvres
Additional Notice
Even if the avatar shows one light after a normal upload, the Particle System can still spawn hundreds or even thousands of lights. The system should validate the actual number of active lights and classify the avatar as Very Poor accordingly.
All performance checks should be enforced online and server side, not locally based on the Unity Avatar SDK. Currently, even when an avatar is labeled as Poor, it still behaves like a Good avatar in practice, which is misleading and defeats the purpose of the ranking system.
You can test this exploit using the avatar I have made public here:
- Use Avatar
- Let others block you (very poor and poor)
- Open Radial menu and spam lights
WubTheCaptain
> the Particle System can still spawn hundreds or even thousands of lights
There's still a cap of 1,000 maximum particles before those particles are removed from an avatar under Performance Ranking System, however afaik that limit can also be bypassed by overflowing the particle counter into negative (-2,147,483,647), which makes it read and count as "Excellent" in performance ranking.
It's also affected by Particle Limiter in settings.
WubTheCaptain
This same exploit was patched a few months ago on mobile platforms, which allowed lights to be used on mobile. It still exists on Windows, apparently.
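An editor-side check along the lines the posts above ask for, as an added example that is not VRChat SDK code: it counts Light components together with the lights each Particle System's Lights module can spawn, and treats the negative limits mentioned in the thread as invalid instead of as a low count. The class and method names are hypothetical, and no rank thresholds are assumed; only standard Unity APIs are used.

```csharp
using System;
using UnityEngine;

// Added example (hypothetical names); not part of the VRChat SDK.
public static class ParticleLightAudit
{
    // Worst-case number of lights an avatar hierarchy can have active at once.
    public static long CountWorstCaseLights(GameObject avatarRoot)
    {
        // Light components placed directly in the hierarchy, inactive objects included.
        long total = avatarRoot.GetComponentsInChildren<Light>(true).Length;

        foreach (ParticleSystem ps in avatarRoot.GetComponentsInChildren<ParticleSystem>(true))
        {
            ParticleSystem.LightsModule lights = ps.lights;

            // The Light assigned here can be a prefab asset outside the hierarchy,
            // so the component scan above never sees it.
            if (lights.light == null) continue;
            // Deliberately conservative: a disabled module with a light assigned still counts.

            int maxParticles = ps.main.maxParticles;
            int maxLights = lights.maxLights;

            long worst;
            if (maxParticles < 0 || maxLights < 0)
            {
                // A negative limit is not a small one: fail closed.
                Debug.LogWarning($"{ps.name}: negative particle/light limit", ps);
                worst = int.MaxValue;
            }
            else
            {
                // Each particle carries at most one light; both limits apply.
                worst = Math.Min(maxParticles, maxLights);
            }

            total += worst; // long accumulator so the sum itself cannot wrap
        }
        return total;
    }
}
```

The returned total is what a ranking step would compare against its light limit; the same count would have to be recomputed wherever the rank is enforced, since a value produced only in the uploader's editor can be altered before upload.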