Even tough CreateVehicleLocal should be only noticeable on client that executes it its Not. After effects (explosion) of an object is still Global. Making any hacker easily wipe a server without ANY logs. There is also fairly known way to bypass Script.txt that Im sure you are aware of.
- Legacy ID
Steps To Reproduce
Simply execute this on any client connected to a server:
// 4000 letters of nothing here.
"Bomb_03_F" createVehicleLocal (getPos _x);
} forEach allUnits;
Any bomb would work.
Fix? : Make CreateVehicleLocal filters by CreateVehicle filter?