[2022] Tool-assisted Pantheon Mod Farming

In this post I want to discuss an illegal third-party program which allows players to see what Pantheon Archnemesis Mods are preloaded in a map, in order to farm the valuable ones. This has been a hot topic in the community and there is a lot of misunderstanding related to it. I will describe the mitigations we took proactively during implementation and a hotfix that we made today that solves the issue entirely.

The short explanation is that we had already considered and mostly mitigated this exploit when we implemented Archnemesis mods, so it wasn't of much value to take advantage of, but we have now completely eliminated it.

Here's the longer explanation, if you're interested in technical details:

Some Archnemesis modifiers are more valuable than others because they perform drop conversion (for example, converting all the drops to currency items). These modifiers are the ones attached to Pantheon mods, and hence have quite large visual effects that consist of entire bosses appearing to attack you. When we added these, we knew that we had to preload the appropriate effect on the client so that the user was not killed before it could be displayed on their screen.

When the instance server instructs a game client to preload an effect, it's possible for illegal third-party software to see that request and to tell the user about it. This means that if you were to enter an instance where the game was requested to preload a Solaris-touched mod, you'd know. This would let users farm these mods efficiently.

However, when we implemented this system, we thought of this and set it up so that it always preloads a random Pantheon mod, regardless of whether a monster actually has that mod in the area. This means that you can't use the preload request as a way of seeing whether you're going to encounter that monster in the map. It just means that if you encounter a Pantheon mod, it'll be that one.

Yesterday, the community started discussing this technique and we investigated. We determined:

a) What players were actually doing was using the preload request to rule out the presence of other modifiers. For example, if the client is asked to preload the Brine King-touched mod, and the player doesn't care about that mod, then they know the instance cannot have any other Pantheon mod present and they could just skip that map in their hunt for better mods.

b) The mitigation we have already in place functions correctly and players cannot tell whether the indicated mod is actually present or not. This means they'd have to waste a lot of time hunting for false positives.

c) In addition, this process would be very wasteful, costing them a lot of maps and also whatever juicing resources they wanted to speculatively put into those maps before they even knew if they were going to encounter the relevant mod.

The community were concerned that the technique would allow nefarious players to quickly open a lot of maps and be able to see exactly which ones had a specific mod. The reality is that the overall efficiency benefits of the technique were limited and offset against the potentially high resource cost and high risk of being banned for it.

Early today, we deployed a hotfix that completely removes this problem.

We haven't seen widespread abuse of this technique, despite the exposure it got, probably because it offered only marginal benefit due to the mitigations we had in place and would actually cost a lot of currency to do with levels of juice that would make it worthwhile. Of course, we'll ban anyone we do find who has done it.

We're planning to deploy a patch in the next couple of workdays which introduces the improvements to Archnemesis mods that we outlined yesterday. We are also aware of further feedback about the Lake of Kalandra expansion that hasn't been covered in our communications yet and will resume our discussions of this when we get the team back in the studio after the weekend.

In this post I want to discuss an illegal third-party program which allows players to see what Pantheon Archnemesis Mods are preloaded in a map, in order to farm the valuable ones. This has been a hot topic in the community and there is a lot of misunderstanding related to it. I will describe the mitigations we took proactively during implementation and a hotfix that we made today that solves the issue entirely.

The short explanation is that we had already considered and mostly mitigated this exploit when we implemented Archnemesis mods, so it wasn't of much value to take advantage of, but we have now completely eliminated it.

Here's the longer explanation, if you're interested in technical details:

Some Archnemesis modifiers are more valuable than others because they perform drop conversion (for example, converting all the drops to currency items). These modifiers are the ones attached to Pantheon mods, and hence have quite large visual effects that consist of entire bosses appearing to attack you. When we added these, we knew that we had to preload the appropriate effect on the client so that the user was not killed before it could be displayed on their screen.

When the instance server instructs a game client to preload an effect, it's possible for illegal third-party software to see that request and to tell the user about it. This means that if you were to enter an instance where the game was requested to preload a Solaris-touched mod, you'd know. This would let users farm these mods efficiently.

However, when we implemented this system, we thought of this and set it up so that it always preloads a random Pantheon mod, regardless of whether a monster actually has that mod in the area. This means that you can't use the preload request as a way of seeing whether you're going to encounter that monster in the map. It just means that if you encounter a Pantheon mod, it'll be that one.

Yesterday, the community started discussing this technique and we investigated. We determined:

a) What players were actually doing was using the preload request to rule out the presence of other modifiers. For example, if the client is asked to preload the Brine King-touched mod, and the player doesn't care about that mod, then they know the instance cannot have any other Pantheon mod present and they could just skip that map in their hunt for better mods.

b) The mitigation we have already in place functions correctly and players cannot tell whether the indicated mod is actually present or not. This means they'd have to waste a lot of time hunting for false positives.

c) In addition, this process would be very wasteful, costing them a lot of maps and also whatever juicing resources they wanted to speculatively put into those maps before they even knew if they were going to encounter the relevant mod.

The community were concerned that the technique would allow nefarious players to quickly open a lot of maps and be able to see exactly which ones had a specific mod. The reality is that the overall efficiency benefits of the technique were limited and offset against the potentially high resource cost and high risk of being banned for it.

Early today, we deployed a hotfix that completely removes this problem.

We haven't seen widespread abuse of this technique, despite the exposure it got, probably because it offered only marginal benefit due to the mitigations we had in place and would actually cost a lot of currency to do with levels of juice that would make it worthwhile. Of course, we'll ban anyone we do find who has done it.

We're planning to deploy a patch in the next couple of workdays which introduces the improvements to Archnemesis mods that we outlined yesterday. We are also aware of further feedback about the Lake of Kalandra expansion that hasn't been covered in our communications yet and will resume our discussions of this when we get the team back in the studio after the weekend.