"P2P & bad AntiCheat?": Splatoon 2's horrible security

1. PARTS OF THIS PASTEBIN MAY BE WRONG, SO PLEASE READ THE REDDIT COMMENTS OR HOWEVER ELSE YOU MANAGED TO ACCESS THIS PASTEBIN FOR CORRECTIONS FROM MORE EXPERIENCED MODDERS
2.  
3. So recently, there was a random person who went by different names. Most know him as “God”. He went onto multiple X Rank battles and caused all sorts of chaos, including flying and spamming bombs. Why was it possible? What has Nintendo done about the issue? Most importantly, why did “God” go and hack? That’s what this document aims to answer.
4.  
5. As many people know, Splatoon 2 is a P2P game. There are no dedicated servers. All of the players in the match connect directly to each other. The only Nintendo server that the game contacts are the authentication and matchmaking servers (There’s also the SplatNet 2 stuff, but I won’t get into that right now.) . All validation is either on the host or the consoles. This is cost-effective for Nintendo, but also causes many connection issues (anyone who’s played the game for more than a week can tell you about it). However, there are way more problems than just connection problems. Anyone can go into a disassembler and pick apart what gets validated. Not like that really matters, because the other players barely do any validation (The fly hack was possible because the clients don’t care about movement validation at all). If a hacker gets host, they can pull off crazier stuff like forcing maps and modes onto entire lobbies. By the way, done right, this can get you flagged and banned for just joining a match with a hacker as the host. All of this and more can mostly be solved with dedicated servers. Dedicated servers have the added bonus of being a “black box” to users, as they can’t check what code is being run on Nintendo’s side.
6.  
7. SplatNet 2 will happily take almost any information you give it. That’s how the 5000 X Power hack was done. Who cares if the some user manages to get thousands of X Power in a single match? Apparently, not Nintendo. If that wasn’t bad enough, the most likely reason why cloud saves aren’t possible is even worse. Instead of storing everything on the server (cough SplatNet 2 cough), almost all of your player information is stored on the save file! Inventory, rank, level, everything. Even your X Power. Cloud saves would allow people to just restore their X Power and other stuff in a single click. If the player data was stored on the server, there would be nothing to lose in the event of lost save data. There would also be the bonus of people not being able to edit their stats illegitimately.
8.  
9. Splatoon 1 didn’t have very good security either. It was mostly the same story. P2P, very little client validation. They had a system to hash files from the game and send it to the server. Eventually, that got bypassed. They didn’t exactly learn their lesson for Splatoon 2. But, that’s far in the past. You’re probably thinking, “Nintendo’s definitely improved now, right?”. And yeah, they have improved. Update 3.1.0 added work in progress hash checks to certain RomFS files (Sound familiar?). It wasn’t put into use until 3.2.0 because there were a couple of bugs (typos and stuff that would have flagged everyone). That actually worked to ban the more inexperienced hackers who only edited the RomFS files. There was still the lack of validation from the other players in a lobby, though. 3.2.0 removed “symbols”, which made it a lot harder to reverse engineer and mod Splatoon 2 due to the lack of function names. Finally, 4.0.0 added obfuscation to the save file encryption and decryption code. That’s great and all, but it can be bypassed and it isn’t enough for the amount of access we have to the Switch. A person named OatmealDome looked into the RomFS hashing anticheat that was added to 3.1.0 and reported the various shortcomings to Nintendo. Their answer? “We’re working on it.”. Did anything change about it? Nope! (source: https://twitter.com/OatmealDome/status/1041846175899545600) It looks like Nintendo is being a bit lazy on the issue. That brings us to the next section.
10.  
11. A single person telling Nintendo about their anticheat problems doesn’t seem like enough for them to care. People who hack get banned, but nothing else is done about it. They don’t seem to actively try and patch exploits (with the notable exception of 3.1.0, but it didn’t do much). The only way for action to be taken is for enough people to complain. That’s why one of the biggest incidents with a hacker happened. If you’re not caught up on what happened, a single person went onto a bunch of X Rank matches and caused chaos by flying around the map and spamming bombs. It’s also the same person that spelled out a message on the leaderboards around the same time (NOT TALKING ABOUT THE “PLEASE ADD ANTI CHEAT” GUY!!!!). If a single person can cause this much trouble, there’s clearly something wrong with the security and Nintendo needs to fix it. That was the exact motivation of the “God” hacker. The leaderboard message could’ve been enough, but not a lot of people would have agreed or complained because nobody’s seen it as a large issue yet. Causing chaos in matches would cause more people to complain to Nintendo about their bad in-game security. It also worked to gain more publicity due to the amount of Twitter clips and even appearing on some livestreams. The more people who see what’s possible, the greater the pressure on Nintendo to fix it. Also, for the record, nobody lost or gained X Power from matches with “God” in them. An X Power of 5000 is way too high for anyone to gain or lose points since it’s the maximum and nobody is close to it yet. Another thing worth mentioning is that none of “God”’s hacks were through RomFS. There was no anticheat bypass needed because his hacks were out of the scope of it. The manual bans aren’t good either, because it took 2 DAYS of active hacking, without report blocking, for “God” to get banned. Imagine how it would be if hundreds of people joined in, too.
12.  
13. Oh yeah, did I mention we’re going to be paying for this soon? Hacks are already here, so it’s only a matter of time before Splatoon 2 looks a lot like its predecessor.
14.  
15. EDIT 1 9/20/2018: Wow, OatmealDome tweeted this out. Nice! I'm not breaking that anonymity any time soon, so I'll answer any questions that come up here.
16.  
17. EDIT 2 9/20/2018: Or you can e-mail me at GodThrowaway@protonmail.com if you want to contact me directly.