
Client-Authoritative Abilities HackerOne

Adam Gill
Programmer specialised in Unreal Engine.

This was privately disclosed to Epic Games in 2023 and had a slight fix implemented shortly after.

This exploit was very simple in how it worked, and it set off a large chain of events once you triggered it. In Fortnite, for example, if your character walks over ice, the server acknowledges this and grants the player the ice UGameplayAbility. In Fortnite's case the client usually should never tell the server directly when to activate an ability or what kind of ability. However, I noticed that in Unreal Engine the server will accept whatever the client says it is standing on; the server never bothers to check this and just grants the ability no matter what surface you are on. That meant I was able to stand on grass but suddenly gain the Ice sliding ability, which I am not supposed to have.

Without explaining how to do it directly: all that had to be done to cause this was to modify every UPhysicalMaterial’s SurfaceType field to have a different EPhysicalSurface.

This kind of exploit doesn’t seem like it would amount to much, but Fortnite had things called augments, which were basically perks your character could gain when certain events happened. For example, there was one that slowly healed the player when they were covered in mud, and this exploit could trigger that effect: you could set your current floor SurfaceType to mud and it would grant you the mud gameplay ability. At the time of this exploit you were able to spoof these abilities: Ice (EPhysicalSurface::SurfaceType24), Mud (gone as of 28.10), Lava (EPhysicalSurface::SurfaceType25) and Chrome (let you merge through walls) (EPhysicalSurface::SurfaceType29). There were other surface types, but most did not grant any abilities or change anything meaningful.

Due to all this, I can safely say I'm the only person to ever get affected by lava on the spawn island.
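
The trust problem described above, modelled as an added example (not code from the original post, Unreal Engine or Fortnite): a grant path that believes the client's reported surface, next to one where the server resolves the surface from its own world data and only flags a disagreeing claim. `ServerWorld`, the grid cells and all function and ability names are hypothetical; only the surface-type numbers come from the post.

```cpp
#include <cstdint>
#include <map>
#include <optional>
#include <utility>

// Numbers mirror the EPhysicalSurface entries named in the post; Default is assumed.
enum class Surface : std::uint8_t { Default = 0, Ice = 24, Lava = 25, Chrome = 29 };
enum class Ability { IceSlide, LavaBurn, ChromeMerge };

// Hypothetical server-side world: grid cell -> surface, loaded from the server's own map data.
using Cell = std::pair<int, int>;
struct ServerWorld {
    std::map<Cell, Surface> cells;
    Surface SurfaceAt(Cell c) const {
        auto it = cells.find(c);
        return it == cells.end() ? Surface::Default : it->second;
    }
};

// Which ability (if any) a surface grants.
std::optional<Ability> AbilityFor(Surface s) {
    switch (s) {
        case Surface::Ice:    return Ability::IceSlide;
        case Surface::Lava:   return Ability::LavaBurn;
        case Surface::Chrome: return Ability::ChromeMerge;
        default:              return std::nullopt;
    }
}

struct GrantResult {
    std::optional<Ability> granted;
    bool mismatch;  // client claim disagreed with server state: a detection signal
};

// Pattern described in the post: the client's claim alone decides the grant.
GrantResult GrantTrustingClient(Surface clientClaim) {
    return {AbilityFor(clientClaim), false};
}

// Hardened pattern: the server looks up the surface at the position it holds
// for the player; the client's claim is only compared against it and flagged.
GrantResult GrantServerAuthoritative(const ServerWorld& world, Cell serverPos,
                                     Surface clientClaim) {
    Surface actual = world.SurfaceAt(serverPos);
    return {AbilityFor(actual), actual != clientClaim};
}
```

A `mismatch` on the hardened path is worth logging per player, since a legitimate client should rarely disagree with the server about the floor it is standing on.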

Ice Ability

EPhysicalSurface::SurfaceType24 Ice gameplay ability that the server has granted to the player.

Lava Ability

EPhysicalSurface::SurfaceType25 Lava gameplay ability that the server has granted to the player.