
Epic Games HackerOne

All my HackerOne contributions

Over my many years of messing around on Fortnite and working on various tools and things for many Epic Games related products, my long use of Unreal Engine helped me come across one of the exploits that I reported to Epic Games for money using HackerOne.

Client-Authoritative UPhysicalMaterial SurfaceType

This exploit was very simple in how it worked, and triggering it set off a large chain of events. In Fortnite, for example, if your character walks over ice, the server acknowledges this and grants the player the ice UGameplayAbility. In Fortnite's case the client should usually never tell the server directly when to activate an ability or what kind of ability. However, I noticed that in Unreal Engine the server will accept whatever the client says it is standing on. The server never bothers to check this and just grants the ability no matter what surface I am on, which meant I was able to stand on grass and all of a sudden gain the Ice sliding ability, which I am not supposed to have.

This kind of exploit doesn't seem like it would amount to much, but Fortnite had things called augments, which were basically perks your character could gain when certain events happened. For example, there was one that slowly healed the player when they were covered in mud, and this exploit could trigger that effect: you could set your current floor SurfaceType to mud and it would grant you the mud gameplay ability. At the time of this exploit you were able to spoof these abilities: Ice (EPhysicalSurface::SurfaceType24), Mud (gone as of 28.10), Lava (EPhysicalSurface::SurfaceType25) and Chrome (let you merge through walls) (EPhysicalSurface::SurfaceType29). There were other surface types, but most did not grant any abilities or change anything meaningful. The exploit could be triggered simply by looping through every loaded UPhysicalMaterial and setting the SurfaceType to a different index.

Malicious ServerSpawnActorWithTransform Call

Doing this exploit was incredibly simple. It required entering an Unreal Editor For Fortnite edit session and then placing down a wall using the creative phone. However, it also required hooking AFortCreativeMoveTool::ServerSpawnActorWithTransform(AActor* ActorToSpawn, FTransform TargetTransform, bool bAllowOverlap, bool bAllowGravity) and modifying the class it was spawning instead of the wall. When we modified this call we changed the AActor* ActorToSpawn parameter to GWorld->GameState, which requested the server to spawn a Playspace_GameState_C at the time. Because this spawns a new child of the AGameStateBase actor, it crashes the server completely and kicks every player back to the lobby, as you are never supposed to have multiple GameStates in the world. The same goes for any child of AGameModeBase. I am fairly certain that if you find an AHUD in the world and set it as the type to spawn it should crash the server too, as the server has no player controller and will crash itself.
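
One way a server could vet the class named in a spawn request like the one above, as a standalone C++ model added here (not Epic's or Unreal Engine's code). The class table, the BuildingWall and CreativeWall_C names and every function name are assumptions for illustration; only Playspace_GameState_C and the GameStateBase, GameModeBase and HUD roots come from the post.

```cpp
// Added example: standalone model of server-side validation for a client spawn request.
// All type and function names are hypothetical; no Unreal Engine headers are used.
#include <string>
#include <unordered_map>
#include <unordered_set>

// Constructed class table: child class -> parent class (stand-in for reflection data).
static const std::unordered_map<std::string, std::string> kParentOf = {
    {"Actor", ""},
    {"GameStateBase", "Actor"},
    {"Playspace_GameState_C", "GameStateBase"},
    {"GameModeBase", "Actor"},
    {"HUD", "Actor"},
    {"BuildingWall", "Actor"},          // hypothetical placeable base class
    {"CreativeWall_C", "BuildingWall"}, // hypothetical wall placed by the creative tool
};

// Classes that only the server itself may ever create (one instance per world).
static const std::unordered_set<std::string> kServerOnlyRoots = {
    "GameStateBase", "GameModeBase", "HUD"};

// Roots of what the creative tool is allowed to place.
static const std::unordered_set<std::string> kPlaceableRoots = {"BuildingWall"};

// True if cls or any ancestor is in roots; an unknown class ends the walk with false.
bool DerivesFromAny(std::string cls, const std::unordered_set<std::string>& roots) {
    for (int depth = 0; !cls.empty() && depth < 64; ++depth) {
        if (roots.count(cls)) return true;
        auto it = kParentOf.find(cls);
        if (it == kParentOf.end()) return false;
        cls = it->second;
    }
    return false;
}

enum class SpawnVerdict { Allow, RejectServerOnly, RejectNotPlaceable };

// Runs on the server before it acts on the class a client asked it to spawn.
SpawnVerdict ValidateSpawnRequest(const std::string& requestedClass) {
    if (DerivesFromAny(requestedClass, kServerOnlyRoots))
        return SpawnVerdict::RejectServerOnly;   // checked first so logs get a distinct reason
    if (!DerivesFromAny(requestedClass, kPlaceableRoots))
        return SpawnVerdict::RejectNotPlaceable; // default deny: not on the allowlist
    return SpawnVerdict::Allow;
}
```

The allowlist alone already rejects the GameState request; the separate server-only verdict exists so that such requests can be logged and alerted on as tampering rather than as an ordinary placement error.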
