Hello, there is a problem with the Remote Event Security that I am making for my game.
Here is the code. I used a pcall in it too and it still does not work!
game.ReplicatedStorage.GiveMoney.OnServerEvent:Connect(function(Key,Money)
    if Key == "mrmeme! i have a problem with my anti exploit and i have to fix it LOL" then
        game.Players.LocalPlayer.leaderstats.Points.Value = game.Players.LocalPlayer.leaderstats.Points.Value + 1
    else
        print('Key Invalid\nExploiter Added!')
    end
end)
Proof:
This is not my real RemoteEvent key.
So is there a way to fix this? DM me if needed.
Also, this is a bad system. The player should never be able to ‘request’ money unless it’s validated on the server.
Instead the player should be sending transaction requests, since the server can have complete control over what happens.
An example of a bad system would be like this:
-- player clicks a button to buy something
-- local script checks if player has enough money
-- local script fires an event to the server saying "give me this item and subtract this much money"
This can be tampered with in a few ways: The player can modify their money value on their client, since the client is checking if they have enough money, or they could spoof requests to the server to give them whatever items and money they want. A key system is useless since the key would have to be stored on the client’s side anyway for legitimate requests.
A more secure system would work like this:
-- player clicks a button to buy something
-- local script fires an event to the server saying "i want to buy this item"
-- server checks if player has enough money, gives them the item, and subtracts the price from their money.
The reason your script isn’t working is because the first parameter of the OnServerEvent callback is the player who called the event, so your callback parameters should be (player, key, money) instead of (key, money).
Also, you should never have a designated remote to change a player’s stats, as it’s highly exploitable, and your key being a constant string won’t stop anyone from hooking onto a remote call to figure that out.
To actually make a secure remote to edit player stats, you’d want to have separate remotes (or functions, denoted via an argument) for the instances in which they’d be edited, i.e. when a player buys something, the player would fire a RemoteEvent with what they wanted to buy, and on the server you’d check to see if they have enough money. If they do, you can edit their money and give them the tool, but if they don’t, you can also check for that on the client, and then you’d know that they’d be exploiting, because the only time the remote can be fired on the client is when that if-statement is valid, so they had to have called it from an external environment.
For more information regarding how exploits work, you should check out this thread; I think it’d help you greatly: Exploiting Explained
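The server-authoritative purchase flow described in the two replies above, written out as an added example (not code from any poster in this thread). The `BuyItem` RemoteEvent, the `ShopItems` folder in ServerStorage and the price table are assumed names; `leaderstats.Points` is the stat from the original script.

```lua
-- Server Script (for example in ServerScriptService).
-- Assumed names, not from the thread: RemoteEvent "BuyItem" in ReplicatedStorage,
-- folder "ShopItems" in ServerStorage holding one Tool per catalogue entry.
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local ServerStorage = game:GetService("ServerStorage")

local buyItem = ReplicatedStorage:WaitForChild("BuyItem")
local shopItems = ServerStorage:WaitForChild("ShopItems")

-- Prices exist only on the server. The client names an item; it never sends
-- an amount, a key, or a target player.
local PRICES = { Sword = 50, Shield = 30 } -- constructed sample catalogue

buyItem.OnServerEvent:Connect(function(player, itemName)
	-- `player` is supplied by the engine and identifies the sender.
	-- Every argument after it is untrusted client input.
	if typeof(itemName) ~= "string" then
		return
	end

	local price = PRICES[itemName]
	local template = shopItems:FindFirstChild(itemName)
	if not price or not template then
		-- Truncate before logging so a huge string cannot flood the output.
		warn(("%s requested unknown item %q"):format(player.Name, itemName:sub(1, 32)))
		return
	end

	local stats = player:FindFirstChild("leaderstats")
	local points = stats and stats:FindFirstChild("Points")
	local backpack = player:FindFirstChildOfClass("Backpack")
	if not points or not backpack then
		return
	end

	if points.Value < price then
		-- The shop UI also checks the balance before firing, so this request
		-- did not come from the normal button path. Log it for review.
		warn(("%s tried to buy %s with %d points (price %d)")
			:format(player.Name, itemName, points.Value, price))
		return
	end

	-- Only the server mutates the balance and hands out the item.
	points.Value -= price
	template:Clone().Parent = backpack
end)
```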
Yes, it is easy. Exploiters can see all messages they are sending to the server and send the exact same message themselves. They can even read any local script’s entire code.
The implementation of RemoteEvent.OnServerEvent is done incorrectly here: the first argument is passed as the player who fired the remote, so Key would never be equal to “mrmeme…” and "Key Invalid\nExploiter Added!" would always print.
You can’t prevent it. Even if you obfuscate everything someone will always have more free time than you to try to decipher it. Do server sanity checks always.
You should not use this “Key” for verifying the client’s events. You should do checks on the server instead that make sure the client is allowed to send these messages rather than trusting them every time they send you a key. Anyone can easily get that key and it’s effectively useless.
Although insecure, this probably will fix your code.
game.ReplicatedStorage.GiveMoney.OnServerEvent:Connect(function(plr,Key,Money)
    -- plr is the player who fired the event; the engine passes it first
    if Key == "mrmeme! i have a problem with my anti exploit and i have to fix it LOL" then
        -- LocalPlayer is nil on the server, so read and write through plr
        plr.leaderstats.Points.Value = plr.leaderstats.Points.Value + 1
    else
        print('Key Invalid\nExploiter Added!')
    end
end)
The Player that fired the event will always be the first parameter, so you must use that to do anything to them.