A problem with Remote Event Security

Hello, there is a problem with the Remote Event Security that I am making for my game.

Here is the code
I used a pcall in it too and it still does not work!

game.ReplicatedStorage.GiveMoney.OnServerEvent:Connect(function(Key,Money)
	if Key == "mrmeme! i have a problem with my anti exploit and i have  to fix it LOL" then
		game.Players.LocalPlayer.leaderstats.Points.Value = game.Players.LocalPlayer.leaderstats.Points.Value + 1
	else
		print('Key Invalid\nExploiter Added!')
	end
end)
Stuff

Proof:

  • This is not my Real RemoteEventKey

So is there a way to fix this? DM me if need be.

Could you please type out the error code?

1 Like

I put in the right remote key but it says it's wrong.

1 Like

The first parameter passed into OnServerEvent is the player instance who fired it.

It should be:

game.ReplicatedStorage.GiveMoney.OnServerEvent:Connect(function(Player, Key, Money)
2 Likes

Oh sorry. I have read that wrong.

1 Like

Also, this is a bad system. The player should never be able to ‘request’ money unless it’s validated on the server.

Instead the player should be sending transaction requests, since the server can have complete control over what happens.

An example of a bad system would be like this:

-- player clicks a button to buy something
-- local script checks if player has enough money
-- local script fires an event to the server saying "give me this item and subtract this much money"

This can be tampered with in a few ways: The player can modify their money value on their client, since the client is checking if they have enough money, or they could spoof requests to the server to give them whatever items and money they want. A key system is useless since the key would have to be stored on the client’s side anyway for legitimate requests.

A more secure system would work like this:

-- player clicks a button to buy something
-- local script fires an event to the server saying "i want to buy this item"
-- server checks if player has enough money, gives them the item, and subtracts the price from their money.
2 Likes

I’m pretty sure you making a key to fire the server with is useless and a waste of time.

Correct me if I’m wrong but this is easily exploitable and you should be relying on good game design and making sanity checks on the server…

1 Like

Yes, the client has to send the key to the server which means exploiters can one way or another find out the key.

1 Like

No, it is not easy since the exploiters don’t know the key.

The reason your script isn’t working is because the first parameter of the OnServerEvent callback is the player who called the event, so your callback parameters should be (player, key, money) instead of (key, money).

Also, you should never have a designated remote to change player’s stats as it’s highly exploitable and your key being a constant string won’t stop anyone from hooking onto a remotecall to figure that out.

To actually make a secure remote to edit player stats, you’d want to have separate remotes (or functions, denoted via an argument) for the instances in which they’d be edited, i.e. when a player buys something, the player would fire a RemoteEvent with what they wanted to buy, and on the server you’d check to see if they have enough money. If they do, you can edit their money and give them the tool; if they don’t, you can also check for that on the client, and then you’d know that they’d be exploiting, because the only time the remote can be fired on the client is when that if-statement is valid, so they had to have called it from an external environment.

For more information regarding how exploits work, you should check out this thread; I think it’d help you greatly: Exploiting Explained

3 Likes
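The server-validated purchase flow described in the replies above, written out as an added example (it is not code from any poster in this thread). The RemoteEvent name `BuyItem`, the `ShopItems` folder in ServerStorage, the price table and the cooldown are assumptions made for illustration; `leaderstats.Points` is the stat from the original post.

```lua
-- Server Script (e.g. in ServerScriptService).
-- Assumed names, not from the thread: RemoteEvent "BuyItem" in ReplicatedStorage,
-- folder "ShopItems" in ServerStorage holding one Tool per purchasable item.
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local ServerStorage = game:GetService("ServerStorage")
local Players = game:GetService("Players")

local buyItem = ReplicatedStorage:WaitForChild("BuyItem")
local shopItems = ServerStorage:WaitForChild("ShopItems")

-- Prices live only on the server; the client never sends an amount or a key.
local PRICES = { Sword = 50, Shield = 75 } -- constructed sample catalogue

local COOLDOWN = 0.5 -- seconds between accepted requests per player (assumed value)
local lastRequest = {}

buyItem.OnServerEvent:Connect(function(player, itemName)
	-- `player` is supplied by the engine and identifies the sender.
	-- Every argument after it is client-controlled and must be validated.
	if typeof(itemName) ~= "string" then return end

	-- Drop requests that arrive faster than a legitimate UI could send them.
	local now = os.clock()
	if lastRequest[player] and now - lastRequest[player] < COOLDOWN then return end
	lastRequest[player] = now

	-- Only items the server knows about can be bought.
	local price = PRICES[itemName]
	local template = shopItems:FindFirstChild(itemName)
	if not price or not template then return end

	local stats = player:FindFirstChild("leaderstats")
	local points = stats and stats:FindFirstChild("Points")
	local backpack = player:FindFirstChildOfClass("Backpack")
	if not points or not backpack then return end

	-- The balance check happens here, on the server's copy of the value.
	if points.Value < price then
		warn(("Rejected purchase: %s requested %s without enough Points"):format(player.Name, itemName))
		return
	end

	points.Value -= price
	template:Clone().Parent = backpack
end)

Players.PlayerRemoving:Connect(function(player)
	lastRequest[player] = nil -- avoid leaking entries for departed players
end)
```

The client side only needs `BuyItem:FireServer("Sword")`; a replayed or forged call can at most buy an item the player can actually afford.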

Yes, it is easy. Exploiters can see all messages they are sending to the server and send the exact same message themselves. They can even read any local script’s entire code.

A pcall doesn’t make anything magically work.

The implementation of RemoteEvent.OnServerEvent is done incorrectly here: the first argument is passed as the player who fired the remote, so Key would never be equal to “mrmeme…” and "Key Invalid\nExploiter Added!" would always print.

See the above 2 replies.

1 Like

By logging remotes?
Well, I am working on something to prevent this remote logging.
[30characters that thing]

You can’t prevent it. Even if you obfuscate everything someone will always have more free time than you to try to decipher it. Do server sanity checks always.

1 Like

You should not use this “Key” for verifying the client’s events. You should do checks on the server instead that make sure the client is allowed to send these messages rather than trusting them every time they send you a key. Anyone can easily get that key and it’s effectively useless.

2 Likes

Further note:

game.Players.LocalPlayer

is only accessible in a LocalScript on the Client. Attempting to use it in a ServerScript will return nil.

As metryy mentioned, use the Player parameter of OnServerEvent to get the Player firing the event.

1 Like

Although insecure, this probably will fix your code.

game.ReplicatedStorage.GiveMoney.OnServerEvent:Connect(function(plr,Key,Money)
	if Key == "mrmeme! i have a problem with my anti exploit and i have  to fix it LOL" then
		plr.leaderstats.Points.Value = plr.leaderstats.Points.Value + 1
	else
		print('Key Invalid\nExploiter Added!')
	end
end)

The Player that fired the event will always be the first parameter, so you must use that to do anything to them.

1 Like

I said it was not the real remote key.

Also, I have a trick of my own to prevent the remote loggers.