I’m using a module script in replicated storage that is accessible on both the client and by the server, the client uses this module to access prices and such to reflect on the gui and the server uses it to verify the price and such. However, I’m curious on whether or not exploiters can change stuff in this module script and the server would verify with those changed prices rather than the actual one? If so, what’s another way to store important values that I want to reflect on the client’s gui but I want the server to verify with it’s own copy.

Personally, I would have a folder in workspace that has all the values you want to store (these would be represented inside the folder with string value, number value, and boolean value instances). Clients can access the data and see what the values are, but any exploited changes wouldn’t replicate to the server.

Changes made on the client do not replicate to the server, with a few exceptions for things like PV (Position/Velocity) properties.

That seems pretty inefficient and would probably be a nightmare to manage.

Exploiters cannot make direct changes to scripts. And if they could, there would be way bigger problems than just changed prices.

so it’s fine to put module scripts in replicated storage that the server uses as well?

If an exploiter is able to require your module and make any changes to the values stored inside it, it should only effect behavior on that client. As long as you are verifying the values through a server-sided check, you will be fine-- just make sure you aren’t trusting the client with important things like the actual transactions.

The short answer to the following question:

Can exploiters change module scripts on the client and affect the server?

No.

…

Any data stored in the module script is NOT replicated over from server to client and the other way around, so the client is not able to read anything the server edits on said module script.