I've been truly stumped for the past couple of days regarding the security of my game, and the fact that exploiters can fire events.
Let's say I want to make a system where if the player clicks a GUI button, a remote event will fire and it will give them 1000$ on the server. Well, I know that exploiters can show/hide GUI elements, so I put the GUI element in ServerStorage, and when the time comes I let a server script clone it and put it in the player’s GUI. So far so good, right?
Well, sadly not, because the problem here is that the exploiter doesn’t even need the GUI element, because they can fire the event that gives the 1000$ on the server when they shouldn’t get it.
So what is the solution for this problem?
(This system is just a broad example and I'm not going to actually make it in my game.)
Exploiters can indeed fire remote events locally, as they are stored in ReplicatedStorage, which is replicated to each user that joins the game, and if the player can find a way to run their own code locally, it means they can call the remote event without the need of the GUI.
There are no ways that will 100% ensure the remote event can be called, but there are ways to make it a lot harder. Like maybe having a way for the server to check if the player is allowed to press the button, or fire the remote event, and if they can then the function calls properly.
I found this forum post that may help you a bit
Best of luck in fixing this problem, hopefully this helps
So from what I understood, you really can't protect remote events, you just need to check on the server if the player can actually fire the event with if statements.
It's a really bad system that the Roblox Studio developers have implemented, they should really rework it, but anyways.
For my GUI example I’d say maybe put a bool value inside the player on the server's side that turns true when the server script transfers the ServerStorage GUI to the player’s GUI and turns false when the GUI gets destroyed, and then when the event is fired you check that bool value inside the player, and if it's true you give the player the 1000$.
And that solution will probably work 90% of the time.
Yeah, that should work for the most part. Obviously, if there are people bypassing that system, more ways to fix it would be necessary. Maybe having a system on the server that checks how often the remote event is fired by players, and if it is too often, remove the player from the game, or have another way of punishing the player for hacking in the game.
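The server-side eligibility check and the fire-rate check discussed in this thread, combined in one server Script, as an added example that is not part of any poster's message. It keeps the flag in a server-only table instead of a value object inside the player, and the names `ClaimReward`, `RewardGui`, `leaderstats.Cash` and the rate limits are assumptions.

```lua
-- Server Script (e.g. in ServerScriptService). Added example; instance names are hypothetical.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local ServerStorage = game:GetService("ServerStorage")

local claimEvent = ReplicatedStorage:WaitForChild("ClaimReward") -- RemoteEvent (assumed name)
local rewardGui = ServerStorage:WaitForChild("RewardGui")        -- ScreenGui (assumed name)

local REWARD = 1000   -- amount is decided by the server, never read from client arguments
local MAX_FIRES = 5   -- assumed limit: fires allowed per window
local WINDOW = 10     -- assumed window length in seconds

local eligible = {}   -- [player] = true while the server has offered the reward
local fires = {}      -- [player] = { windowStart = number, count = number }

-- Call this from server game logic when the player has actually earned the reward.
local function offerReward(player)
	eligible[player] = true
	rewardGui:Clone().Parent = player:WaitForChild("PlayerGui")
end

-- Fixed-window counter: true once the player exceeds MAX_FIRES within WINDOW seconds.
local function overLimit(player)
	local now = os.clock()
	local f = fires[player]
	if not f or now - f.windowStart > WINDOW then
		f = { windowStart = now, count = 0 }
		fires[player] = f
	end
	f.count += 1
	return f.count > MAX_FIRES
end

claimEvent.OnServerEvent:Connect(function(player)
	if overLimit(player) then
		player:Kick("Too many requests")
		return
	end
	if not eligible[player] then return end -- fired without a server-side offer: ignore
	eligible[player] = nil                  -- one offer, one payout; a repeated fire gets nothing
	player.leaderstats.Cash.Value += REWARD -- assumed IntValue created elsewhere on the server
	local gui = player.PlayerGui:FindFirstChild(rewardGui.Name)
	if gui then gui:Destroy() end
end)

Players.PlayerRemoving:Connect(function(player)
	eligible[player] = nil
	fires[player] = nil
end)
```

Clearing the flag before paying out means a second fire for the same offer is ignored, and because the table lives only in the server script there is nothing for a client to read or change.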