Can hackers fire remote functions

Can hacked clients fire remote functions in roblox?

If they can, How do you protect yourself from it?

Basically my remote function is client>server, But I’m worried hackers may be able to fire the remote events.

1 Like

Basically, yes. RemoteEvents are able to be fired by Exploiters to the server.

What you should do is add some sort of sanity check, which double-checks if the Player meets a specific condition. Let me give you an example:

Let’s say, you have a Shop, and you have a Sword on-sale for 100 coins. If a Player who has enough coins purchase the sword, the client checks if the Player has enough coins, and if they do, they fire the RemoteEvent to the server.

However, the Exploiter attempts to bypass this client check by firing the RemoteEvent on their side. What would you do to counter this? Well, you should verify from the server that the Player has enough coins! Therefore, when the server receives the RemoteEvent, the ServerScript handling the event will double-check whether the specified Player has enough coins. If they don’t, the Server will simply ignore the event!

This is pretty much what a sanity check is. A simple check on the server’s side can be something like:

MyRemote.OnServerEvent:Connect(plr, ...)
    if firstCondition or secondCondition and thirdCondition then
      -- code here.

If you need more examples, you can take a look at this DevForum topic. on sanity checks.

1 Like

I mean like can you fire remote functions from a hacked client, because I have a admin system that you can type the command in a text box, and it passes the command name to the server to check if its fake or real, The commands/Detection system is a remote function being fired, But i’m worried that exploiters can use the remote function to fire the admin as if they were an admin when they aren’t.

Absolutly yes!

They can simply Invoke RemoteFunction same as RemoteEvent


So do sanity checks (sanitaze data that client sent) still because client can send any data to any remote: with some limitations (it can’t send functions to remote or metatables that will be removed from table)

local Admins = {
     [1] = true
RemoteFunction.OnServerInvoke = function(Player) 
        if Admins[Player.UserId] then 


You can setup a table which lists all the Admin’s ID. When a RemoteEvent gets fired, you can just check for the Player’s UserId and see if it matches any of the IDs in the ID table.

What do you mean by “hacked client”? If you just meant the Exploiter’s client, then my previous reply shouldn’t differ.

Edit: Didn’t see that @q0wq posted before me, so that’s on me.

1 Like

can the Exploiter change the first arg of a remote function/event ?

the arg that tells you which player fired the event

Thanks! This is exactly what I needed, So thanks :smiley:

Well, yes, technically. There are some arguments that can’t be changed, like for example: if the script tries and get the “Player” argument from PlayerAdded(), it cannot be altered, since the Server does checks specifically for this.

Regardless, you should still conduct sanity checks on the receiving end - the server. It depends on what exactly you’re trying to send through RemoteEvents, that can be countered with checks.

1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.