Cheat-proof Speedrun and timer

I’m making a speedrun-based obby, which has a timer. This timer will be connected to a server-side global leaderboard.

At the moment, the timer counter is in a local script, and I’m pretty sure people would be able to easily exploit that.

Local Script:

local text = script.Parent

local milli = 0
local sec = 0
local min = 0
local bool = script.Parent.bool

bool.Changed:Connect(function()
	while script.Parent.bool.Value do
		
		wait(.1)
		
		milli = milli + 1
		if milli > 9 then
			milli = 0
			sec = sec + 1
		end
		
		if sec > 59 then
			sec = 0
			min = min + 1
		end
		
		if min < 1 then
			text.Text = sec .. ":" .. milli
		elseif sec < 10 then
			text.Text = min.. ":0" .. sec .. ":" .. milli
		else
			text.Text = min.. ":" .. sec .. ":" .. milli
		end
	
	end
end)


workspace.Start.TouchEnded:Connect(function()
	bool.Value = true
end)

workspace.Finish.Touched:Connect(function()
	bool.Value = false
	-- Send information to Data Store for Leaderboard
end)

Simplified:
Touch Start Part > Bool = true > Timer Starts to
Touch End Part > Bool = false > Timer Stops > Send info to server

Questions:

1. How would I make a timer that is server-side, which would update the local player’s GUI?
2. Are there any tools / scripts that detect if a player is hacking, i.e. flying, and kick them?
3. Am I being paranoid? Is this local script actually easily exploitable?

Thanks in advance

No need to write whole scripts; general pointers will be helpful enough.

1 Like

You can make a NumberValue object that copies what the current time is on the Timer as the value, then the LocalPlayer Gui can just copy that value. Since it seems the NumberValue and GUI would just be for show, you don’t have to worry about someone messing with those numbers constantly.

2 Likes

You shouldn’t handle the GUI on the server. Just use RemoteEvents to tell the server when you started and ended the timer and work out whether that’s valid from there.

There’s not really a one-size-fits-all solution, as different games might have different movement or interactions that would be picked up as false positives or whatever.

No, you’re not being paranoid; it is easily exploitable. Exploiters can modify anything stored within a LocalScript and can manually fire RemoteEvents.

4 Likes

Depending on how you want to do the timer (like, using a part or a button), you could actually handle everything in the server (even the start and end moments) and just send the time to the player through a RemoteEvent.

For more info, you can check the Remote Functions and Events page and maybe learn something new about them or about security in games.

There are some tools around made by the community that are designed for detecting fly and other hacks, but like @rogchamp said, they won’t work the same for every game. You could check these cool posts where you can find open source anti exploits and maybe you can use them for your game or learn something about them:

If you want to learn more about security in Roblox Games, check these posts:

https://developer.roblox.com/en-us/articles/Roblox-Client-Server-Model
https://developer.roblox.com/en-us/articles/Network-Ownership
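
The server-side timing the replies describe, as an added example that is not part of the original thread: the server stamps start and finish from its own touch events, so no client-reported time ever reaches the leaderboard. The RemoteEvent name `RunTimer`, the `MIN_PLAUSIBLE_TIME` floor and the message strings are assumptions; `workspace.Start` and `workspace.Finish` are the parts from the question.

```lua
-- Server Script (e.g. in ServerScriptService). Added example, not from the thread.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

-- Assumed: a RemoteEvent named "RunTimer" exists in ReplicatedStorage.
local runTimer = ReplicatedStorage:WaitForChild("RunTimer")

-- Assumed floor in seconds: faster than any legitimate run of this course.
local MIN_PLAUSIBLE_TIME = 5

local startedAt = {} -- [Player] = server time when the run began

-- Map a touching part (limb or accessory handle) to its player, or nil.
local function playerFromHit(hit)
	local character = hit:FindFirstAncestorOfClass("Model")
	return character and Players:GetPlayerFromCharacter(character)
end

-- Fires once per body part; the last part to leave Start sets the final stamp.
workspace.Start.TouchEnded:Connect(function(hit)
	local player = playerFromHit(hit)
	if not player then return end
	local now = workspace:GetServerTimeNow()
	startedAt[player] = now
	-- The client only draws a cosmetic timer counting up from this stamp.
	runTimer:FireClient(player, "start", now)
end)

workspace.Finish.Touched:Connect(function(hit)
	local player = playerFromHit(hit)
	local t0 = player and startedAt[player]
	if not t0 then return end -- no run in progress: ignore
	startedAt[player] = nil -- one result per run, even if several limbs touch
	local elapsed = workspace:GetServerTimeNow() - t0
	if elapsed < MIN_PLAUSIBLE_TIME then
		warn(("%s finished in %.2fs; run rejected"):format(player.Name, elapsed))
		runTimer:FireClient(player, "rejected")
		return
	end
	runTimer:FireClient(player, "finish", elapsed)
	-- Write `elapsed` to the leaderboard data store here, on the server only.
end)

Players.PlayerRemoving:Connect(function(player)
	startedAt[player] = nil -- do not keep state for players who left
end)
```

The client still owns its character's physics (see the Network Ownership article above), so the server's touch events follow whatever position the client reports. The time floor only rejects impossible runs; movement checks would have to be added per game.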