I’m a bit confused as to how I can make it so there is no showing remote events on the client allowing anyone to give themselves money. I’ve watched many leaderstats tutorials, and I plan on using ProfileService to handle my data so long as I can do it.
However I can’t tell if in these tutorials, they would be making me vulnerable. Could you tell me how a non-vulnerable leaderstats coin script would work in theory? I’d appreciate it a ton!
This way I know if what I’m learning, is actually what I want to execute.
The client shouldn’t tell the server when a player should get money. All game logic like that should be handled exclusively on the server (Also, you cannot hide remotes or anything on the client)
I’m not 100% sure but I think the client is unable to view serverstorage and serverscript service, so if you code it at the start like that, you could hide remote events there. I am not 100% sure though, do research
That’s correct, ServerScriptService and ServerStorage do not replicate to the client. But it wouldn’t make sense to place Remotes there since the point of RemoteEvents/Functions is to allow the client and server to communicate with each other. So they would be have to be placed somewhere else like ReplicatedStorage
right, but also the client can’t give themselves money in the first place if all purchases (Like if you buy a gun) are using a server script or handled using a server script. (Because the client and servers values would be different, the server would only see the server’s value, which CAN’T be changed.) So I’m not sure what all this is about.
so as Omega mentioned something like collecting a coin shouldn’t be handled locally, try making it server sided. However, some extra checks could help, like checking the Magnitude (distance between coin and player on server side) so if player fires a remote event saying that they grabbed a specific coin you are able to check if they are actually even close to that coin, although It is still possible to exploit but the main point is that you can run some extra checks on the server side.
whatever you do there will always be a way for an exploiter to use that remote event to give themselves cash, even if you destroy the remote.
i suggest never to let the client change cash through remotes. if you are trying to make a shop just use a remote event when pressing the buy button with a string for the name of the item you want to buy and the server will get how much it cost and giving it