Alright, so basically I’m trying to make my game secure like most people. I was going to start on a mobility system, and well, I do have trouble deciding whether I should do the checks on the server or client because, well, they can be replicated on the client.
So, underwater swimming: I do have to constantly check if the player is at sea level or not using a loop, then based on the loop I would then determine where the player is swimming to, etc. This type of loop is extremely expensive because it runs a large amount of code. Doing this on the client would benefit me in many ways, such as an easier way to detect where the client is trying to swim, etc. On the other hand, people can exploit this by rewriting the script to swim in the air (changing the sea level value). Before I do start this system, I am wondering if I should do this on the client or server, because my game is heavily content based and I would like to keep everything in 1 game world rather than teleportation, so I’m trying to be as resource friendly as possible.
Another thing is regarding the client anti-exploit, now obviously the client is capable of deleting the anti-exploit script on the client but I was wondering if I could fire a remote function every so often to check if the script is there and if not kick the player.
I have other things such as dashing, double jump and wall jumping, currently I only check on the client and apply the body velocity on the client because it’s simple, my current solution is to use a remote function to check if you are able to dash, remove stamina but still create the instance of the body velocity on the client to avoid creating instances on the server.
Anyway, I’m just curious if there are better ways to do this since I’m trying to keep things simple and efficient.
Making decisions between efficiency and security is always hard.
For the first problem, I recommend checking things in the server rather than the client. It’s good to decide what’s more important in any case, efficiency or security. In this case, it seems that this is a very vulnerable part of the game, that’s why I chose server, because even if this part is really tanky and might produce lag, it can be easily reduced by lowering how often the loop loops for example (once every second seems good, maybe even way higher) and if the server is not already loaded with large amounts of tasks, one tanky task shouldn’t be a problem. You might also be able to split the work between the client AND the server, by making the checks on the server, and creating the object and everything on the client.
For the second problem, that seems like a very smart idea, and would work in general, but there will be cases where it will fail, for example if the exploiter created another script with the same name as the exploit script, and he removed the anti-exploit script, unless the system is smart enough, this action will not be detected, and there are many other situations that can happen that might ruin this system, but it’s not a bad idea to implement it anyways, as a minor way of defending the game.
For the third problem, I prioritize doing stuff in the server rather than client yet again just like the first problem, the reason being this also seems like a very important part, and also doesn’t seem like much work for the server. Doing checks on the server is WAY more common than doing checks on the client, you wanna do stuff with the client mostly when it’s effect-related or something that goes along rendering.
If this is your only real major concern, just make it in the client. Someone exploiting won’t bother to mess with your swim system to swim in air and would instead just make their own fly-style script.
This would be easily emulated from an exploit, but by all means go wild. Just don’t depend on it as security.
They can also already do this on their own client, whether or not your system handles the check part on the server.
The simple answer is just make sure people aren’t going too fast in any direction or too far off the ground for too long and it should cover most cases that would otherwise take too long to make weird checks for.
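The check suggested in the last reply (speed in any direction, time spent far off the ground), written as a server-side Luau Script. This is an added example and not code from anyone in the thread; the threshold values and the `state` / `checkPlayer` names are assumptions.

```lua
-- Added example, not from the thread. Server Script (e.g. in ServerScriptService).
-- All thresholds are assumed values; tune them to the game's dash and jump design.
local Players = game:GetService("Players")
local MAX_SPEED = 80       -- studs/second, assumed ceiling including a dash
local MAX_GROUND_GAP = 40  -- studs: no surface within this distance below = "in the air"
local MAX_AIR_TIME = 4     -- seconds allowed in that state before correcting
local CHECK_INTERVAL = 1   -- seconds between checks, keeps server cost low
local state = {}           -- [Player] = { character, pos, safe, airTime }

local function checkPlayer(player, dt)
	local character = player.Character
	local root = character and character:FindFirstChild("HumanoidRootPart")
	local s = state[player]
	-- No character yet, or a respawn: start a fresh baseline instead of comparing.
	if not root or not s or s.character ~= character then
		local p = root and root.Position
		state[player] = root and { character = character, pos = p, safe = p, airTime = 0 } or nil
		return
	end
	-- Speed comes from positions the server observed, not from values the client sends.
	local speed = (root.Position - s.pos).Magnitude / dt
	-- Cast straight down, ignoring the player's own character.
	local params = RaycastParams.new()
	params.FilterType = Enum.RaycastFilterType.Exclude
	params.FilterDescendantsInstances = { character }
	local down = Vector3.new(0, -MAX_GROUND_GAP, 0)
	local grounded = workspace:Raycast(root.Position, down, params) ~= nil
	local airTime = if grounded then 0 else s.airTime + dt

	if speed > MAX_SPEED or airTime > MAX_AIR_TIME then
		warn(("%s failed movement check: speed %.1f, air %.1fs"):format(player.Name, speed, airTime))
		root.CFrame = CFrame.new(s.safe) -- rubber-band to the last grounded position
		s.pos, s.airTime = s.safe, 0
	else
		s.pos, s.airTime = root.Position, airTime
		if grounded then s.safe = root.Position end
	end
end

Players.PlayerRemoving:Connect(function(player)
	state[player] = nil
end)

while true do
	local dt = task.wait(CHECK_INTERVAL)
	for _, player in Players:GetPlayers() do
		checkPlayer(player, dt)
	end
end
```

Any teleport the game performs itself should clear `state[player]` first, otherwise the jump in position is read as excess speed.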