Do I need to make an anti-cheat system for the leaderstats?

So I have a leaderstats. Do I need to make an anti-cheat system for it to prevent exploiters from setting their leaderstats values to ridiculous numbers?

I once heard that any changes they make to their values won’t replicate to the server. It will only show on their device, but I’m not completely sure if this is true.

Should I just make an anti-cheat for it?

Thanks!

You still should.

It’s true that changes made in the client won’t replicate to the server, but exploiters can use an insecure remote event to commit their changes into the server, which will get replicated.

Secure your remote events or whatever logic you have that is adding onto your players’ stats in the leaderboards.

A good read to get started:

It’s 100% true. This would only be false if your game already has lacking security.

But how can they commit their changes into the server if they cannot create or edit ServerScripts?

They need to catch the RemoteEvent on the Server.

What do you mean ‘lacking security’? I don’t have any kind of anti-cheats nor security, I’m just going by default.

Does it not replicate to the server by default?

It doesn’t replicate at all. What I meant by “lacking” was described by @Solar_Eos (allowing exploiters to send any argument through a remote without proper server security checks).

This is true no matter how you spin it, because of FE - which is why attacks have stopped being focused around client manipulation, and more so on remote manipulation.

Catching a remote is really easy to do, and if you don’t validate an incoming remote from the client, this is where security falls apart.

In your case, the advice is not to trust what the client sends you.

As an example, if you are planning to have a shop in your game, you:

  • Don’t let the client tell the server how much cash they have. Exploiters can forge remote values.
  • Do check that the client has enough cash to make the purchase on server-side. The server should have the final say.

Another example is if you plan to have coins spawn in the world that can be picked up:

  • Don’t let a client use a remote to tell the server it has picked up a coin. Exploiters can spam fire that remote even if they haven’t really walked over a coin.
  • Do check on the server that a player has actually walked over a coin before adding to their coins.

This same logic applies elsewhere - don’t trust the client’s input or values, let the server decide for itself.
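As an added example (not code from the thread), here is what the shop and coin-pickup advice above looks like in a server Script: the client only names the item it wants, and the server decides the price, checks the balance, and observes coin touches itself instead of trusting a remote. The RemoteEvent name "PurchaseItem", the price table, a workspace folder "Coins" and a leaderstats value named "Cash" are assumptions.

```lua
-- Server Script in ServerScriptService (added example; names below are assumed).
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local purchaseEvent = ReplicatedStorage:WaitForChild("PurchaseItem") -- assumed RemoteEvent

-- Prices live on the server; the client never sends a price or its cash.
local PRICES = { Sword = 100, Shield = 250 }

local function getCash(player)
	local stats = player:FindFirstChild("leaderstats")
	return stats and stats:FindFirstChild("Cash") -- assumed IntValue
end

-- Client sends only the item name; everything else is decided here.
purchaseEvent.OnServerEvent:Connect(function(player, itemName)
	if typeof(itemName) ~= "string" then return end -- reject malformed arguments
	local price = PRICES[itemName]
	if not price then return end -- unknown item, ignore
	local cash = getCash(player)
	if not cash or cash.Value < price then return end -- server has the final say
	cash.Value -= price
	-- grant the item to the player here
end)

-- Coin pickup: no remote at all; the server watches the Touched event itself.
local coinsFolder = workspace:WaitForChild("Coins") -- assumed folder of BaseParts
local collected = {} -- coins already taken, so one coin cannot pay out twice

local function onCoinTouched(coin, hit)
	local character = hit.Parent
	local player = Players:GetPlayerFromCharacter(character)
	if not player or collected[coin] then return end
	-- Sanity check: the character's root must actually be close to the coin.
	local root = character:FindFirstChild("HumanoidRootPart")
	if not root or (root.Position - coin.Position).Magnitude > 10 then return end
	collected[coin] = true
	local cash = getCash(player)
	if cash then cash.Value += 1 end
	coin:Destroy()
end

for _, coin in ipairs(coinsFolder:GetChildren()) do
	if coin:IsA("BasePart") then
		coin.Touched:Connect(function(hit) onCoinTouched(coin, hit) end)
	end
end
```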

Here’s my case.

I just have a LocalScript in which I’m doing UI stuff, but I also have a MouseClick event on it. When the MouseClick fires, I’ll be firing a remote event to the server to UPDATE the leaderstats values on the server, not the client.

Is this exploitable?

Sorry, but I’m a little dumb when it comes to server and client.

It’s not, as long as you’re not sending anything over through the remote.

You have the right idea - let the server figure out what values to use for the updates, don’t let the client tell the server what.

Thanks for your help! I appreciate it!
