So I have a leaderstats. Do I need to make an anti-cheat system for it to prevent exploiters from setting their leaderstats values to ridiculous numbers?
I once heard that any changes they make to their values won’t replicate to the server. It will only show on their device, but I’m not completely sure if this is true.
It’s true that changes made in the client won’t replicate to the server, but exploiters can use an insecure remote event to commit their changes into the server, which will get replicated.
Secure your remote events or whatever logic you have that is adding onto your players’ stats in the leaderboards.
It doesn’t replicate at all. What I meant by “lacking” was described by @Solar_Eos (allowing exploiters to send any argument through a remote without proper server security checks).
This is true no matter how you spin it, because of FE - which is why attacks have stopped being focused around client manipulation, and more so on remote manipulation.
Catching a remote is really easy to do, and if you don’t validate an incoming remote from the client, this is where security falls apart.
In your case, the advice is not to trust what the client sends you.
As an example, if you are planning to have a shop in your game, you:
Don’t let the client tell the server how much cash they have. Exploiters can forge remote values.
Do check that the client has enough cash to make the purchase on server-side. The server should have the final say.
Another example is if you plan to have coins spawn in the world that can be picked up:
Don’t let a client use a remote to tell the server it has picked up a coin. Exploiters can spam fire that remote even if they haven’t really walked over a coin.
Do check on the server that a player has actually walked over a coin before adding to their coins.
This same logic applies elsewhere - don’t trust the client’s input or values, let the server decide for itself.
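The shop advice above written as a server-side handler, as an added example that is not part of the original posts. The remote name `BuyItem`, the `Cash` stat and the `PRICES` table are assumptions made for illustration.

```lua
-- Server Script (for example in ServerScriptService). Added example: the remote
-- name "BuyItem", the "Cash" stat and the PRICES table are assumptions.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local PRICES = { Sword = 100, Shield = 250 } -- prices exist only on the server
local COOLDOWN = 0.5 -- minimum seconds between accepted requests per player
local lastRequest = {} -- [Player] = os.clock() of the last accepted request

local buyItem = Instance.new("RemoteEvent")
buyItem.Name = "BuyItem"
buyItem.Parent = ReplicatedStorage

Players.PlayerAdded:Connect(function(player)
	local stats = Instance.new("Folder")
	stats.Name = "leaderstats"
	local cash = Instance.new("IntValue")
	cash.Name = "Cash"
	cash.Value = 0
	cash.Parent = stats
	stats.Parent = player
end)

Players.PlayerRemoving:Connect(function(player)
	lastRequest[player] = nil -- avoid keeping departed players in the table
end)

-- The client only says WHAT it wants to buy. Price and balance are never read
-- from the client; `player` is filled in by the engine, not by the sender.
buyItem.OnServerEvent:Connect(function(player, itemName)
	if typeof(itemName) ~= "string" then return end -- forged argument type
	local price = PRICES[itemName]
	if not price then return end -- item the server does not sell

	local now = os.clock()
	if now - (lastRequest[player] or -math.huge) < COOLDOWN then return end -- spam-fired remote
	lastRequest[player] = now

	local stats = player:FindFirstChild("leaderstats")
	local cash = stats and stats:FindFirstChild("Cash")
	if not cash or cash.Value < price then return end -- server has the final say

	cash.Value -= price
	-- Grant the item here (inventory handling is game-specific and not shown).
end)
```

A LocalScript would call `BuyItem:FireServer("Sword")`; any extra arguments a client adds, such as a price or a new balance, are never read by this handler.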
I just have a LocalScript in which I’m doing UI stuff, but I also have a MouseClick event on it. When the MouseClick fires, I’ll be firing a remote event to the server to UPDATE the leaderstats values on the server, not the client.
Is this exploitable?
Sorry, but I’m a little dumb when it comes to server and client.