Exploiter increasing money

Hello,

There has been an exploiter in my game who is giving himself infinite money and donating it to players in the server. Is there a way to prevent this? My Game

Screenshots


5 Likes

There’s most likely a RemoteEvent he is firing that you have implemented in your game which gives a user the in-game currency. You might want to secure that up or think of another way of implementing it.

Just make sure you do not handle any currency on the client as the exploiter has access to everything on the client.

2 Likes

How are you maintaining security? Are you relying on the Client for your scripting? How is the money being rewarded to the player?

Edit: basically what @uhi_o points out.

1 Like

Yeah it’s a remote event. What’s an alternative to this?

What is the user doing on the client which would give them in game currency?

I have no idea. I assume he is abusing a remote event which allows him to change his money, then he’s donating it through the GUI.

No, I meant what a normal player would do if they were playing to gain currency.

Donating? So you have a remote that allows players to donate to another?

And what remote event would that be and what does it do?

Oh, well you can mine, chop trees and stuff like that, and it gives you a certain amount of money.

1 Like

Yeah it’s a sendmoney event

image

What @sjr04 pointed out is a valid point which is most likely your issue. You might want to add more checks on the server before giving the user the currency while donating.

Yes. Such as:

  • making sure the number isn’t negative (this is EXTREMELY DANGEROUS: players could steal other players’ money!)
  • making sure the player isn’t donating to himself
1 Like

You can’t donate to yourself, only to other players.

I’m saying an exploiter could have done SendMoney:FireServer(game.Players.LocalPlayer.Name) or something like that to donate to themselves.

You can prevent exploits like this by applying Remote Event Security into your game design.

The best way to do this is to assume that every player could/would fire every remote event and any data sent in that remote event could be completely false. I.e., never trust the data you get from a remote event.

If a remote event in some way changes data on the server (i.e. one that rewards currency if a player clicks on an activity) then you must confirm that the data being sent is legitimate on the server.

This is one of the basic things to check although more complex problems may be the cause. For example, if a player donates 1000 gold to another player and then rapidly joins a new server before the datastore saves the 1000 coin loss, he would join loading his old data where he still had 1000 coins, while the other player he traded the 1000 coins to keeps them, thus creating 1000 coins out of thin air.

These are just two examples, but to TL;DR it: a lot of factors could cause this, but it’s best to start with remote event connections on the server and proper datastore session locking.

1 Like
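
The server-side checks suggested in the replies above, as an added example that is not part of any post and is not the game's own code. It assumes a RemoteEvent named SendMoney in ReplicatedStorage that receives a recipient name and an amount, and money kept in a server-created leaderstats.Money IntValue; the cap and cooldown values are placeholders.

```lua
-- Server Script (e.g. in ServerScriptService). Added example, not the game's code.
-- Assumed names: ReplicatedStorage.SendMoney (RemoteEvent), leaderstats.Money (IntValue).
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local SendMoney = ReplicatedStorage:WaitForChild("SendMoney")
local MAX_TRANSFER = 100000 -- assumed cap per donation
local COOLDOWN = 1          -- assumed seconds between donations per player
local lastSent = {}         -- [Player] = os.clock() of the last accepted donation

local function getMoney(player)
	local stats = player:FindFirstChild("leaderstats")
	local money = stats and stats:FindFirstChild("Money")
	return (money and money:IsA("IntValue")) and money or nil
end

-- The first argument (sender) is filled in by the engine.
-- Every argument after it comes from the client and is untrusted.
SendMoney.OnServerEvent:Connect(function(sender, recipientName, amount)
	if typeof(recipientName) ~= "string" or typeof(amount) ~= "number" then return end
	-- NaN and fractional values are rejected here ...
	if amount ~= amount or amount ~= math.floor(amount) then return end
	-- ... zero, negatives, infinity and oversized values here.
	if amount < 1 or amount > MAX_TRANSFER then return end

	local recipient = Players:FindFirstChild(recipientName)
	if not recipient or not recipient:IsA("Player") then return end
	if recipient == sender then return end -- no self-donation

	local now = os.clock()
	if lastSent[sender] and now - lastSent[sender] < COOLDOWN then return end

	local from, to = getMoney(sender), getMoney(recipient)
	if not from or not to then return end
	if from.Value < amount then return end -- balance is read on the server only

	lastSent[sender] = now
	from.Value -= amount
	to.Value += amount
end)

Players.PlayerRemoving:Connect(function(player)
	lastSent[player] = nil
end)
```

This covers the remote's input validation only; the rejoin duplication case described above still needs DataStore session locking.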

Like @Pavalineox said, you’ll want to have Remote Event Security in place. The rule of thumb is to never trust the client.

Make sure that you don’t have your system be something like this:

  1. Client hits a tree
  2. Client sends a Remote Event to the server, telling the server that they’ve hit a tree
  3. Server receives the Remote Event and stores the updated money for that player (however you do that)

I’m not sure if this is completely safe, but a better idea of a system to have for this is something along these lines - compared to the above, this is safer. Like this:

  1. Client hits a tree
  2. Server detects which Client hit the tree
  3. Server sends the money to a server-sided storage of the money for that player

Whatever you do, do not store the players’ money in the client. Then they can easily change their money. Anything that interacts, or is stored on the client is a risk. Make sure to look for, and mitigate those risks thoroughly, especially for a currency system.

5 Likes
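
The second flow in the post above (server detects the hit, server decides the reward), as an added example that is not part of any post and is not the game's own code. It assumes a workspace.Trees folder of Models that each contain a ClickDetector, and money in leaderstats.Money; all constants are placeholders.

```lua
-- Server Script. Added example; workspace.Trees, the ClickDetector layout and
-- leaderstats.Money are assumptions, not the game's actual structure.
local Players = game:GetService("Players")

local REWARD = 10          -- decided by the server, never sent by the client
local HITS_TO_FELL = 5
local SWING_COOLDOWN = 0.5 -- seconds between counted hits per player
local MAX_DISTANCE = 12    -- studs between character and tree
local RESPAWN_TIME = 30
local lastSwing = {}       -- [Player] = os.clock() of the last counted hit

local function inRange(player, tree)
	local character = player.Character
	local root = character and character:FindFirstChild("HumanoidRootPart")
	return root ~= nil and (root.Position - tree:GetPivot().Position).Magnitude <= MAX_DISTANCE
end

local function setupTree(tree)
	local detector = tree:FindFirstChildWhichIsA("ClickDetector", true)
	if not detector then return end
	local hits, felled = 0, false -- tree state lives on the server

	-- MouseClick fires on the server and passes the Player who clicked.
	detector.MouseClick:Connect(function(player)
		if felled or not inRange(player, tree) then return end
		local now = os.clock()
		if lastSwing[player] and now - lastSwing[player] < SWING_COOLDOWN then return end
		lastSwing[player] = now

		hits += 1
		if hits < HITS_TO_FELL then return end

		felled, hits = true, 0
		local stats = player:FindFirstChild("leaderstats")
		local money = stats and stats:FindFirstChild("Money")
		if money then money.Value += REWARD end
		task.delay(RESPAWN_TIME, function() felled = false end)
	end)
end

for _, tree in ipairs(workspace.Trees:GetChildren()) do
	setupTree(tree)
end

Players.PlayerRemoving:Connect(function(player)
	lastSwing[player] = nil
end)
```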

The money is stored in a server script.

Let’s say a player hits a tree. How are you telling the server to store the values? I’m not sure if you want to release that info publicly here on the forum, so I won’t argue with you if you don’t want to say.

You said earlier that you use Remote Events. Is the way you’re doing it more like the first example I gave above, or the second?

EDIT: If you need to send information to a server script, but not sure how to do this without Remote Events, you can use Bindable Events/Functions. It’s just Remote Events but only for Server-To-Server or Client-To-Client. So you could move the information around in the server using that, and I believe it’s safer than Remote Events, as it’s free from exposure to the clients.

There’s a module script in StarterCharacterScripts that fires this once they chop down a tree.


image

I assume they abused this and gave themselves infinite money.

Yes, they could’ve spammed that to get tons of money, or done something similar.