solved and removed so nobody can see the code, thanks : )
If you don’t get the rng from the server then it can be exploited. They can send a remote event with the argument rng set to what they want.
Yeah, I could make it so that it generates 1 number server-sided and 1 number client-sided.
One important rule when creating a game is to NEVER trust the client.
Looking at your game code, you are basically letting the client fire the badge awarding RemoteEvents, which is already a red flag as you are not supposed to let the client handle such functions simply because it allows exploiters to exploit that. You are even letting clients provide the RemoteEvent with their own numbers which is a big no-no.
A better approach to this is to make the RNG fully server-sided. One way I would go about this is to make a RemoteEvent that takes no parameters, which tells the server to generate random numbers and check the conditions for awarding badges. This way the client cannot manipulate/change values to their liking, as the only thing they can do is fire the RemoteEvent. If you want the RNG to loop, just make a loop on the server that does that.
Another thing I could think of that exploiters could abuse is spamming the remotes, which you could fix by adding a cooldown for remotes on the server.
So my advice for game security: Don’t allow control of critical values to the client as exploiters will get their hands on it and abuse it right away. No client is trusted.
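The server-sided roll with a parameterless RemoteEvent and a per-player cooldown, as suggested above, shown as an added example that is not part of the original posts. The RemoteEvent name `RollRequest`, the cooldown, the roll range and the badge id are assumptions or placeholders.

```lua
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local BadgeService = game:GetService("BadgeService")

-- Hypothetical RemoteEvent; the client fires it with no arguments.
local rollRequest = Instance.new("RemoteEvent")
rollRequest.Name = "RollRequest"
rollRequest.Parent = ReplicatedStorage

local COOLDOWN_SECONDS = 1 -- assumed value
local MAX_ROLL = 1000 -- assumed roll range
local BADGE_FOR_ROLL = { [1] = 0 } -- placeholder: replace 0 with a real badge id

local rng = Random.new()
local lastRoll = {} -- [Player] = os.clock() of the last accepted roll

local function awardBadge(player, badgeId)
	local ok, err = pcall(function()
		if not BadgeService:UserHasBadgeAsync(player.UserId, badgeId) then
			BadgeService:AwardBadge(player.UserId, badgeId)
		end
	end)
	if not ok then
		warn("Badge award failed:", err)
	end
end

rollRequest.OnServerEvent:Connect(function(player)
	-- Only the sender (supplied by the engine) is used; client arguments are ignored.
	local now = os.clock()
	local last = lastRoll[player]
	if last and now - last < COOLDOWN_SECONDS then
		return -- remote fired too soon after the last roll: drop it
	end
	lastRoll[player] = now

	local roll = rng:NextInteger(1, MAX_ROLL) -- generated on the server only
	local badgeId = BADGE_FOR_ROLL[roll]
	if badgeId then
		awardBadge(player, badgeId)
	end
end)

Players.PlayerRemoving:Connect(function(player)
	lastRoll[player] = nil -- free the cooldown entry when the player leaves
end)
```

The client side is reduced to `RollRequest:FireServer()` with no arguments, so nothing it sends can influence the roll or the badge decision.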