Help stopping exploiters using remote events

I have recently found out that people are exploiting in my game: [MINIGAMES!] Limited Life! - Roblox

I have found out that they are most likely using this remote event, which gives the player time (currency):

local mps = game:GetService("MarketplaceService")

-- Reward is supplied by the client that fired the event
remote2.OnServerEvent:Connect(function(plr, Reward)
	local info = plr:WaitForChild("Info")
	local seconds = plr:WaitForChild("leaderstats"):WaitForChild("Seconds")

	-- Game pass owners get a 1.5x multiplier
	if mps:UserOwnsGamePassAsync(plr.UserId, 64753824) then
		info:WaitForChild("Earned").Value += Reward*1.5
		seconds.Value += Reward*1.5
	else
		info:WaitForChild("Earned").Value += Reward
		seconds.Value += Reward*1.5
	end

	-- Count the completed task
	info:WaitForChild("Tasks").Value += 1
end)

Is there any way I can stop exploiters from firing this?


You’re allowing the client to tell the server what should be given to the player; that has to be done server-sided.

I don’t understand? That script is server-sided and I need it to be fired from the client or else it won’t work since it’s UI.

What does the UI contain? Exploiters are just doing this:

RemoteEvent:FireServer(100000)

The script is server-sided, but the information is coming from the client, which can be manipulated.


Here’s an example:

A shop customer telling the owner how much something is, then paying at that price

Try making sure the script that is firing the remote event is allowed.

They have to do a task and then it fires to the server. I believe I came up with a solution.
Would this work:

  1. When the remote is fired where it should be, a variable in the client script is changed.
  2. The server fires a remote to the client to check if the variable is true.
  3. If it isn’t, the remote is fired but the reward is now negative, so it takes it away.

That unfortunately wouldn’t work because that would rely on the client being truthful. How is the reward calculated on the client? It could possibly be moved to the server.


You have to implement sanity checks on the server in order to properly secure your remotes. The rule of thumb is to never trust the client - always assume everything they send could be untruthful.

A good example is this: Say you have a gun that sends a remote every second the mouse is held down to make the server shoot a bullet. An exploiter could bypass the rate of fire of the gun and make it shoot extremely fast.

So on the server script, you implement a variable that keeps track of the last time someone shot, and if the next time they shoot is before the cooldown time, then you know something’s fishy with that particular player. You could then prevent the bullet from being fired, you could kick/ban the player, send him a mean message, etc.

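The server-side sanity checks suggested in the replies, applied to the reward remote from the question, as an added example that is not code from any poster in this thread. The remote's name and location, the task ids, the reward values and the minimum completion times are assumptions, and the 1.5x multiplier is assumed to apply only to game pass owners.

```lua
-- Added example (server Script). Names marked "assumed" are not from the thread.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local mps = game:GetService("MarketplaceService")

local remote2 = ReplicatedStorage:WaitForChild("TaskCompleted") -- assumed name and location
local GAMEPASS_ID = 64753824 -- game pass id from the original handler

-- Reward values live only on the server; the client just names the task it finished.
local TASKS = { -- assumed task ids, rewards and minimum completion times
	Dishes = { reward = 10, minSeconds = 5 },
	Sweep = { reward = 25, minSeconds = 12 },
}

local lastClaim = {} -- [Player] = os.clock() at join or at the last accepted claim

Players.PlayerAdded:Connect(function(plr)
	lastClaim[plr] = os.clock()
end)
Players.PlayerRemoving:Connect(function(plr)
	lastClaim[plr] = nil
end)

remote2.OnServerEvent:Connect(function(plr, taskId)
	-- Sanity check 1: the argument must be a known task id, never an amount.
	local def = type(taskId) == "string" and TASKS[taskId]
	if not def then return end

	-- Sanity check 2: a task cannot be finished faster than it takes to play it.
	local now = os.clock()
	local last = lastClaim[plr]
	if not last or now - last < def.minSeconds then
		warn(("Rejected %s claim from %s"):format(taskId, plr.Name))
		return
	end
	lastClaim[plr] = now -- set before any yielding call so repeated fires cannot race

	-- The call can error on network failure; treat that as "does not own the pass".
	local ok, owns = pcall(mps.UserOwnsGamePassAsync, mps, plr.UserId, GAMEPASS_ID)
	local amount = def.reward * ((ok and owns) and 1.5 or 1)

	local info = plr:FindFirstChild("Info")
	local stats = plr:FindFirstChild("leaderstats")
	if not (info and stats) then return end
	info.Earned.Value += amount
	stats.Seconds.Value += amount
	info.Tasks.Value += 1
end)
```

With this handler, `FireServer(100000)` is dropped because the argument is not a task id, and repeated valid claims are capped at one reward per `minSeconds`. Where the task's outcome can be observed on the server, check it there as well, since the time check only limits how fast rewards can be claimed.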