How are exploiters getting past the sanitization checks on my RemoteEvent?

  1. What do you want to achieve? I want to properly implement the checks so that I don't have to worry about players getting infinite coins.

  2. What is the issue? Exploiters have been giving themselves infinite coins by somehow bypassing the server-side checks.

  3. What solutions have you tried so far? This is the server-side code that checks the amt and whether it is correct or not:

Event.OnServerEvent:Connect(function(player : Player, amt)
	local profile = module.Profiles[player]
	if not profile then return end
	
	if not amt then 
		print("nil amt: " .. player.Name)
		return
	end
	
	if amt ~= amt then
		warn("nan amt: " .. player.Name)
		return
	end

	if type(amt) ~= "number" then
		warn("invalid type on amt: " .. player.Name)
		return
	end

	if amt < 1 or amt > 10 then -- not sure how exploiters are getting past this but they are
		warn("invalid amt: " .. player.Name)
		return
	end

	
	if (profile.Data.Coins + amt) - profile.Data.Coins > 10 then -- this might be redundant with the check above but i wanted to make sure
		print("amt is too large: " .. player.Name)
	end
	
	if tick() - playerTable[player.Name] > cooldownTime then -- cooldown / delay to prevent spamming (1.5s)
		playerTable[player.Name] = tick()
		
		profile.Data.Coins += amt
		player.leaderstats.Coins.Value = profile.Data.Coins
	else
		return
	end
end)

Can I get more information about it?

Not sure if that's really required, but it may help?

Like, are the exploiters or players supposed to have access to that remote event?
And more information about the "amt" value, if possible?

The remote event is fired when the player uses their tool (which gives them coins). The amt refers to the amount of coins being added to the player's data. Though I don't want exploiters accessing the event, it's easy for them to use a remote spy and do what they want with it.

Why are you even letting them choose the amount of coins? Sounds like it's setting yourself up for failure.


Fair point. I’ll change it to a set amount.

Interesting… Well, instead, as others said, you may just fire the event and fix the amount, so exploiters can't do anything.

Forget what I said here

Can’t the client just fire it multiple times?

Try this:

--run on client
for i = 1, 1000 do
	-- don't yield the code in this loop (no task.wait, wait, etc.)
	Event:FireServer(10)
end

and see if it gives the player more than 10 coins


amnt can also be math.huge (aka 1/0)

if amnt == math.huge then
	warn("infinite amt: " .. player.Name)
	return
end

Could they be spamming the remote? They could still be getting 10 coins per fire, just insanely quickly. You could add a debounce and discard any event which comes during that debounce time.

amt = math.floor(amt) -- Ensure amt is an integer
amt = math.clamp(amt, 1, 10) -- Clamps amt between 1 and 10

As someone said, I don't know why you are giving clients the ability to choose the amount to give.
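Putting the replies above together (fixed server-side amount, per-player debounce), here is an added example of a hardened handler; it is not code from the thread. It assumes the same `Event` and `module.Profiles` as the original post, ignores whatever the client sends, and uses a hypothetical check that the player currently holds a Tool.

```lua
-- Added example, not from the original thread. Assumes `Event` and
-- `module.Profiles` exist as in the original post.
local Players = game:GetService("Players")

local COINS_PER_USE = 10 -- fixed server-side reward; the client never chooses it
local COOLDOWN = 1.5     -- seconds between accepted fires, per player

local lastFire: {[Player]: number} = {}

Players.PlayerRemoving:Connect(function(player)
	lastFire[player] = nil -- don't keep entries for players who left
end)

Event.OnServerEvent:Connect(function(player: Player, ...)
	-- Every argument the client sends is ignored; nothing from `...` is trusted.
	local profile = module.Profiles[player]
	if not profile then
		return
	end

	-- Debounce: a client looping FireServer gets at most one reward per COOLDOWN.
	local now = os.clock()
	local last = lastFire[player]
	if last and now - last < COOLDOWN then
		return
	end
	lastFire[player] = now -- set before anything that could yield

	-- Assumption: the reward only makes sense while the player holds the tool
	-- (an equipped Tool is parented to the character).
	local character = player.Character
	if not character or not character:FindFirstChildOfClass("Tool") then
		warn("coin event without an equipped tool: " .. player.Name)
		return
	end

	profile.Data.Coins += COINS_PER_USE
	local leaderstats = player:FindFirstChild("leaderstats")
	local coins = leaderstats and leaderstats:FindFirstChild("Coins")
	if coins then
		coins.Value = profile.Data.Coins
	end
end)
```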

