Hello, I will soon add in my game time trial races, with a leaderboard of the top 10 best times. I would like that this rank can’t be exploited and modified by people, as was an old rank I made. All the script of the race is local and when the player finishes I fire the client to the server with his time (that i put in a value) and add him to the leaderboard (with data), how to make sure that players can’t exploit this time value? Thanks
If you are able to move this system onto the server then I would suggest doing so, if not try do some sanity checks on the server.
Can you clarify the sanity checks for me please ?
Actually I would like to understand what the exploiters can modify? Can they modify a value that is in replicated storage? Can they put a part that is in replicated storage in the workspace? Can they modify a part that is in the Workspace (cantouch, cancollide etc) or a Replicated Storage part ?
If it’s on the server, they can’t change it directly. If you’re telling the server how long you took to complete a race, you need to rewrite that system. Even then, the exploiter could just move to the finish line in an instant.
Check that numbers aren’t ridiculously out of proportion, such as making sure times aren’t less than a certain amount that would be difficult to attain. You could go more advanced and try to calculate how long it should have taken, but I think you should try to track it on the server. Maybe trust the client’s reported time if it’s within a certain margin of error from the server time if you’re worried about latency.
No they can’t do that they have to touch 21 precise emplacements to valid and finish the race. When they touch one emplacemement, the second one appear in the map and become touchable … until the last one which mean the end, it’s for create the path
Ah, I see. I’ve heard of other games doing this, but unfortunatly they can still be bypassed, unless they’re far apart and you have to wait to touch each one because it takes time to do it legit.
Yes I thought of checking if the time is under xx seconds then cancel the result, but I thought I might be able to find better than that because they can exploit that too by finding the exact time that allows them to appear in the ranking
Yes, but if they can tp on the parts one by one they would still finish first
Yes to all of these, but server-sided Scripts and other players won’t see any changes.
They can make a limited amount of changes to their character (partially to avoid input latency), but they can’t access, read, or modify anything that is in ServerStorage or ServerScriptService. They can do anything they want with a LocalScript, including creating new ones, modifying existing ones, or deleting them. They can also easily intercept internet traffic (from RemoteEvents) to change the data being sent over.
Awesome! So each time they hit one, use a RemoteEvent and tell the server they reached it and their current time. Then you can do some basic checks to filter out low values to prevent speed hacks or modified data.
You can switch it up occasionally to get rid of that, but also most hackers don’t consider it worth the time to get a ‘partial victory’ like that. I know back when I was hacking (more than 10 years ago, mind you), I would have just left a game if I wasn’t able to set my WalkSpeed as high as I’d have liked. Things can’t ever be perfect, there must be a balance between organization, performance, playability, and security.
Maybe there should be a system to where the user has to submit a video of them completing it, if their time is short. Or try to implement an anticheat.
Ok ok thanks for your advices and your time I’ll see what I can do and in the worst case i’ll remove the leaderboard, it was just a bonus to stimulate the players
Thank you for your advice ! I’m not sur about ask player to send me a video 
Something else I just thought of actually, is to record the player’s movements so you can watch them back on your own terms, to determine if they are legit. So, no video, just saving their position every frame in a datastore, if their time is short. If they took over like 5 seconds, I wouldn’t bother saving it to a datastore to have it checked.
Ohh but I just thought ! Players can’t even teleport! In fact they are in a suspension car, when they jump out of the car, the race stops automatically, if they try to teleport their character while they are inside the car then constraint vehicle + teleport = flying in the air
Exploiters can still fly or teleport in a vehicle. Here is footage of a wild skid using a script it found:
Just noticed hes on mobile, his ipad probably has a virus now.
I wouldn’t worry about it too much though, if this game is just for learning how to script, don’t bother too much with security. But, still learn what things are really bad practice because of how exploitable they are, like having the client handle their coins, level, rebirths, etc.
No my bad yes you true … me sad. And yea i’m slighty worry because I count on the next update to give a second life to my game (which has exceeded 40 million visits) so I try to do things right
Well what I will do is try to add a maximum of security here and there to detect cheaters. I will put the board, and if the top10 is composed of hackers then I will remove the board
So this is not for learning- it’s a real game? Didn’t know!
The reason of thought of this is because of the game Parkour. It has a setup to where you can watch other player’s complete time trials around the map. And you can also seem them fly around because they’re hacking.
Also, exploiters can fire touch interests, they don’t need to actually at the part to touch it. A simple magnitude check can patch that.