How can I Protect my economy and scripts from exploiters?

ZoomCode · May 6, 2021, 6:43pm

I’m currently beginning the process of programming for my upcoming game. This game will have a lot of features and different gameplay. With this being said I want to make sure my game is secure as well as the Inventory system of my game is secure. After doing research I haven’t been able to find a good or clear answer to this. I’m currently debating if I should be using Module Scripts, Normal Scripts or Local scripts for the majority of the game. My biggest concern is exploiters giving themselves money. I do plan on having an anticheat and I understand that I won’t be able to block anything however I want to make sure that the biggest things are blocked. Examples would be them messing with everyones money or giving themselves lots of money etc. So my final question is the following which of these things listed below should I avoid using as much as possible and where should I try to store most of my core scripts. If you guys could let me know the risk of using the following and where they should be stored that would be great.

Local Scripts
Normal Scripts
Module Scripts
Remote Events
Remote Functions
Datastores

On that note which of the following are the safest places to store scripts?

Workspace
Replicated Storage
StarterPlayerScripts
StarterCharacterScripts
ServerStorage
ServerScriptService

Thank you for taking the time to read this. Hopefully this is the right area.

justice_romqxn · May 6, 2021, 6:56pm

Depends, but overall, ServerScriptService.

There’s no one script to use, depending the on the purpose and the code inside that will decide which one to use.

ramdom_player201 · May 6, 2021, 7:06pm

Exploiters cannot access server scripts, only local scripts. Make sure to handle sensitive stuff on the server with server scripts (normal scripts) and do extra checks on functions from remote events because exploiters can falsely fire them too.

BananaSplittTV2 · May 6, 2021, 7:31pm

About giving the exploiter giving himself infinite money, let me give you a example of how these flaws happens:

That one innocent scripter goes there and build a “Money give system” here is their server code:

local Event = game:GetService("ReplicatedStorage").GiveMoney

Event.OnServerEvent:Connect(function(player,moneyquantity)
	local MoneyValue = player.leaderstats:FindFirstChild("MoneyValue")
	
	if MoneyValue then
		MoneyValue.Value = MoneyValue.Value+moneyquantity
	end
end)

Many expert scripters or even intermediate will probably already know what is going to happen. But let me continue…

Now here is the localscript that he also created:

local Event = game:GetService("ReplicatedStorage").GiveMoney

local SimulatorClickButton = script.Parent

SimulatorClickButton.Mouse1Click:Connect(function()

Event:FireServer(10)

end)

So what’s the flaw here?
The exploiter can simply make a localscript and code this:

local Event = game:GetService("ReplicatedStorage").GiveMoney

Event:FireServer(999999999999999999)

or this:

while wait() do

Event:FireServer(10)

end

And done the exploiter will have infinite money. But how did the exploiter discovered this? Simple. The exploiter saw the localscript with a Event called GiveMoney with the parameters of number (which may lead to him think that this parameter is the money quantity that the player will get), and he made a little code using this flaw to give himself infinite money.

How can you prevent this from happening?

Well. When making a system that requires communication between client to server, which may use Remote Events or Remote Functions, ONLY USE Parameters that are actually neccessary and there is no other method to achieve a certain information, besides Remote Events or Remote Functions.

So what the scripter could do instead? Well. Rewrite the server script:

local Event = game:GetService("ReplicatedStorage").GiveMoney
local moneyquantity = 10

Event.OnServerEvent:Connect(function(player) -- moneyquantity parameter REMOVED so client can't modify how much he will get of money
	local MoneyValue = player.leaderstats:FindFirstChild("MoneyValue")
	
	-- insert remote event cooldown code here, so it prevent the event from being fired too fast. im too lazy to make it rn, sorry.

	if MoneyValue then
		MoneyValue.Value = MoneyValue.Value+moneyquantity
	end
end)

So two things to be sure in this new server script.

Remove the moneyquantity parameter so the client can’t modify how much money he will get.
Make a remote event cooldown, so it doesn’t get fired abnormaly fast which may result on the same flaw.

Hope this helps you! If something is incorrect, please correct me and i will edit it.

Leborn_James12345 · May 6, 2021, 7:54pm

First off start off with Anti teleport and make sure is checking from the head and not the humanoidrootpart
because if they delete it = bypassed

And add some checks on the server for walk speed checks and fling checks etc is not that hard if you know what you’re doing good luck!

Inkthirsty · May 6, 2021, 7:59pm

From what I know exploiters can only execute scripts locally (unless there are backdoors that allow them to do it on the server). They can see your code anywhere besides ServerScriptService and ServerStorage.

Cryptic_spike · May 6, 2021, 8:04pm

From what I know, there’s an exploit known as remote spy which allows scumbags- eh, sorry, I mean exploiters to see remote events as they’re fired. (Basically allowing anybody with 10 minutes of scripting knowledge to abuse the game.)

The reason I’m saying this is because it shows that pretty much anybody with a virus (exploit) can exploit the game, meaning security should be more of a problem than it is.

DestroyerCam · May 6, 2021, 8:19pm

If you’re generating money try to keep it on the server as much as you can. You can display money locally, but you should store its actual value on the server. Just assume that exploiters can access anything that’s replicated onto their client. i,e: Values in Replicated Storage, Replicated First, Workspace, PlayerGui, etc…

The best place to store valuable scripts is in ServerStorage or ServerScriptStorage as, no matter how good an exploiter is they will never have access to the server.

PolyAxt · May 6, 2021, 8:48pm

All of these mentioned should be used
(excluding module scripts which are not needed but very handy though & easy to use).

Local scripts run on the client/player, they can make requests to the server using
remote events & functions.
A “normal script” or a server script can listen to that request and then you the developer need to verify that the request was legitimate which is how you can prevent people from giving themselves unlimited currency or items (server-sided checks).
I highly suggest you check out the Client-Server-Model to get a better understanding of this.

Oh and also, good luck on your scripting journey!

unix_system · May 6, 2021, 9:10pm

This isn’t entirely accurate - they can see that the files exist if they are outside of the ServerScriptService/ServerStorage areas however they can’t read the contents if they are Server Scripts.

Think about it like this - ServerScriptService/ServerStorage are like having permissions blocking viewing of the folder, and using Scripts is like having permissions blocking viewing of the file.

scripting1st · May 6, 2021, 9:12pm

I suggest placing your scripts/modulescripts in serverscriptstorage.

As for remote events, set a condition that will only give coins if x criteria is met.

Example:

--Script (Example by scripting1st)

local RemoteEvent
local conditionmet = false -- aka debounce

local function givecoins(player)
    -- Do something
end

RemoteEvent.OnServerEvent:Connect(function(player)

      if conditionmet then
            givecoins(player)

          conditionmet = false
          wait(3)
          conditionmet = true
      end
end)

As for dupes, I suggest you check out ProfileService. In a nutshell, this module uses session locking to “say no” to rejoin dupes.

Madonox · May 6, 2021, 9:25pm

My biggest concern is exploiters giving themselves money.

In order to prevent this I would recommend running checks on the server whenever a currency-based remote event or function is triggered. One example would be purchasing an in-game item with currency. You could verify the user has money on the server before giving the item, as this would be secure. I would also recommend checking this page out: Game Security (roblox.com)

DrWhoInTARDIS · May 7, 2021, 1:34am

in regards to remote events, I made a script that tracks all the remote events in the game to prevent spamming.

github.com

DrWhoInTARDIS/RobloxStuff/blob/b12d9e3218f3e180652ff782a950d15cb1fba32a/Remote Event Spam Protection.lua

--From yours truly: DrWhoInTARDIS
local events, playerTotalEvents = {} , {}
local TRACK_TIME_SEC = 10
local SINGLE_EVENT_LIMIT = 10
local TOTAL_EVENT_LIMIT = 30

function setupEvent(re :Instance|RemoteEvent)
    pcall(function()
        assert(re:IsA("RemoteEvent"))

        local e :Event = re.OnServerEvent
        events[e] = {}
        
        local counter = e:Connect(function(player)
            if events[e] ~= nil then
                events[e][player] = events[e][player] and events[e][player] + 1 or 1
                playerTotalEvents[player] = playerTotalEvents[player] and playerTotalEvents[player] +1 or 1

                --print(player,"Fired:",re:GetFullName(),"Single:",events[e][player],"Total:",playerTotalEvents[player])
                if events[e][player] > SINGLE_EVENT_LIMIT then

This file has been truncated. show original

ZoomCode · May 10, 2021, 3:32am

Thank you guys for all your replys. This has helped me get a better understanding of how these things work and should allow me to work out the flaws moving forwards.

VitalWinter · May 10, 2021, 3:33am

Never trust the client. It’s that easy.

Dev_Sie · May 12, 2021, 10:55pm

Someone already solved the problem but I am still reaching out, exploiters usually use DarkDed which is something that can check your games workspace scripts replicated storage etc. But what it can’t see is serverscriptservice and server storage. (Hope this helps and also for remoteevents you can make password system)

pilotjc · May 12, 2021, 11:02pm

Simple sanity checks for remote events negates the need for a password. (Pretty sure this is what you are talking about)

If you’re talking about server to server communication, you don’t need to run any events. Trying to fire remotes from the servers is not really the best idea.

Dev_Sie · May 12, 2021, 11:04pm

Wait so using serverscript to detect if remote event was fired isn’t a good thing to do?

pilotjc · May 13, 2021, 12:11am

This is not what I said, if I miscommunicated here’s what I mean;

You need the serverscripts to listen to remote events, this is the only way to do this (how remotes work).

Using remotes for communication from one serverscript to another is not efficient nor secure.