How exploitable are remote functions

I heard that using remote functions on the server is bad and that it can allow hackers to break your scripts by modifying the client. This sounds quite bad, as if they're able to break server scripts like this they could ruin the experience for other players. I’m not quite sure what exploiters are capable of with remote functions that fire from the server, or if what I said is even correct. I just want to know what exploiters are capable of if remote functions are invoked from the server and if there are ways to overcome it.

1 Like

Short answer: very exploitable, sadly. An exploit client can’t alter how they work or how the server interprets them, meaning the server cannot be broken if you can handle wrong information being passed through it. However, clients can fire remote events with whatever variables they wish, which is why people say not to trust the client, fact-check everything the server receives from a client, etc.

1 Like

By very exploitable do you mean it can be game changing, like breaking a script for all players, or just something minor like adding extra values? I’m asking this because I was planning to start using client hitboxes, which I was planning to do by invoking a remote function on the server and returning whatever gets hit. If you mean exploitable to the point where hackers can increase their hitbox size, then that’s not a problem; I could easily fix that with some sanity checks. But if you mean an exploiter could break a script for all players just by invoking a remote function on the server, then that’s a problem.

The level of exploitability depends on how the developer is handling the RemoteFunctions/Events. If the handler is insecure, then the Remote is very exploitable.

-- Example of an insecure Remote
-- Client
RemoteEvent:FireServer(1_000_000) -- a remote event that gives the client more money

-- Server
RemoteEvent.OnServerEvent:Connect(function(player, amount)
   -- no checks on what the value is/how much should actually be given
   -- granted, you shouldn't have a remote event that does this in the first place
   player.leaderstats.Money.Value = amount
end)

1 Like

Like @HugeCoolboy2007 said, it’s very reliant on the game. If you have a remote to make it so that whatever value you pass through is added to your cash, then it’s game breaking for yourself. If you have a remote to instantly kill someone, then it’s game breaking for others. It’s all on the game itself.

This doesn’t really answer my question regarding a Remote Function being invoked from the server. I understand that firing a Remote Event in a way like that without any sanity checks is a bad thing; what I don’t understand is what an exploiter can specifically do when a Remote Function is being invoked from the server to return a value from the client. I heard they are able to break scripts for all players by modifying the code that the Remote Function runs through in the client, which wouldn’t be a good thing. I’m not sure if this is true or false, so I came here to understand what they are in control of doing in this scenario.

In the case of RemoteFunction:InvokeClient (which is something you should very rarely or never be doing), you would need to create an artificial timer for the method.

What I mean by this is, when you invoke the method (wrap it in a pcall since exploiters can make the method purposely error), make the server wait for a certain amount of seconds before it automatically disregards the request (exploiters can connect to the RemoteFunction and make it yield infinitely).

So to answer your question, RemoteFunction:InvokeClient is insecure unless you have proper safeguards for it.


If you’re curious how exploiters can manipulate the Server → Client RemoteFunction request, it’s the same way regular developers can do it:

-- example (runs on the exploiter's client)
RemoteFunction.OnClientInvoke = function()
   while true do
     task.wait()
   end
end

-- method runs infinitely and thus the server hangs forever

2 Likes
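The pcall-plus-timeout safeguard described in the reply above, written out as an added example (not code from the thread). It assumes a RemoteFunction named "QueryHitbox" in ReplicatedStorage (placeholder name) and that the calling server script is allowed to yield.

```lua
-- Added example, not from the thread: server-side InvokeClient with a deadline,
-- so a client that errors, leaves, or yields forever cannot hang the server.
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local remote = ReplicatedStorage:WaitForChild("QueryHitbox") -- placeholder name

local DEFAULT_TIMEOUT = 3 -- seconds the server is willing to wait for a reply

-- Returns (ok, result). ok is false when the client errored, disconnected,
-- or did not answer within `timeout` seconds; result then holds the reason.
local function invokeClientWithTimeout(player, timeout, ...)
	timeout = timeout or DEFAULT_TIMEOUT
	local caller = coroutine.running()
	local finished = false

	-- Worker: the real InvokeClient, inside pcall because the client can make
	-- OnClientInvoke error on purpose (or the player may have left).
	task.spawn(function(...)
		local ok, result = pcall(remote.InvokeClient, remote, player, ...)
		if not finished then
			finished = true
			task.spawn(caller, ok, result)
		end
	end, ...)

	-- Watchdog: if the client never returns (e.g. an infinite task.wait loop),
	-- resume the caller anyway and report the request as failed.
	task.delay(timeout, function()
		if not finished then
			finished = true
			task.spawn(caller, false, "timeout")
		end
	end)

	return coroutine.yield()
end

-- Usage: ask the client what its hitbox touched, then still validate the
-- answer on the server (type, distance, cooldown) before acting on it.
local function resolveClientHit(player)
	local ok, hit = invokeClientWithTimeout(player, 2, "attack")
	if not ok then
		warn(("No valid reply from %s: %s"):format(player.Name, tostring(hit)))
		return nil
	end
	if typeof(hit) ~= "Instance" or not hit:IsA("BasePart") then
		return nil -- reject anything that is not the shape the server expects
	end
	return hit
end
```

A late reply from a client that eventually returns after the watchdog fired is discarded, because `finished` is already set.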

You should never invoke the client; there’s almost never a need. If you really need to, though, make sure to add a timeout on the server so the client can’t hold the event forever without responding.

1 Like

Very, and not at all at the same time. It depends on how much power you’re giving them. Since they only pass a message, the message only has as much power as it can command the server to do. The message should be more along the lines of a request and not a demand. If I tell the server to buy something, it should be a request that the server determines I can do, not a demand that the server does immediately without checking whether it should even be able to do such and such.
