How to prevent exploits

A good way is to keep track of what amount players have, and if it gets suddenly changed without the server knowing, it will stop it.
But if you keep them all in server-owned stuff, it should be harder for them to exploit.

1 Like

Well, the best way to prevent exploits is to make it more highly secured by adding more and more code that prevents unusual things from happening. If they change the money value, kick them; if they are flying, jumping, speeding, kick them, etc. You can do these by checking the player’s Humanoid and the player’s Backpack.

local player = game.Players.LocalPlayer

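player.Character.Humanoid.Changed:Connect(function(property)
	-- property is the name of the Humanoid property that changed; react to it here
end)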

something like that.

2 Likes

If a client changes their leaderstats it will only be visible to them.

So you should be safe as long as you don’t use code that evaluates leaderstats on the client side.

3 Likes

I have tried the method of kicking the player if their value changes. But then my problem is: how do you make the system know whether the value was changed by collected values, as in collected coins? Then don’t kick.

If your leaderstats are being exploited and the whole server can see the changes then you have unsecured remote events.

That, or a backdoor could also be present.
I would recommend searching for it.

Check if they gain more {Value} than they are supposed to get.

Yeah, as IEnforce_Lawz said, it’s server sided. I would check the player’s money in a script. A way you can check if the player has got money by the game or not is if statements or variables. An example would be if a player won a race, he got coins, and you can add a variable that turns into true. When the coins value changes, you can check if that variable is true; if not, he’s probably exploiting.

1 Like

And how do I evaluate a balanced stable terminology of values, that is defined for cash that you have collected, for example, differing from exploit values?

That is very helpful. I will look into trying this method.

1 Like

I read a really good article on this.
You can fire a unique “Add Points” or “Subtract Points” to the server, and keep it a set amount. If need be, you can add a key to make different events.
For instance:

-- Add 50 Points
CoinEvent:FireServer("POINT_ADDITION_X3456") -- or whatever key

There’s no actual way to prevent it. It all depends on how you set up your game and how to protect it since you understand your game the most.

2 Likes

Do not trust the client; always make them on the server, and remember that an anti-exploit will never stop them; they will always find a way. You just need to patch it whenever it breaks or hire moderators to help you.

2 Likes

Exploits occur client sided. (Like synapse, the script is local.) So trust the Server to check a player’s leaderstats. If you use the client, you will have the player’s exploited stats.

1 Like

If the leaderstats is created through ServerScriptService and is handled by a folder called leaderstats on the client side for each player, how do I then avoid this issue?

Well, firstly, leaderstats handled client-side, depending on where they are parented, won’t matter to the server because the server won’t see those changes. Instead, create a new system where the server creates, modifies, and outputs values to clients. A simple example is:

  • Placing leaderstats in workspace.
  • Server uses the leaderstats values for modifying and verifying.
  • Client can see the values as they change as well.
  • If client changes those values, it won’t matter because it won’t replicate to server.

Use remote events (firing server) so that you can check its leaderstats are legit.

But, there are tools like remote spy for finding the event and if it’s being fired from a local script, they can access it and get the key.

What I mean is, something like this:

Event:FireServer("XD_Ef24")

Is that exploitable?

Remote spy shows arguments, so they could see

"XD_Ef24"

1 Like
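
An added example, not part of any post in this thread: a server Script that treats the remote's argument as a claim to verify rather than an amount or a secret key, which addresses both the "collected coins versus exploit values" question and the remote-spy concern above. The remote name `CollectCoin`, the `workspace.Coins` folder and the numeric limits are assumptions made for illustration.

```lua
-- Server Script (for example in ServerScriptService). Added example; names are hypothetical.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local collectCoin = Instance.new("RemoteEvent")
collectCoin.Name = "CollectCoin"   -- hypothetical remote; clients fire it with the coin Part
collectCoin.Parent = ReplicatedStorage

local COIN_VALUE = 50     -- payout is decided here, never sent by the client
local MAX_DISTANCE = 12   -- studs; assumed pickup range
local MIN_INTERVAL = 0.2  -- seconds between accepted pickups per player
local lastPickup = {}     -- [Player] = os.clock() of the last accepted pickup

-- The server creates and owns leaderstats; client-side edits never replicate back.
Players.PlayerAdded:Connect(function(player)
	local stats = Instance.new("Folder")
	stats.Name = "leaderstats"
	stats.Parent = player
	local coins = Instance.new("IntValue")
	coins.Name = "Coins"
	coins.Parent = stats
end)

Players.PlayerRemoving:Connect(function(player)
	lastPickup[player] = nil
end)

local coinsFolder = workspace:WaitForChild("Coins") -- assumed folder of server-spawned coin Parts

collectCoin.OnServerEvent:Connect(function(player, coin)
	-- Every argument is attacker-controlled and visible to remote spy: validate, don't trust.
	if typeof(coin) ~= "Instance" or not coin:IsA("BasePart") then return end
	if coin.Parent ~= coinsFolder then return end -- not a real coin, or already collected
	local character = player.Character
	local root = character and character:FindFirstChild("HumanoidRootPart")
	if not root then return end
	if (root.Position - coin.Position).Magnitude > MAX_DISTANCE then return end
	local now = os.clock()
	if lastPickup[player] and now - lastPickup[player] < MIN_INTERVAL then return end
	lastPickup[player] = now

	coin:Destroy() -- one coin, one payout: a replayed request fails the Parent check
	local stats = player:FindFirstChild("leaderstats")
	local coins = stats and stats:FindFirstChild("Coins")
	if coins then coins.Value += COIN_VALUE end
end)
```

Because the server is the only writer of `Coins.Value`, there is no unexplained change to detect: a replayed or forged `FireServer` call is simply dropped by the checks.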