How to sanity check a gacha system

as title states, i have a gacha system which randomizes what the player gets on the click of a button.

first, the client does math.random and checks which category of rarity it rolled to, and then randomizes out of a list of items in that rarity. i know that i should be doing this on the server, but because it needs to change some UI that pops up based off of the item they received, i figured it would only get worse if i did it on the server (because then i’d have to fire client from there and more opportunities to exploit that)

after everything on server side is done, it fires server in order to add the item to the player’s inventory. i tried looking for ways to encrypt or do a sanity check of the name of item received (which is passed through the event), but i’m very lost and surely there must have been a way to do this?

on a side note, i’m having trouble finding a way to make a sanity check for my purchase system as well, where it does processing on the client and then fires server to deduct the price. i’d used a dictionary of name of item to price and checking that name of item purchased is the same as price, but i figured they could just modify that in the event. any help? thanks!

I don’t think rolling random drops on the client is anything close to a good idea. You really should just use a UI flow that allows for the client to “indefinitely” wait for a response from the server with the received item. This also avoids the problem of needing to validate the rolled item (which would be otherwise impossible if it is rolled client-side, how exactly are you supposed to know they’re not rigging the odds in their favor?).

i see… i will def change the system to work from a server script. from some researching though, i believe exploiters can still mess with arguments sent through fire client? though i may be wrong.

Exploiters can obviously change the information they receive from the server, but that does not matter when the server already knows the correct item the player received. If you need to validate a player’s ability to “use” (whatever that means in your game) the item, then do so by checking whether the server’s copy of the inventory has the item, and if not, do something about it (such as just flat out ignoring the item’s usage, or if you have reason to suspect foul play then kick the player).

thank you so much! i never thought of doing that.

Something to add, I would probably be lenient with kicking players for inventory mismatches and instead opt for overwriting the player’s inventory (or just the slot in which the incorrect item was detected) with the correct inventory. If it keeps happening then maybe kick the player, but you need to be sure that it isn’t your game causing the desync. I wouldn’t constantly poll for mismatches (exploiters could simply alter this behavior anyways), just only check when required (e.g. the player performs an action using an item).
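The server-authoritative flow the replies describe, as an added example that is not code from any poster in this thread: the server charges the price, rolls the item, records it in its own inventory copy, and returns the name only so the client can draw the reveal UI. The remote names (`RollGacha`, `UseItem`), item names, weights, prices and the in-memory `coins`/`inventory` tables are assumptions made for illustration.

```lua
-- Server Script (e.g. in ServerScriptService). Added example; every name and value is an assumption.
-- Assumes a RemoteFunction "RollGacha" and a RemoteEvent "UseItem" already exist in ReplicatedStorage.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local rollRemote = ReplicatedStorage:WaitForChild("RollGacha")
local useRemote = ReplicatedStorage:WaitForChild("UseItem")

local ROLL_COST = 100 -- constructed price; it exists only on the server
local POOLS = {       -- constructed rarity table; weights sum to 100
	{ weight = 80, items = { "Wooden Sword", "Cloth Cap" } },
	{ weight = 18, items = { "Steel Sword" } },
	{ weight = 2, items = { "Dragon Blade" } },
}
local rng = Random.new()
local coins, inventory = {}, {} -- the server's authoritative copies, keyed by Player

Players.PlayerAdded:Connect(function(player)
	coins[player], inventory[player] = 500, {} -- constructed starting balance
end)
Players.PlayerRemoving:Connect(function(player)
	coins[player], inventory[player] = nil, nil
end)

-- The client sends no arguments: cost, odds and result are all decided here.
rollRemote.OnServerInvoke = function(player)
	if not coins[player] or coins[player] < ROLL_COST then
		return nil -- cannot afford (or data not loaded yet); nothing changes
	end
	coins[player] -= ROLL_COST
	local pick = rng:NextNumber() * 100
	local chosen = POOLS[#POOLS].items -- fallback for floating-point edge cases
	for _, pool in ipairs(POOLS) do
		if pick < pool.weight then
			chosen = pool.items
			break
		end
		pick -= pool.weight
	end
	local item = chosen[rng:NextInteger(1, #chosen)]
	inventory[player][item] = (inventory[player][item] or 0) + 1
	return item -- the client uses this only to show the reveal UI
end

-- Item use is checked against the server's inventory, never against the client's claim.
useRemote.OnServerEvent:Connect(function(player, itemName)
	local owned = inventory[player]
	if type(itemName) ~= "string" or not owned or (owned[itemName] or 0) < 1 then return end
	owned[itemName] -= 1
	-- apply the item's effect here
end)
```

On the client, `RollGacha:InvokeServer()` yields until the server replies, so the reveal UI can show a waiting animation and then display the returned name. A tampered name on the client changes only what that client draws.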