How to secure remote events from exploiters

Hello. I’ve had an issue in my game, and I’ve seen a few exploiters using remote events to earn money without actually doing what you need to earn the money. They just fire them off. How can i prevent this?? I know i need to “check on the server side”, but how would i go about this? what does that mean


This is hard to answer without context, every case scenario can be different. How do players gain money in your game may I ask?


Basically they complete an obby/quest, and when they are done they click a GUI button, which that button fires off a remote event. I then have a script in server script service which gives them the money.


You can use a magnitude check where the obby ends. Players could teleport to the end to get easy money so you can check their distance each frame and if it’s above a certain threshold you can teleport them back.

What is a magnitude check? (sorry i am not very good at scripting)

It’s an if statement checking if the distance between two positions is smaller or equal to a threshold.
For example:

if (a - b).Magnitude <= 10 then

Magnitude is a great way of validating remote firing for Obby as well.

I know i need to “check on the server side”, but how would i go about this? what does that mean

For example, you can check out this:

RemoteEvent.OnServerEvent:Connect(function(player, taskType)
    -- Validate the task was truly completed. This can be a complex or simple check.
    -- Maybe check the player's position, their game state, recent actions, etc.
    if validateTaskCompletion(player, taskType) then
        -- Decide the reward
        local rewardAmount = 1000  -- or determine based on task type

        -- Give the reward
        playerData[player.UserId].money += rewardAmount

function validateTaskCompletion(player, taskType)
    -- Your validation logic here.
    -- Example: Check if the player is in the correct location or if enough time has passed since their last task.
    return true  -- or false based on your conditions


This is untrue, the client can access already existing scripts.

1 Like

So then what else should I do?

They told you two times a good option…? Basically:

Client fires server when client reaches the end:

Server checks that client is withing X amount of studs from the end. If not the Exploiting or lag, if yes then give the money.

Hi. I started doing this, then realized it wouldn’t work because when a player gets to then end of the obby, it teleports them to start, and shows them a gui on completion, which they click the button and it then fires the remote event. Do you know any other ways I could do it? Like should I make it so if the remote event is fired off too many times in a certain time frame the player is kicked/banned?

when you touch a part in the end change a boolvalue inside the player to true
something like ReachedEnd.Value = true the script needs to be a server script
when you send the remote make the server check if the value is true

couldnt the exploiter just fire off the “reached end” remote event so they can fire off the actual ones?

Why don’t you just fire another remote when they get to the end before teleporting? Then you can save a variable on the server saying they completed it with the magnitude check, and in the other remote you just check if that variable is true.

there is no reached end remote i never said that.

@5uphi provided an insightful response to a topic similar to this and provided 2 videos that go over Exploit Security and Replication that I recommend you give a watch :+1:

I would try making say a code then on the server you can run a calculation to check if that code is a certain number e.g Client Send 4566564324354, Server times by 0.5 then divides 100 . If it is not the set value then kick the player

How? There is nothing Different about any exploitation of a RemoteEvent, and all of them have the Same solution. Which is “Sanity Checks”, the context does not matter here if the solution will be the exact same.

Sanity Checks are basically juat validating the info, to make sure its true, with RemoteEvents of any kind going towards the Server, it is always best to assume what the client sends is completely false, as it can be manipulated by it.

What I meant was every sanity check can be different.