I’m about to make it. But I need to make sure this kind of anti-exploit can actually stop events being fired by exploiters. Here is my way:
There is a access code in the sever. If a localscript want to fire an event, it needs to provide the correct code in order to fire it. And the access code will be changed every second.
I’m pretty worried that exploiter might be able to see what’s inside workspace/serverstorage.