I’m new to Roblox game designing. I’ve completed a number of Roblox learning courses and watched a lot of videos as well. I’ve noticed in these videos/courses that they set up a game so a player’s money value is kept within their leaderstats, as a number. Isn’t a player’s leaderstat kept client side? If so, then isn’t the leaderstat and its values subject to being hacked and changed client side? Server side Scripts are often used for purchasing items to prevent client side purchase hacks. But in the videos, those server Scripts end up referencing the player’s leaderstats for the amount of money a player has. A player could hack their leaderstat money.value to a huge figure and it would look fine to the server purchase Script. The player could purchase as many items as they want. If my line of thinking is correct, is there a better, more protected place to keep the absolute source of a player’s game data (like money) during game play? Leaderstats could reference that protected data for its number values. Purchasing scripts could do the same. Thoughts?
Leaderstats can be changed client side, but you can have only the server read the values for important reasons like spending money and such, so exploiters can only change the value for their client, not the server.
So you’re saying that a hacker can only affect their own leaderboard. But, that still allows them to give themselves money and make tons of purchases, right? The server purchase Script is still going to read their hacked leaderboard, with modified money values, to permit illegal purchases for themselves, right?
I believe it will act like when you edit your data from the client in Studio testing, where it puts the player into negatives or just doesn’t allow the transaction since they’re handled by the server.
I believe you. Help me to understand what’s going on behind the scenes and fill in the gaps.
Player touches a reward which updates their local leaderstats money.value. Now they have $50.
Player initiates a purchase of $100 by clicking a button on their screen. The button has a local script which will trigger a RemoteFunction, which is picked up by a Server purchase Script.
The Server purchase Script looks at the player’s local leaderstats for the money.value to see if there is enough money for the purchase.
There’s not enough money, so the purchase doesn’t happen.
Player breaks out their hacks and modifies their local leaderstats, changing their money.value to $100,000.
Player initiates the purchase again. The server purchase Script reads the player’s local leaderstats for the money.value and believes the modified value. The purchase is completed.
In that explanation, where is my knowledge lacking for how the server purchase Script will determine if the player has enough money?
The Server purchase Script looks at the player’s local leaderstats for the money.value to see if there is enough money for the purchase.
This is not the case; the server script triggered by the remote event will look at the player’s leaderstats values on the server, not the client.
Any changes to the local leaderstats values made by the cheater will simply not exist on the server as these values replicate from server to client, not client to server.
To answer your question, yes, it is fine to store player data in leaderstats, just make sure you only read it from the server scripts when making decisions.
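The server-side check described in the answer above, as an added example that is not part of the original thread. The RemoteFunction name `PurchaseItem`, the `PRICES` table, the item names and the `Money` stat name are assumptions made for illustration.

```lua
-- Server Script (for example in ServerScriptService). Added example; names are assumptions.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

-- Hypothetical price list kept on the server so the client cannot choose its own price.
local PRICES = { Sword = 100, Shield = 250 }

-- Hypothetical RemoteFunction that the purchase button's LocalScript invokes.
local purchaseItem = Instance.new("RemoteFunction")
purchaseItem.Name = "PurchaseItem"
purchaseItem.Parent = ReplicatedStorage

-- The server creates leaderstats, so the authoritative copy lives on the server.
Players.PlayerAdded:Connect(function(player)
	local leaderstats = Instance.new("Folder")
	leaderstats.Name = "leaderstats"
	leaderstats.Parent = player

	local money = Instance.new("IntValue")
	money.Name = "Money"
	money.Value = 50 -- starting balance, matching the $50 in the walkthrough
	money.Parent = leaderstats
end)

-- `player` is supplied by the engine, not by the client; only `itemName` is client input.
purchaseItem.OnServerInvoke = function(player, itemName)
	-- Treat every client-sent argument as untrusted: check its type, look up the price here.
	if typeof(itemName) ~= "string" then
		return false, "bad request"
	end
	local price = PRICES[itemName]
	if not price then
		return false, "unknown item"
	end

	-- This reads the server's copy. A value edited on the client never reaches it.
	local leaderstats = player:FindFirstChild("leaderstats")
	local money = leaderstats and leaderstats:FindFirstChild("Money")
	if not money or money.Value < price then
		return false, "not enough money"
	end

	money.Value = money.Value - price -- the change replicates server -> client
	return true, "purchased"
end
```

The handler never accepts a balance or a price from the client, so a locally edited `Money` value changes only what that player sees on their own screen.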
Thanks for the insights. This is new knowledge for me. I didn’t know that there are two copies of player data, one locally and one on the server. The Roblox Studio Explorer tree doesn’t clearly show that this data is duplicated for server reference.
No problem. I remember it being a bit of a learning curve for myself on the exact same issue. Had me scratching my head until I figured it out with some helpful forum posts.
There is a helpful article on the developer site that tells you all about it.