Like the title says, people have found ways to use metatables in exploits to get data being send over a remote event and alter it to benefit themselves. if there a way to detect or stop this?
No there is not a way to detect this. Don’t let that be a concern though; if your backend is secure then their remote spy won’t actually be useful.
While a table’s metatable can be detected using getmetatable(), data being sent over the network loses its metatable and will not be accessible. You need to implement sanity checks on the server end to verify the viability of the data being received.
My problem is that I use the client to detect distance traveled from point A to point B to get clean and well calculated distances traveled after a player hits another. If this number is greater than 40 it’s a bad thing, and people alter this to make it always equal to a number between 20 and 39. I tried doing this on the server but because of latency the numbers never made sense and it looks really bad from the players perspective.
OP is talking about how some exploits might change __namecall to intercept remote calls to FireServer and InvokeServer so they can be logged (“remote spy”) to aid in their scripts, not about sending over tables that have metatables.
The exploit for my game that I was sent, to my knowledge, checks the remote event for hits, and makes a table of all data sent over the event. Then it alters it based on if the distance is not in their favor to be in their favor. Don’t really know if that info helps, I’ve never worked with metatables
If the remote events related to your datastore are eligible to be abused like this, then you likely aren’t doing enough security checks on the servers end or the way the remotes are being used is too dependent on the information from the client. If your data is being altered somehow by a metatable, perhaps you could try to use Lua functions such as rawget() or rawequal() to avoid checking for a metatable when checking through your tables on top of security checks although I’m not really sure how they’d be doing this in the first place.