Overall, great stuff! However, I would re-consider a few plausible problem scenarios:
When you cast a ray with Mouse.Target or similar, you are shooting a ray out as far as it can go. In contrast, the Raycast method offers a maximum distance that you can set. This distance check by itself could be used in the client validator for when to play the animation.
You are waiting for the server for validation before the animation is played. This may get slow when waiting for a server response, and since the animation is played through the client anyway, if an exploiter really wanted to, they could just play the animation right away.
Try to make sure you use GetService and then WaitForChild for remotes to load in, in your case ReplicatedStorage, server and client side.
Raycast offers better part filtering, so you can filter out multiple parts and models in a list rather than only ignoring that 1 model and its descendants. So, you can ignore your own player model (which you should do) and also for example certain projectiles / other that happen to stand in the way of the mouse ray.
Hi, I appreciate you sharing suggestions with me! I do have a few questions, though.
You said that if an exploiter really wanted to, they can just play the animation right away. But I also heard that playing animations on the client is far better than playing them on the server.
If you don't mind answering, is there really any way to prevent this? Because what if I connect a :GetMarkerReachedSignal() to the same animation, which will send something to the server as soon as it reaches that animation event?
An exploiter can just play the animation and that :GetMarkerReachedSignal() connected to that animation would still run.
If you know any solutions or suggestions to prevent this, please let me know!
Definitely remove the InvokeServer call; it is incredibly slow to wait on the server, especially for something like a distance check.
An exploiter does not need to play the animation to send GetMarkerReachedSignal, they can just send it. You need to validate on the server connection that the player is allowed to do what they want to do. We would need to see your remote event code and more context to help prevent exploits. In general the client must ask the server to do something, all events must be “can I get 100 bobux” not “give me 100 bobux”.
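The "ask, don't tell" rule from the reply above, sketched as a server-side handler. This is an added example and not code from anyone in the thread; the remote name `AttackRequest` and the range, cooldown and damage values are assumptions, since the original remote code is not shown.

```lua
-- Server Script (e.g. in ServerScriptService). Added example, not from the thread.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

-- Hypothetical RemoteEvent name; the thread does not show the real remote.
local attackRequest = ReplicatedStorage:WaitForChild("AttackRequest")

local MAX_RANGE = 12   -- studs; constructed value
local COOLDOWN = 0.5   -- seconds between accepted requests; constructed value
local DAMAGE = 10      -- chosen by the server, never read from client arguments

local lastAttack = {}  -- [Player] = os.clock() of the last accepted request

-- Returns the humanoid and root part of a living character, or nil.
local function livingParts(character)
	if not character or not character:IsDescendantOf(workspace) then return nil end
	local humanoid = character:FindFirstChildOfClass("Humanoid")
	local root = character:FindFirstChild("HumanoidRootPart")
	if not humanoid or not root or humanoid.Health <= 0 then return nil end
	return humanoid, root
end

attackRequest.OnServerEvent:Connect(function(player, target)
	-- 1. Remote arguments are untrusted: check the type before touching them.
	if typeof(target) ~= "Instance" or not target:IsA("Model") then return end
	if target == player.Character then return end

	-- 2. Rate limit, so firing the remote in a loop gains nothing.
	local now = os.clock()
	if now - (lastAttack[player] or 0) < COOLDOWN then return end

	-- 3. Both sides must be alive, judged from server-side state only.
	local _, attackerRoot = livingParts(player.Character)
	local targetHumanoid, targetRoot = livingParts(target)
	if not attackerRoot or not targetHumanoid then return end

	-- 4. Distance check with positions the server sees, not ones the client sent.
	if (targetRoot.Position - attackerRoot.Position).Magnitude > MAX_RANGE then return end

	-- Request accepted: the server applies the effect it decided on.
	lastAttack[player] = now
	targetHumanoid:TakeDamage(DAMAGE)
end)

Players.PlayerRemoving:Connect(function(player)
	lastAttack[player] = nil -- avoid leaking entries for players who left
end)
```

With the decision made here, the client can play the animation immediately for responsiveness, and a remote fired without a valid target, range or cooldown is simply ignored.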