Is this method safe from exploiters?

Hi Developers! :wave:

Today I stumbled upon an interesting question: are attributes in the Player Instance safe? Like if I take values from these to the server and make some calculations (like rewards for kills), is it vulnerable to exploiters making something bad out of it?

Maybe you know some ways to counter that if this way of exploiting in games is possible? I’d really appreciate any help provided!

1 Like

If you’re adding attributes to Player objects from the server, and only changing them from the server, then there’s nothing exploiters can directly do (changing attributes doesn’t replicate).

but if you use remotes to change them from the client then ofc exploiters can try some things

2 Likes

Anything clientsided = exploitable
Anything serversided = not exploitable

Serversided stuff is only exploitable if you have really horrible vulnerabilities between how the client and server perform actions together.

1 Like

This comes down to who has authority over the data. If it is stored and read by the server, what the client sees does not matter. If the client modifies an attribute, it may appear correct on their screen but will not necessarily be the value the server uses.

If you’re looking to avoid exploiters…
Player attributes are not an exception, as this applies to everything. Always use server scripts to read and write important game values such as kill counts, rewards, and stats. Do not trust data from the client unless validated on the server for data such as these.

1 Like
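The pattern the replies above describe, as an added Luau example that is not part of any post in this thread: the server writes the `Kills` attribute itself and, when a client asks for its reward, reads that attribute on the server instead of accepting a number from the client. The remote name `ClaimKillReward`, the `Kills` and `Coins` attribute names, the reward value and the `creator` kill tag are all assumptions made for illustration.

```lua
-- Server Script (e.g. in ServerScriptService). Added example; all names are assumptions.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local REWARD_PER_KILL = 10 -- assumed payout per kill

-- Hypothetical remote the client fires to cash in its kills
local claimReward = Instance.new("RemoteEvent")
claimReward.Name = "ClaimKillReward"
claimReward.Parent = ReplicatedStorage

local function addKill(killer)
	killer:SetAttribute("Kills", (killer:GetAttribute("Kills") or 0) + 1)
end

Players.PlayerAdded:Connect(function(player)
	-- Written by the server, so the server's copy is the authoritative one
	player:SetAttribute("Kills", 0)
	player:SetAttribute("Coins", 0)

	player.CharacterAdded:Connect(function(character)
		local humanoid = character:WaitForChild("Humanoid")
		humanoid.Died:Connect(function()
			-- Assumption: server-side weapon code tags the victim with an
			-- ObjectValue named "creator" whose Value is the attacking Player
			local tag = humanoid:FindFirstChild("creator")
			local killer = tag and tag:IsA("ObjectValue") and tag.Value
			if killer and killer:IsA("Player") and killer ~= player then
				addKill(killer)
			end
		end)
	end)
end)

claimReward.OnServerEvent:Connect(function(player)
	-- Extra arguments sent by the client are deliberately never read:
	-- the kill count comes from the server's own attribute value
	local kills = player:GetAttribute("Kills")
	if typeof(kills) ~= "number" or kills <= 0 then
		return
	end
	player:SetAttribute("Kills", 0) -- reset first so a repeated fire pays nothing
	local coins = player:GetAttribute("Coins") or 0
	player:SetAttribute("Coins", coins + kills * REWARD_PER_KILL)
end)
```

A LocalScript that calls `SetAttribute("Kills", 999)` on its own Player only changes that client's view; the handler above still pays out from the value the server holds.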

If the server can already see the attribute then just use the server to get the data instead of having the client send it over.

1 Like

If attributes are required by a server-sided script and don’t use a remote event from client > server. If your game USES local scripts, then I’ll recommend making some validation method.

1 Like

Thank you all for the feedback! According to what you’ve said, I can confirm that my game is safe from global game-changing exploits! I can’t even decide to whom I am going to give the solution :sweat_smile:

1 Like

That’s what I get for rewriting that six times. But this is key information to know. Glad so many understand this. I actually hit on this a while back when I noticed my client script could not really change a value set by the server, even though it looked like it had.

1 Like