Leaderstats Anti-Exploit

I’m definitely sure that leaderstats are just vanity and not true value holders, they are simply displaying what a player has. Exploiters do not have direct access to the values.

Server-sided values are replicated to leaderstats. I have no clue why you’d bring Roblox Jailbreak’s system.

Then how they manage to exploit it, any ideas? Since you said they don’t have direct access to the values.

It is because you have an exposed remote which leaves it vulnerable to changes, as aforementioned. Remotes are visible to clients and they may fire anything into it.


We can confirm it is an exposed and badly secured remote.

  • No backdoor plugins
  • No freemodels.
  • No other access points.
  • Values are still changing on server from an exploiter.

I advise against anti-exploit for this part on client. However, you should install the anti-exploit on server as it is the most safest environment out of an entire game.

Are scripts safer in ServerScriptService than in other place in game? Yes I definitely consider making AntiCheat in server.

If it’s a server script, yes. However, exploiters can’t change them as they are always server-sided regardless.

For local scripts, it’s a different case.

Can exploiter change, who fired event? When client fires :FireServer(). Server gets player, can client change who fired it?

Unfortunately for the exploiter, that parameter cannot be changed.


Why don’t you look around here?

Ok, thanks. Rightnow I have enough information for my Anti-Exploit.

I am late and im a sick a little bit, anyways if someone else didnt said,

if ur doing serverside check, they cant change thair leaderstats or whatever, it wont work
if ur using localscript, they can bypass it and give whatever they want.
so basically use globalscript for leadeerstats

You said you have a remote which subtracts money. Do you check if the value given is negative like other users have asked? You haven’t mentioned this possibility yet. This is most likely what your problem is based on what you’ve told us. In the future you should never handle leaderstats on the client since anything on the client can be modified, spoofed, etc.

I wrote an article on creating anti cheats. How you should secure your game - A beginner guide for secure networking and developing anticheats - #44 by The_Woozoo

If you’re looking to create an anticheat I’d suggest taking a look at it as well as other resources you can find.

This is unlikely to be what happened.

If you are aware of an exploit capable of doing this, please report it privately to the Exploit Triage Team.

I asked exploiter if he could show me how he did it exactly, but he didn’t want to. So I have no information about exploit he used and how exactly he used it to do that.

Hi,

I was referring to the alleged ability to run the server console as owner, which has not been previously discovered.

Your issue, I believe, is likely down to insecure events, as described by other members.

Couldn’t he run a loop that would increase his in-game-currency by Lua executor exploit type? Maybe I think he has some sort of exploit level 7

No. This is not possible with Filtering Enabled.

Do you know why exploiters can use “loadstring()” even with loadstring set to false?

Because they have their own environments. It’s pointless trying to limit what they can access clientside in most situations, since their changes can’t normally propagate to the server.

Maybe this will be off topic, but let’s assume I have made a game where there is no teleporting used in scripts or localscripts. What are some ways exploiter could teleport? I know only one way they teleport through changing their x,y,z position of RootPart like HumanoidRootPart, Torso.

They can change their position with the :MoveTo() / :SetPrimaryPartCFrame() functions of models.

Basically, they can do whatever you could do with a LocalScript (plus a little bit more) - assume anything on the client side can be read, copied, changed, or disabled by an exploiter.

thats not possible but they probably used an exploit called dex with allows you to see thru your game files
its like an off brand of roblox studio -they cant see ServerScriptService or ServerStorage
they can view local scripts but not change them