Preventing exploiting from client side minigames

Unfortunately, because of the way you’ve set up the game on the client so far, I don’t believe there is any way to combat exploiters here.

If I think of one I’ll let you know.

1 Like

As ArticGamerTV said, you can stop exploiters from saying they created a million pizzas by sanity checking the result at the end - whenever a player starts a minigame, record the time on the server using os.time, and at the end work out how long they were playing by subtracting the recorded timestamp from the current one.
If the player claims to have cooked more than 2 pizzas per second (or whatever you think the fastest a human can cook a pizza is), they’re exploiting.

If you want to keep the server mostly uninvolved, that’s about as far as you can go.
Putting more of the minigame’s logic on the server lets you include more checks that the player’s inputs are all possible, but exploiters can lie about anything their client does, so the exploiter can always send well-crafted remotes and inputs to play the minigame perfectly.

4 Likes
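The timing check described in the post above, sketched as an added example (not code from the thread). The 2 pizzas per second limit is the post's figure; the function names and the idea of keying sessions by a player identifier such as UserId are assumptions, and the logic is written as plain Lua functions that the start and finish RemoteEvent handlers on the server would call.

```lua
-- Added example: server-side session timing check (plain Lua, also valid Luau).
-- MAX_PIZZAS_PER_SECOND is the post's figure; all function names are hypothetical.
local MAX_PIZZAS_PER_SECOND = 2

local sessions = {} -- [playerKey] = start time recorded by the server

-- Call from the "start minigame" remote handler. `now` is injectable for testing.
local function startMinigame(playerKey, now)
	sessions[playerKey] = now or os.time()
end

-- Call from the "finish minigame" remote handler with the client's claimed count.
-- Returns (accepted, reason).
local function finishMinigame(playerKey, claimed, now)
	local startedAt = sessions[playerKey]
	sessions[playerKey] = nil -- one claim per start, so a repeated finish is rejected
	if startedAt == nil then
		return false, "no active session"
	end
	-- Remote arguments are client-controlled: check the type before doing any math.
	if type(claimed) ~= "number" or claimed ~= claimed
		or claimed < 0 or claimed % 1 ~= 0 then
		return false, "malformed count"
	end
	local elapsed = (now or os.time()) - startedAt
	if claimed > elapsed * MAX_PIZZAS_PER_SECOND then
		return false, "faster than allowed rate"
	end
	return true, "ok"
end

-- Constructed sample run with fixed timestamps instead of the real clock.
startMinigame("player1", 1000)
print(finishMinigame("player1", 20, 1015))      -- 20 pizzas claimed after 15 s
print(finishMinigame("player1", 20, 1016))      -- second finish without a new start
startMinigame("player2", 1000)
print(finishMinigame("player2", 1000000, 1003)) -- a million pizzas claimed after 3 s
startMinigame("player3", 1000)
print(finishMinigame("player3", "30", 1020))    -- wrong type sent by the client
```

Because the start time lives only on the server, a finish remote fired without a matching start, or fired twice, is rejected regardless of what the client claims.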

If you want to prevent exploiters from abusing your game, you need to do sanity checks on the server and log specific actions.

I don’t see the problem with logging each pizza a user has made on the server. There is literally no downside to that and it is the only way to prevent someone from abusing the minigame.

If I had an event that fired every time a pizza was made, a player could just fire that event a hundred times to the server. There’s no way for me to do any checks on the server for how many pizzas a player’s made. The pizzas spawn in on the client.

I’d be careful with this.

A common mishap in a developer’s exploit checking is believing players are only as good as the developer is.
Some people are just really, really good at certain things that are hard to believe. Striking them down for having near-exploit level techniques or skill is a really negative thing to be doing. Especially if the game is targeted to kids, and some smart adult excels in it.

TLDR, if you do this method make sure you don’t underestimate people too much

2 Likes

You could then use that information to store it in a table or something so that whenever the event is fired the player gets stored and if they get an absurd amount then you could act accordingly. However, I agree with @lysandr on what they are saying about keeping the limit on a reasonable level.

The limit is 30 pizzas, so I already am checking on the server to make sure that the highest a player can make is 30, but an exploiter could still just start the game, fire event for 30, rinse repeat

If your minigame is simple enough, log the input actions of the player on the client and handle the entire minigame on the client. Once the minigame is done locally, send the table of input actions to the server and have the server run a simulation with the input actions to determine the real score.
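A sketch of the server-side replay this post describes, as an added example that is not from the thread. The page never defines the minigame, so the four-step recipe, the log format ({t, action} entries), the minimum gap between inputs and the entry limit are all hypothetical; serverElapsed is assumed to be the session length the server timed itself.

```lua
-- Added example: server replays a client-sent input log to compute the real score.
-- The recipe, log format and limits are hypothetical; the page does not define them.
local RECIPE = { "dough", "sauce", "cheese", "bake" } -- steps for one pizza, in order
local MIN_STEP_GAP = 0.1    -- assumed shortest plausible gap between inputs (seconds)
local MAX_LOG_ENTRIES = 500 -- bound the work a single request can force on the server

-- `log` is the array the client sent; `serverElapsed` is the duration the server
-- measured between the start and finish remotes.
-- Returns the score, or nil and a reason when the log cannot be genuine.
local function replayScore(log, serverElapsed)
	if type(log) ~= "table" or #log > MAX_LOG_ENTRIES then
		return nil, "malformed log"
	end
	local score, step, lastT = 0, 1, nil
	for i = 1, #log do
		local entry = log[i]
		if type(entry) ~= "table" or type(entry.t) ~= "number"
			or entry.t ~= entry.t or type(entry.action) ~= "string" then
			return nil, "malformed entry"
		end
		-- Timestamps must fit inside the session the server timed and respect the gap.
		if entry.t < 0 or entry.t > serverElapsed then
			return nil, "timestamp outside session"
		end
		if lastT and entry.t - lastT < MIN_STEP_GAP then
			return nil, "inputs too fast"
		end
		lastT = entry.t
		-- Simulate the game rules: a wrong step ruins the current pizza.
		if entry.action == RECIPE[step] then
			step = step + 1
			if step > #RECIPE then
				score, step = score + 1, 1
			end
		else
			step = 1
		end
	end
	return score
end

-- Constructed logs: an honest two-pizza run and a forged burst of near-instant inputs.
local honest, forged = {}, {}
for i = 0, 7 do honest[#honest + 1] = { t = 0.5 * (i + 1), action = RECIPE[i % 4 + 1] } end
for i = 1, 8 do forged[i] = { t = 0.01 * i, action = RECIPE[(i - 1) % 4 + 1] } end
print(replayScore(honest, 5))
print(replayScore(forged, 5))
```

The score the server awards comes only from the replay, so the client never gets to state a pizza count; the log can still be a well-crafted one, which is why the timing limits are checked against the server's own clock.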

Add a cooldown for how fast you can do the minigame and you want to add some more server checks to verify if the person is actually doing it legit which will slow them down a bit.

1 Like

This is what I have written first but okay, I agree with you men.

Yea I was agreeing with you cause I don’t really know what else you could really do.

I mean yes it’s easy, simple and also useful to create this. It’s not really complicated in other words.

Here is a little suggestion, you could have a local script copied into the player when the mini game starts (Or during the mini game) as a little check to see if they are making pizzas too fast. If you can copy it without the exploiter knowing, that could be used. The best protection would be remote events and having server sided checks.

Exploiters can modify anything client side. Period.

This method would work as a temporary band-aid, but could easily be worked around. Exploiters can prevent remote event data from sending, send certain data, and even modify local scripts.

1 Like

@kingerman88 The client can be modified in any way. Exploiters are not limited by any boundaries put in place by Roblox meaning this is not really that effective.

What I do in this case is act like the server is the client. All of this client code will run on the server with some scaffolding in between to tell the client what to do. Reducing lag is a bit hard to do but if you share code between the client and server and somehow “sync” the client with tick and a little math or “prefire” events to happen at a specific time you can solve this issue. When the client makes an input or tries to do something it’ll notify the server and the server will just mimic the action the player wants to do server sided as the client visualizes this for them and then the server can resync the client again (e.g. by telling it an object wasn’t really deleted).

1 Like

I am not saying that you are wrong but that doesn’t mean that your idea will work forever. Once it is found it’s as easy as doing script.Disabled = true in rbxlua but a lot of exploits will offer extra functionality. One of these I think I heard about was the ability to literally change Roblox functions. That means any function could run Lua code, accept different arguments, and return different results. In that case by hooking a function in the right way they can use coroutine.yield to pause only certain parts of your script. Another of these is the ability to easily set the values of locals and variables referenced by functions.

It doesn’t matter what your script does. It will be bypassed rather quickly and there’s no point in wasting time with client side checks.

The problem with that is, you are making the client tell you when the minigame is done. Thus, an exploiter could just fire the remote event whenever he wants to just bypass the minigame.

It’s a client-side minigame. You kind of have to rely on mutual trust while also not doing so, hence the need for various security measures on the server’s end and a process that the client should be abiding by for the sake of minigame security.

I’m still confused, I kinda don’t play Roblox games. Could OP link the game?

OP is asking how to prevent exploiting on client-side minigames. A game link wouldn’t do much here, nor do you need to play any games. The idea is to try and provide a response that helps OP resolve their given issue. Try checking out the Scripting Support category guidelines for information on this category.