Protection From Exploiters

  • What does the code do and what are you not satisfied with?
    My code is a server script which handles money per click for in-game currency. The script gets fired by a remote event from the client side and checks the value inside the player against the one which was sent by the client; if these are not equal, the player gets kicked out. I want to know if it is good protection from exploiters.

    • What potential improvements have you considered?
      Maybe it could be much more secure and professional than it is right now.

    • How (specifically) do you want to improve the code?
      I want to make it more professional and secure. (if it is possible)

--//SERVICES
local PS = game:GetService("Players") -- Players service!
local DS = game:GetService("Debris") -- Debris service!
local TS = game:GetService("TweenService") -- TweenService!
local RS = game:GetService("ReplicatedStorage") -- ReplicatedStorage Service!

--//FOLDERS
local EVENTS_FOLDER = RS:WaitForChild("Events") -- Folder where RemoteEvents live.

--//EVENTS
local NormalClick_Event = EVENTS_FOLDER:WaitForChild("NormalClick") -- NormalClick Event
local Change_Value_Event = EVENTS_FOLDER:WaitForChild("ChangeValue") -- ChangeValue Event (not used yet)
local MegaClick_Event = EVENTS_FOLDER:WaitForChild("MegaClick") -- MegaClick Event (not used yet)

NormalClick_Event.OnServerEvent:Connect(function(plr, CPC)
	--Values
	local TRUE_CPC = plr:WaitForChild("COOKIE_PER_CLICK") -- finding the true Cookie Per Click value
	local COOKIE_COINS = plr:WaitForChild("COOKIE-COINS") -- Cookie Coins value. (in-game currency)
	
	
	--Protection From Hackers
	if TRUE_CPC.Value < CPC or TRUE_CPC.Value > CPC then -- if the true Cookie Per Click value is not the same as the one sent by the client then kick the player.
		plr:Kick("ANTI-CHEATER: EXPLOITING. (If you didn't exploit contact us)") -- Doesn't ban players just in case it was an in-game bug.
		return -- Returns so code will not run further if exploiter is kicked.
	end
	
	--Main Functionality
	COOKIE_COINS.Value += TRUE_CPC.Value -- Adds int-value, equal to TRUE_CPC value to cookie coins
	
	print("CPC: "..TRUE_CPC.Value, "COOKIES: "..COOKIE_COINS.Value) -- Prints out some information for testing purposes
	
end)
3 Likes

You're creating the problem by allowing exploiters to send the CPC through a Remote. Just store it on the server.

you already have the CPC value saved on the server, there’s no need to send it through the remote lol

it could just be a honeypot to bait exploiters into manipulating the value so you can catch them in the act

that makes sense, but it doesn’t have any exploit logs unless something was commented out of the example script

No it isn’t. An exploiter can call this remote event thousands of times per second, without the use of a macro. You should add a debounce to this remote event.

local storage = game.ReplicatedStorage
local events = storage.Events
local click = events.NormalClick

local debounce = false
click.OnServerEvent:Connect(function(plr)
	if debounce then return end
	debounce = true
	local cpc = plr.COOKIE_PER_CLICK.Value
	local coins = plr["COOKIE-COINS"]
	coins.Value += cpc
	task.wait(0.05)
	debounce = false
end)

That debounce is universal when it should be on a per-player basis

Ah, I assumed this was a singleplayer game for some reason.

RemoteSpy gleefully defeats your mechanism.

If you want to protect your game from remote spam, process all clicks in the server. RoVille does it with its answer selection buttons.
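
The replies above make two points: read the per-click value on the server instead of accepting it from the client, and throttle the remote per player rather than with one shared flag. The server Script below shows both; it is an added example, not code from any poster in this thread. The 0.05 s interval comes from the debounce reply, while the log threshold, the `state` table and the `allowClick` helper are assumptions made for illustration.

```lua
-- Added example: server Script (for instance under ServerScriptService).
-- Events/NormalClick, COOKIE_PER_CLICK and COOKIE-COINS are the names used in the thread.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local NormalClick = ReplicatedStorage:WaitForChild("Events"):WaitForChild("NormalClick")

local MIN_INTERVAL = 0.05      -- seconds between rewarded clicks (value from the debounce reply)
local LOG_AFTER_DROPPED = 50   -- assumption: dropped calls within one second before logging

-- Hypothetical per-player record: [Player] = { last, windowStart, dropped }
local state = {}

local function allowClick(plr, now)
	local s = state[plr]
	if not s then
		s = { last = -math.huge, windowStart = now, dropped = 0 }
		state[plr] = s
	end
	if now - s.windowStart >= 1 then
		s.windowStart, s.dropped = now, 0 -- start a new one-second logging window
	end
	if now - s.last < MIN_INTERVAL then
		s.dropped += 1
		if s.dropped == LOG_AFTER_DROPPED then -- log once per window, not once per call
			warn(("[NormalClick] %s (%d) is exceeding the click rate limit"):format(plr.Name, plr.UserId))
		end
		return false
	end
	s.last = now
	return true
end

NormalClick.OnServerEvent:Connect(function(plr)
	-- Any arguments the client sends are ignored: the reward comes from server state only.
	if not allowClick(plr, os.clock()) then
		return
	end
	-- FindFirstChild so the handler never yields waiting for a value that is missing.
	local cpc = plr:FindFirstChild("COOKIE_PER_CLICK")
	local coins = plr:FindFirstChild("COOKIE-COINS")
	if cpc and coins then
		coins.Value += cpc.Value
	end
end)

-- Drop the record when the player leaves so the table does not grow for the server's lifetime.
Players.PlayerRemoving:Connect(function(plr)
	state[plr] = nil
end)
```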
