Questions regarding Exploit-proofing a game

Alright, so I am in the middle of writing an Anti-Exploit script for my game. This will be the first time I’ve paid any attention to vulnerabilities to scripts. Here is a few things I’ve done so far.

Leave VERY little to the client.This includes buying items and displaying information sent by the server.

This is my current anti-exploit script that is a huge work in progress. Keep in mind I’ve never done this style of coding before, I am purely going off what I’ve read and heard.

--[[ Items to check

PlayerSpeed (DONE)
Abnormal time in air(DONE)
Gaining money extremely fast
Comparing Client and server money
Comparing Client and server XP/level
Check if the HumanoidRootPart is there(DONE)
Check if the player is invisible
Check if the player TPs


local MaxSpeed = 50

function Warn(plr)
	if plr:FindFistChild("Warning") then
		if plr.Warning.Value == false then
			plr.Warning.Value = true
		elseif plr.Warning.Value == true then
	elseif not plr:FindFistChild("Warning") then
		local warning ="BoolValue", plr)
		warning.Name = "Warning"
		warning.Value = false

local Event ="RemoteEvent")
Event.Name = "CheckEvent"
Event.Parent = game:GetService("ReplicatedStorage")

		while wait(1) do
			if chr.Humanoid.WalkSpeed >= MaxSpeed then
			-- PlayerSpeed Check
				local CurrentPos = chr.Head.Position
				local NextPos = chr.Head.Position
				local distance = (CurrentPos-NextPos).magnitude
				if distance >= MaxSpeed then
			-- Anti-Fly
			for i,v in pairs(chr.HumanoidRootPart:GetDescendants()) do
				if v:IsA("BodyMover") then
			-- Checking to see if HumanoidRootPart exists
			if not chr:FindFirstChild("HumanoidRootPart") then
				chr.Humanoid.Health = 0
			-- Checking Stats and comparing Client to server. 

As you can see, I still have about 5 items left to check, I was getting ready to start comparing Client and server stats inside of the player, and my main question I guess, is it even worth it? If the client(exploiter) goes into the player and gives himself money, it would only show on the client correct?

Meaning I could fire a remote event to return the money the client has and compare it to the money the server thinks the client has. Would that be worth doing or will the server read it as the hacked value since its the player object?

Another question, how would I go about preventing teleporting? Normally it’d be pretty easy except for the fact that this is inside of a mini-game… Meaning that the player will be teleported by the server automatically.

Any help is appreciated.

1 Like

The WalkSpeed check and BodyMover check don’t work because neither the property nor objects replicate to the server. You also don’t need to check if the values displayed on the client are different than the server because as long as the server values are untampered, they’re only visually changing things. It’s akin to clicking Inspect Element and changing stuff around; the server doesn’t care.

I’m not sure if there are any cases where HumanoidRootPart would be missing, but the distance check seems alright although prone to false positives from laggy players. It might be better to teleport them back for something like this rather than warn/kick.


I agree with the not kicking the players for teleport detections part. Kicking players is only going to give them a bad experience. I know one game that does this, and it’s a pain in the rear. The game in question that does this is “Reason 2 Die: Awakening,” by the way. Their entire anti-cheat is just one hot mess.

1 Like

It’s not worth comparing the 2 values, but in the interest of speed you want to check the values on both sides. Let the client check if the money is enough on their own, and if they think it is, check again on the server. This lets the honest clients save server resources by checking on their own whether they have enough money, and still stops the dishonest clients.

If you want to prevent teleporting, just do a basic check whether they’re supposed to teleport or not, and only do anything about it for really egregious examples. If you want extra surety, you can also check for multiple instances, check ping to make sure it’s not lag, or just make it alert a staff member to check on it.


Hey instead of using walkspeed for checking try using Velocity.Magnitude

I haven’t found a way to completely counter a way off exploits but naming all your events something totally random is something I advise.

No, don’t do that. That type of practice is called “security through obscurity” which isn’t true security in the first place. You should improve your client <-> server communication instead of applying a band-aid over poor communication.

And plus exploiters will probably know how it works based on arguments alone.


I’m pretty sure exploiters can remove the HMR and it’d work fine. Since they have ownership of their character anyway, they can just fix any mishaps that goes with removing it either way.

I like to use the head instead as trying to destroy it would instantly kill the player.

The main concept for speed anticheats is to check how fast you’ve travelled since last check, and find out whether that speed is above your allowed threshold.

As for flight anticheats, I just raycast downwards and infront (as I have climbing mechanics etc), and make sure they’re actually in the air (and not in bodies of water for instance).
From then I check how long you’ve been in the air - if you’ve been in the air for over X seconds, then you’ll get kicked. If you’ve stayed on the ground for over X seconds, the timer gets reset.

Obviously there are other methods, but this is mine :slight_smile: