I’ve been reading up quite a bit on preventing exploits within a game. I’m still unclear on the following case though.
Let’s say I have a tool (a sword, for instance). Within that tool, I place a localscript that is responsible for running an animation. Also within that tool, I place a non-local script. That script would be responsible for detecting a collision with an NPC, and then firing a bindable event that ultimately handles damage.
I understand that localscripts are exploitable. However, what about the other script in this scenario? Is this a secure, non-exploitable way to handle dealing damage?
Secondly, what about modulescripts? If I tuck damage handling away in a modulescript, is that exploitable? Is there anything that would prevent an exploiter from simply requiring that modulescript and calling it however they please?
How a module script behaves is dependent on what type of script is executing code from it. If you call it from a LocalScript, the module script behaves like a LocalScript, and vice versa for normal scripts.
Normal scripts cannot be manipulated in the same way LocalScripts can by the client, so your method is pretty safe.
In the modulescript case, I understand what you’re saying in terms of how it behaves. However, let’s say I use a localscript to pull in a modulescript. Does that modulescript become “editable” by an exploiter in the same way a localscript can be?
Im not sure if it has to do with editable or not. Either way, they can insert a copy of the script with changes as they desire.
If they are editable and you are wondering if this was changed while the server accessed the module, you have not to worry. This is because the script is not a single object. Your client and the server have copies of it. This being said, normally, an exploiter cannot force a server script to read an edited module, unless, for some reason, you had a backdoor.