Securing a remote event from exploiters

I saw the other day that exploiters can use remote event listeners to find and execute important events, so I wanted to secure mine. I created a key system that uses a complex math equation that shouldn’t be guessable by the average exploiter, generating a new key each time that is compared with the server’s version. Would this provide adequate enough protection?

Script: (local)

-- Derive the key from the shared counter, then send it along with the action
local times = game.Workspace.eventListeners.iterCount.Value
local key = (times + 3 / 3 * 46 /24 + 67 *1 - 2 / 3)* 345 / 52435
game.Workspace.eventListeners.moneyHandler:FireServer("sallary", key, 0)

Script: (serverside)

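local listeners = game.Workspace.eventListeners

-- OnServerEvent passes the firing player first, then the arguments given to FireServer
listeners.moneyHandler.OnServerEvent:Connect(function(player, action, sentKey)
	-- Recompute the key from the shared counter and compare it with the one the client sent
	local times = listeners.iterCount.Value
	local key = (times + 3 / 3 * 46 /24 + 67 *1 - 2 / 3)* 345 / 52435

	if key == sentKey then
		if action == "sallary" then
			-- (code)
		end
	else
		warn("Potential exploiter. Key not right")
	end

	-- Advance the counter so the next request needs a new key
	listeners.iterCount.Value = listeners.iterCount.Value + 1
end)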

Thank you. :slight_smile:

1 Like

No, give up on protecting remotes. It’s best to design your client-server model around server-authoritative actions, where everything crucial is checked on the server and the client just asks questions.

I wrote a post with info and general tips a while back.

Also, the compiler folds most of your math expression into a single number before the client even receives it, so the client would just see that number and an operation or two.

11 Likes

It would be a good idea to assume the exploiter can see any arguments that are being passed through events, so hiding things behind a key might not be very useful since they can just use the key themselves.

What I would do is try to structure my game in a way such that exploiters cannot control important game logic through remote events. Basically the client only sends signals along the lines of “I want to do this”, then the server goes “Let me check if [player] should be allowed to do this.”

1 Like

An exploiter can theoretically mimic anything that your legitimate client scripts could do to prove their authenticity. It’s best to perform sanity checks from the server side to ensure the remotes aren’t abused.

2 Likes
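The "client asks, server decides" pattern and the server-side sanity checks recommended in the replies above, as an added example that is not code from any poster in this thread. It reuses the `moneyHandler` path and the `"sallary"` action string from the question; the payout amount, the cooldown, and the `leaderstats.Money` value are assumptions.

```lua
-- Server Script. Added example: the constants and leaderstats layout are assumptions.
local Players = game:GetService("Players")
local moneyHandler = game.Workspace.eventListeners.moneyHandler -- path from the question

local SALARY_AMOUNT = 100   -- hypothetical: the server picks the payout, never the client
local SALARY_INTERVAL = 60  -- hypothetical: seconds between accepted salary claims
local lastPaid = {}         -- [Player] = os.clock() of the last accepted claim

-- Each action is a request; its handler decides whether this player may do it right now.
local handlers = {}

function handlers.sallary(player) -- spelling kept from the question's action string
	local now = os.clock()
	local previous = lastPaid[player]
	if previous and now - previous < SALARY_INTERVAL then
		return false, "salary requested before the cooldown elapsed"
	end
	local stats = player:FindFirstChild("leaderstats")
	local money = stats and stats:FindFirstChild("Money") -- hypothetical IntValue
	if not money then
		return false, "player has no Money stat"
	end
	lastPaid[player] = now
	money.Value += SALARY_AMOUNT
	return true
end

moneyHandler.OnServerEvent:Connect(function(player, action)
	-- `player` is supplied by the engine and can be trusted; every other
	-- argument comes from the client, so it is type-checked and otherwise ignored.
	if typeof(action) ~= "string" then
		warn(("Rejected request from %s: action is not a string"):format(player.Name))
		return
	end
	local handler = handlers[action]
	if not handler then
		warn(("Rejected request from %s: unknown action"):format(player.Name))
		return
	end
	local ok, reason = handler(player)
	if not ok then
		warn(("Rejected %s from %s: %s"):format(action, player.Name, reason))
	end
end)

Players.PlayerRemoving:Connect(function(player)
	lastPaid[player] = nil -- drop per-player state so the table does not grow forever
end)
```

Firing the remote repeatedly or with forged arguments gains nothing here, because the amount and the timing both come from server state.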