Somebody exploiting leaderstats in my game

For reference in case anybody has a Remote Event Spy or whatever those are called and are able to find the problem as I’m looking into it - here is a link to my game:

I’m unaware of what Remote Event could be causing this problem as this is a completely new problem that we’ve never had before, so I really don’t want to believe that it could simply be an unsecure remote event. If anybody has an idea of what else could be happening? Otherwise any help towards fixing this is HIGHLY appreciated:

They are able to exploit the following: EXP, Prison Time, and Rank Name — Seeing this is all a part of leaderstats this makes me think that all that could be happening is a leaderstat Remote Event is not secure?

Could you explain when this remote is fired? I can help you find the remote but I would like to know when it can be fired so I can see the arguments passed

If you’re using remote event then the possibility of an exploiter firing it is pretty high so I suggested you to not use a localscript in adding point

Here are the following I’ve found that use a Remote Event for leaderstats:

		wait (20)
		local plrRank = LookRank(plr)
	if plrRank == 5 then
		if plr:WaitForChild("leaderstats"):WaitForChild("Experience").Value >= 30 then
			local OldRank = "Private E-1"
			local NewRank = "Private E-2"
			game:GetService("ReplicatedStorage").GG:FireClient(plr,"Promoted","You've been promoted!","Congratulations, System promoted you from "..OldRank.." to "..NewRank.."!")

^^ EXP System’s API

print("Script Running!")

game.ReplicatedStorage.Demote.OnServerEvent:Connect(function(player, name, send, money)

if player:GetRankInGroup(4219097) >= 60 and player:GetRankInGroup(4219097) > send:GetRankInGroup(4219097)and money > 0 and money <= 500 and send.leaderstats.Experience.Value >= money then
	print("Working Demotion")

    send.leaderstats.Experience.Value =  send.leaderstats.Experience.Value - money

^^ One of my scripts for the demotion tool only High Ranks should be able to use ---- money clearly refers to EXP in this.

There’s a bunch of stuff that handles my leaderstats in my “setup” script - but none of them use Remote Events?

Are users with rank higher than 60 abusing this? Or just anyone? For the GG event, it’s listening for OnClientEvent which is impossible for exploiters to fire.

Rank 60 is Captain+ so I’d find it hard to believe, but it’s always possible - frankly we don’t use the demotion tool much anymore anyways. However, there’s a check to make sure it’s less then 200 in one increment and they are changing them by the millions? I suppose they could always be spam firing this.

I’m still having an issue with this - even after removing the “Demotion Tool’s” EXP script that used a Remote Event.

You probably might have a backdoor in your game where exploiter can mess with your game?

I’ve actually figured it out. It was a very old script I had added called “ChangeValue” it virtually gave anybody with an injector the ability to change any leaderstat in my game. I added this so long ago I hadn’t even thought about it - some decently intelligent exploiter finally came around and found it. Situation fixed, haven’t had a problem since! Thanks for all the help though guys!

1 Like

Glad you figured it out. Charac 30

1 Like