Stamina System (Exploitable?) (Apologies for the long code and indentation!)

Hey Everyone,

I made a simple sprinting system with stamina yesterday, but I wasn’t satisfied because I know it can be exploited.

Here is the code:

```lua
local userInputService = game:GetService("UserInputService")
local runService = game:GetService("RunService")

local player = game.Players.LocalPlayer
local playerGui = player:WaitForChild("PlayerGui")
local staminaGui = playerGui:WaitForChild("StaminaGui")
local mainFrame = staminaGui:WaitForChild("MainFrame")

repeat wait() until player.Character

local character = player.Character

local speedModifier = 2
local sprintCost = 0.2
local running = false

-- Maximum and current stamina; both exist only in this LocalScript
local Stamina = 100
local currentStamina = 100

local oldWalkSpeed = {}

local debounce = false

-- Keep the stamina label in sync with the local value
spawn(function()
	while wait() do
		mainFrame.Status.Text = math.floor(currentStamina) .. " / " .. Stamina
	end
end)

-- Start sprinting when LeftShift is pressed
userInputService.InputBegan:Connect(function(input, gameProcessedEvent)
	if gameProcessedEvent then return end

	if input.KeyCode == Enum.KeyCode.LeftShift then
		if debounce == false then
			debounce = true
			if currentStamina > sprintCost and character.Humanoid:GetState() == Enum.HumanoidStateType.RunningNoPhysics and character.Humanoid.MoveDirection.Magnitude > 0 then
				running = true

				oldWalkSpeed[player.Name] = character.Humanoid.WalkSpeed

				character.Humanoid.WalkSpeed = character.Humanoid.WalkSpeed * speedModifier

				-- Widen the field of view while sprinting
				for i = 70, 75, 1 do
					if running == true then
						game.Workspace.Camera.FieldOfView = i
						wait()
					else
						break
					end
					if i == 75 then
						break
					end
				end
			end
			wait(1.5)
			debounce = false
		end
	end
end)

-- Stop sprinting when LeftShift is released
userInputService.InputEnded:Connect(function(input, gameProcessedEvent)
	if gameProcessedEvent then return end
	if input.KeyCode == Enum.KeyCode.LeftShift then
		if running == true then
			running = false

			character.Humanoid.WalkSpeed = oldWalkSpeed[player.Name]
			oldWalkSpeed[player.Name] = nil

			-- Restore the field of view
			for i = 75, 70, -1 do
				if running == false then
					game.Workspace.Camera.FieldOfView = i
					wait()
				else
					break
				end
				if i == 70 then
					break
				end
			end
		end
	end
end)

-- Drain stamina while sprinting, regenerate it otherwise
runService.Heartbeat:Connect(function()
	if running == true then
		if currentStamina >= sprintCost then
			currentStamina = currentStamina - (sprintCost)
			mainFrame.Bar.Size = UDim2.new((currentStamina / Stamina), 0, 1, 0)
		else
			if currentStamina <= sprintCost or currentStamina == 0 then
				-- Out of stamina: reset the speed and stop sprinting
				currentStamina = 0
				mainFrame.Bar.Size = UDim2.new((currentStamina / Stamina), 0, 1, 0)
				character.Humanoid.WalkSpeed = oldWalkSpeed[player.Name]
				oldWalkSpeed[player.Name] = nil

				running = false

				for i = 75, 70, -1 do
					if running == false then
						game.Workspace.Camera.FieldOfView = i
						wait()
					else
						break
					end
					if i == 70 then
						break
					end
				end
			end
		end
	end

	if running == false then
		-- Each Heartbeat call waits one second before adding its regeneration tick
		wait(1)
		currentStamina = currentStamina + (sprintCost / 2)
		mainFrame.Bar.Size = UDim2.new((currentStamina / Stamina), 0, 1, 0)
		if currentStamina >= Stamina then
			currentStamina = Stamina
			mainFrame.Bar.Size = UDim2.new((currentStamina / Stamina), 0, 1, 0)
		end
	end
end)
```

My Main Questions

  • Can this be exploited?
  • If yes, then how can a hacker hack it and how can I fix it?

I am fairly new to Lua so I’m trying to learn the basics, please keep that in mind.

Thanks in advance

That is why you should handle the stamina on the server. An exploiter can just change the variables. You can use an IntValue / NumberValue instead and change it on the server only. And finally,

Don’t use a loop for something events can do more efficiently. Using what I suggested, you can use the Changed event.

1 Like

Oh ok thanks. Will keep that in mind.

Anything that you don’t want to be exploited should be handled on the server. All checks and values should be on the server. The client should only handle the visible things such as displaying information on UIs.

1 Like

Also, I have a stamina system I made on my own game, I am willing to share some code with you if you’d like.

1 Like

Thank you for the feedback and knowledge, I’m going to remake my stamina system anti-exploitative now. Yes, sure, I would like to see your code as well. Here is my Discord: Sd17#0192

This code would be better suited to #help-and-feedback:code-review

Also - your code blocks are c̴̰̈u̴̢͌ṟ̵̌s̶͔̒e̷̼͆ḍ̵͠, please review it to make sure that it is tagged with lua, and fully encompasses the correct code blocks (there are portions inside and outside of your code blocks). The way to highlight lua is to add this at the start of your code:

`` ```lua ``
1 Like

Sorry for the late reply, I added you on Discord.

1 Like

Oh I didn’t know that, thank you for the tip.

Your code isn’t connected to any remote events or functions, so it can’t be exploited into tricking the server to do anything bad.
The only threat I can see is that a player would be able to run as fast as they like wherever they like. This would require a hacker gaining access to manipulating local scripts/ local script logic, because character walkspeeds are replicated from client to server.
If you want to prevent this have the server keep track of when a player should have a higher speed than normal and perform server checks.

1 Like
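A server-side sketch of what the replies above recommend, added here as an example and not code from anyone in the thread: the server owns the stamina value, the client only reports sprint intent, and the server compares observed movement with the speed it granted. The RemoteEvent name `SprintRequest`, the `Stamina` attribute, and the speed, drain and tolerance constants are assumptions.

```lua
-- Server Script, e.g. in ServerScriptService (added example, not code from the thread).
-- Assumption: a RemoteEvent named "SprintRequest" exists in ReplicatedStorage.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local RunService = game:GetService("RunService")
local sprintRequest = ReplicatedStorage:WaitForChild("SprintRequest")

local BASE_SPEED, SPRINT_SPEED = 16, 32       -- studs per second (assumed values)
local MAX_STAMINA, DRAIN, REGEN = 100, 12, 6  -- stamina units, units per second
local TOLERANCE = 1.25                        -- slack for latency and slopes

local state = {} -- [player] = { stamina = number, sprinting = boolean }

local function getState(player)
	state[player] = state[player] or { stamina = MAX_STAMINA, sprinting = false }
	return state[player]
end

Players.PlayerRemoving:Connect(function(player) state[player] = nil end)

-- The client only reports intent; the server decides whether sprinting is allowed.
sprintRequest.OnServerEvent:Connect(function(player, wantsSprint)
	if type(wantsSprint) ~= "boolean" then return end -- never trust argument types
	local s = getState(player)
	s.sprinting = wantsSprint and s.stamina > 0
end)

RunService.Heartbeat:Connect(function(dt)
	for _, player in ipairs(Players:GetPlayers()) do
		local character = player.Character
		local humanoid = character and character:FindFirstChildOfClass("Humanoid")
		local root = character and character:FindFirstChild("HumanoidRootPart")
		if humanoid and root then
			local s = getState(player)
			if s.sprinting then
				s.stamina = math.max(0, s.stamina - DRAIN * dt)
				s.sprinting = s.stamina > 0
			else
				s.stamina = math.min(MAX_STAMINA, s.stamina + REGEN * dt)
			end
			local allowed = s.sprinting and SPRINT_SPEED or BASE_SPEED
			humanoid.WalkSpeed = allowed
			player:SetAttribute("Stamina", math.floor(s.stamina)) -- read by the client UI
			-- Server check: compare observed horizontal speed with what the server granted.
			local v = root.AssemblyLinearVelocity
			if Vector3.new(v.X, 0, v.Z).Magnitude > allowed * TOLERANCE then
				warn(player.Name .. " is moving faster than the server allows")
			end
		end
	end
end)
```

On the client, the LocalScript would fire `SprintRequest` with `true` or `false` on LeftShift press and release, and redraw the bar from the attribute's changed signal instead of a polling loop.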

I just realized all this a few hours ago, I’m remaking an anti-exploitative sprinting system now. Thanks for replying.

1 Like