Security/Exploit concers | Roblox Studio Community | Page 1

novel sun Jun 4, 2025, 2:10 PM

#

Hi, i am new to roblox coding and currently making a money + level/xp system
The system is close to be finished and i'm making the GUI part but i am not sure if what i made is safe against exploiters, can i have some reviews ?

I have RemoteEvents in ReplicatedStorage (UpdateGold / UpdateLevel) and these functions :

#

This is my DataManager, stored inside ServerScriptService

local DataManager = {}

local ServerScriptService = game:GetService("ServerScriptService")
local ExpTemplate = require(ServerScriptService.Data.ExpTemplate)

local ReplicatedStorage = game:GetService("ReplicatedStorage")
DataManager.Profiles = {}

function DataManager.AddGold(player: Player, amount: number)
    local profile = DataManager.Profiles[player]
    if profile then
        profile.Data.Inventory.Currencies.Gold += amount
        ReplicatedStorage.UpdateGold:FireClient(player, profile.Data.PlayerInfo.Currencies.Gold)
    end
end

function DataManager.AddXP(player: Player, amount: number)
    local profile = DataManager.Profiles[player]
    if profile then
        local Level = profile.Data.PlayerInfo.Level
        local currentExperience = profile.Data.PlayerInfo.XP
        local EF = (function(level) return math.round(ExpTemplate.Constant * (math.pow(Level, ExpTemplate.ExperienceScale))) end)
        
        if (currentExperience+amount) > EF(Level) then
            local LeftOverExp = (currentExperience+amount)-EF(Level)
            currentExperience = 0
            DataManager.AddXP(player, LeftOverExp)
            profile.Data.PlayerInfo.XP = currentExperience
            profile.Data.PlayerInfo.Level += 1
            
        elseif (currentExperience+amount) == EF(Level) then
            profile.Data.PlayerInfo.XP = currentExperience
            profile.Data.PlayerInfo.Level += 1
        else
            profile.Data.PlayerInfo.XP += amount
        end
        
        ReplicatedStorage.UpdateLevel:FireClient(player, profile.Data.PlayerInfo.XP, profile.Data.PlayerInfo.Level)
    end
end

return DataManager

#

This is how i initialize my data:

local function Initialize(player: Player, profile: typeof(PlayerStore:StartSessionAsync()))
    
    -- Leaderstats
    local leaderstats = Instance.new("Folder", player)
    leaderstats.Name = "leaderstats"

    local level = Instance.new("NumberValue")
    level.Name = "Level"
    level.Value = profile.Data.PlayerInfo.Level
    level.Parent = leaderstats

    local playerstats = Instance.new("Folder", player)
    playerstats.Name = "playerstats"

    local level = Instance.new("NumberValue")
    level.Name = "Level"
    level.Value = profile.Data.PlayerInfo.Level
    level.Parent = playerstats
    
    local exp = Instance.new("NumberValue")
    exp.Name = "XP"
    exp.Value = profile.Data.PlayerInfo.XP
    exp.Parent = playerstats
    

    local StatsTables = {"PlayerStats", "PvPInfo", "PSuccess", "Currencies"}
    for i,v in ipairs(StatsTables) do
        for key, v in pairs(profile.Data.PlayerInfo[v]) do
            if typeof(v) == "string" then
                local NewStringValue = Instance.new("StringValue")
                NewStringValue.Name = tostring(key)
                NewStringValue.Value = tostring(v)
                NewStringValue.Parent = playerstats
            elseif typeof(v) == "number" then
                local NewNumberValue = Instance.new("NumberValue")
                NewNumberValue.Name = tostring(key)
                NewNumberValue.Value = tonumber(v)
                NewNumberValue.Parent = playerstats
            elseif typeof(v) == "boolean" then
                local NewBoolValue = Instance.new("BoolValue")
                NewBoolValue.Name = tostring(key)
                NewBoolValue.Value = v
                NewBoolValue.Parent = playerstats
            end
        end
    end
    
    ReplicatedStorage.UpdateGold:FireClient(player, profile.Data.PlayerInfo.Currencies.Gold)
end

#

And this is how i show the values in my GUI :

local playerstats = game.Players.LocalPlayer:WaitForChild("playerstats")
local GoldValue = playerstats:WaitForChild("Gold")

script.Parent.GoldLBL.Text = tostring(GoldValue.Value)
GoldValue.Changed:Connect(function()
    script.Parent.GoldLBL.Text = tostring(GoldValue.Value)
end)

mint solstice Jun 4, 2025, 2:14 PM

#

novel sun This is my DataManager, stored inside ServerScriptService ```lua local DataManag...

Should be fine, I can only see you firing remote events from the server to the client, and you don't have any listeners for those events on the server side. So an exploiter could try to fire the RE, but it won't be received by anything. As for the rest, they can only make changes that change their display

novel sun Jun 4, 2025, 2:15 PM

#

mint solstice Should be fine, I can only see you firing remote events from the server to the c...

Alright so as example, even if they change like their level in playerstats it wont affect the real game as long as i dont have a remote that do client->server to "confirm" that change ?

mint solstice Jun 4, 2025, 2:16 PM

#

novel sun Alright so as example, even if they change like their level in playerstats it wo...

I mean, you can have remotes from client -> server, but they should mainly just handle inputs. Just act as if an exploiter can fire them whenever he wants, with whatever args he wants

#Security/Exploit concers