This minigame is a twist on the classic ‘Minesweeper’, where players start with a set balance. Each safe move increases this balance, while uncovering a mine ends the game and reset the balance back to the initial starting amount. The goal is to maximize gains without hitting any mines and cashing out. A golden crown can be hit to receive a special reward item.
7 Likes
you may want to secure this UI a bit better. A really cool concept but someone could edit output params and just cashout right away.
Check the server side where all the money adding logic etc. is. While it’s true that they can trigger that event with whatever params, it won’t do them any good since the player has to be inside the players table which is exclusively handled on the server-side. I think this is a pretty robust check but lmk what you’d recommend/suggest.
Nice share!! Thxnk you so much !!
nah i just edit the payout amount in the UI and then run the event it does the rest on the server side for me if you want we could jump in a call sometime and i can show u. Or if i get time later this week i could make a pr to fix it for ya. This thing is wicked though!! i can also give myself any item with this resource
Yeah I’d accept any PR that improves the resource, don’t really have time for a call though
But yeah I just don’t understand the vulnerability your describing. Assuming that the event triggering my minigame and also the AddPlayer export is sufficiently secured with distance checks or whatever, then I don’t understand how one might exploit my minigame.
if not IsPlayer(src) then print("Player with the ID: " .. src .. " and identifier " .. GetIdentifier(src) .. " tried to run the money event without being in the players table") return end**strong text**
Anyways, like I said happy to accept any PR and appreciate the nice comment 
EDIT: I suppose the only time the resource would be vunerable is AFTER the AddPlayer export is ran and then instead of finishing the minigame and then that triggering the NUICallback which in effect will trigger the server-side event, you’d forcefully trigger the dostuff event via an executor and pass whatever amount/item(s) you want.
1 Like
no in game you can change the params in the js the client has full access to the js at all times without any sort of cheats. If you are handling items the exports should be ran on the server side and the item name should be cached and never touched as well as locations of the mines those should also be server sided and checked in a callback with each click. If you want i can dm you the exploit explaination i just dont want to post it out there for the entire world to see because a lot of UI based resources faulter from this backdoor fivem has created.
1 Like
I’ll take a look, I appreciate the information. One of my first times working with JS in FiveM 
1 Like
The location of bombs and rewards should not be sent to the client, but saved on the server. The player clicks once and asks the server once.