A few tips:
- Don’t trust whatever data comes from the client (i.e. a transaction saying x receives 100m).
- Be aware of TriggerServerEvent and TriggerEvent; these can be called by anyone at any time with any arguments. Especially dangerous is the server variant, which can really screw over your server.
- Use something like AntiCheese AntiCheat to prevent usage of destructive hacks that ruin servers. Also, I would recommend the PlayerTrust plugin to prevent people using throwaway accounts.
- Use Resource Scrambler, so people cannot easily invoke server events.
- Use common sense really.
Definitely, this needs to be handled by the server. The thing is that you cannot trust the client, so make sure to check that the player has the funds, that the amount gets removed from his bank account and that the receiver exists.
Probably more things to check to prevent wonky/invalid/cheated transactions.
Of course they can, but be smart about how you implement that on the server. Just don’t blindly assume what is being sent to you (the server) and do proper sanity checks.
I’d say try making a script that tries to exploit it yourself (just use a client-side resource).
Heck, you could even use some kind of checksum hash to assure the transaction isn’t tampered with.
Anything that should not be tampered with, put on the server side. The only thing I see on the client, is updating the HUD of bank/cash balance, the rest should be calls to the server.
Find a good balance; ideally you want anything that can be abused on the server side of things. Having 5-10 more calls to the server is better than one call to the server where everything can be abused.
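The server-side checks described in the post above, as an added example that is not part of the original post or of any particular framework. The `accounts` table, the `transfer` function and the `bank:transfer` event name are assumptions made for illustration.

```lua
-- Added example: server-side validation for a bank transfer.
-- `accounts` is a hypothetical in-memory table (player id -> balance); a real
-- resource would read balances from its own framework or database.
local accounts = { [1] = 500, [2] = 50 }  -- constructed sample data

-- Returns true, or false plus a reason. Nothing supplied by a client is
-- trusted: type, range, funds and receiver are all checked here.
local function transfer(senderId, receiverId, amount)
    -- Net event arguments can be any type: check before doing arithmetic.
    if type(amount) ~= "number" or amount ~= amount then  -- second test: NaN
        return false, "amount is not a number"
    end
    if amount <= 0 or amount == math.huge or math.floor(amount) ~= amount then
        return false, "amount must be a positive whole number"
    end
    if senderId == receiverId then
        return false, "cannot transfer to self"
    end
    local from, to = accounts[senderId], accounts[receiverId]
    if from == nil then return false, "unknown sender" end
    if to == nil then return false, "receiver does not exist" end
    if from < amount then return false, "insufficient funds" end

    -- Debit and credit happen together, only after every check has passed.
    accounts[senderId] = from - amount
    accounts[receiverId] = to + amount
    return true
end

if RegisterNetEvent then
    -- Inside a FiveM server script: the sender is the event's `source`,
    -- set by the server, never an id passed as an argument.
    RegisterNetEvent("bank:transfer")  -- hypothetical event name
    AddEventHandler("bank:transfer", function(receiverId, amount)
        local src = tonumber(source)
        local ok, reason = transfer(src, tonumber(receiverId), amount)
        if not ok then
            print(("rejected transfer from %s: %s"):format(tostring(src), reason))
        end
    end)
else
    -- Plain Lua run with constructed inputs, including tampered ones.
    print(transfer(1, 2, 100))         -- valid transfer
    print(transfer(1, 2, -100))        -- negative amount
    print(transfer(2, 1, 100000000))   -- more than the sender holds
    print(transfer(1, 99, 10))         -- receiver that does not exist
    print(transfer(1, 2, "100"))       -- wrong argument type
end
```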