How to Fix a Daily-Reward Exploit From Changing the Device Clock

A player sets their phone a day ahead, claims the daily reward, then repeats. Device time is attacker-controlled. Anchoring the cooldown to server time fixes the exploit.

How to fix it

1. Stamp claims with server time

When a reward is claimed, record the server timestamp and compute the next-claim eligibility on the server, not from the device clock.

2. Validate on the server

Reject a claim if the server says the cooldown has not elapsed, regardless of what the client reports the local time to be.

3. Detect clock tampering

Compare device time to server time on connect; a large forward jump can flag the account or simply fall back to server-time-only logic.

Catching the ones you can't reproduce

The hardest version of this to fix is the one you can't reproduce — it only happens on a player's hardware, OS, driver, or save state, under conditions that simply aren't present on your machine. A report that says “it crashed” or “it froze” gives you nothing to act on, so the bug survives release after release while quietly costing you players.

Automatic error capture closes that gap. Each failure arrives with its full stack trace, the device and OS, the build number, and a breadcrumb trail of what the player did right before it broke, so even a failure you have never seen becomes a specific, reproducible issue. Fold identical failures into one signature ranked by how many players each hits, and your worklist sorts itself worst-first instead of arriving as a stream of vague complaints.

This is where a tool like Bugnet earns its place. Its SDK captures every error automatically with the full stack trace plus device, OS, memory, build, and game-state context, folds duplicates into one grouped issue with an occurrence count, and ties each to the build it first appeared on — so you fix the problem that hurts the most players first and confirm it is gone when its signature disappears from the next release.