What causes a server trusting client-sent values?

The server applies positions, velocities, or damage numbers sent by the client without re-checking them, so a modified client can teleport, speed-hack, or deal arbitrary damage.

How do I catch this when it only happens for some players?

Capture it automatically from the player's device with the full stack trace, the device and OS, the build, and a breadcrumb trail of what they did. That turns a vague complaint into a specific, reproducible issue you can fix without owning the hardware it happens on.

How to Fix a Server Trusting Client-Sent Movement and Damage Values

Quick answer: Treat client messages as inputs (intent), simulate them on the server, and reject or clamp anything that violates movement speed, cooldowns, line-of-sight, or range limits.

Server authority only stops cheats if the server actually validates. Accepting a client's claimed position or damage is the same as no authority at all. Here is how to validate inputs instead of trusting outputs.

How to fix it

1. Accept intent, not results

Have clients send inputs (move direction, fire request) and let the server compute the resulting position and damage. Never apply a client-supplied final position or hit result directly to authoritative state.

2. Clamp against physical limits

Validate each input against max speed, ability cooldowns, ammo, and reachable distance since the last tick. Reject or clamp values outside those bounds and log the violation for cheat detection.

3. Verify hits server-side

For shots, re-run the raycast on the server (with lag compensation against the target's rewound position) rather than trusting the client's claimed hit. This closes aimbot and instant-kill exploits.

Catching the ones you can't reproduce

The hardest version of this to fix is the one you can't reproduce — it only happens on a player's hardware, OS, driver, or save state, under conditions that simply aren't present on your machine. A report that says “it crashed” or “it froze” gives you nothing to act on, so the bug survives release after release while quietly costing you players.

Automatic error capture closes that gap. Each failure arrives with its full stack trace, the device and OS, the build number, and a breadcrumb trail of what the player did right before it broke, so even a failure you have never seen becomes a specific, reproducible issue. Fold identical failures into one signature ranked by how many players each hits, and your worklist sorts itself worst-first instead of arriving as a stream of vague complaints.

This is where a tool like Bugnet earns its place. Its SDK captures every error automatically with the full stack trace plus device, OS, memory, build, and game-state context, folds duplicates into one grouped issue with an occurrence count, and ties each to the build it first appeared on — so you fix the problem that hurts the most players first and confirm it is gone when its signature disappears from the next release.

Most of the time the fix is small. Seeing the failure clearly is the part that actually costs you.