Can "Run on server" be hacked?

I am building an RTS city management game. I have several cities and one is owned by a particular player (each city is an actor and has a variable of the player id that owns it). I want a player to set the tax rate for his/her city. Clicking on the HUD, the player increases or decreases the tax rate, but I want this to happen only for their city. I have made the proper checks on the UI to verify a user’s identity, but the final step involves updating the City tax rate variable on the server.

I use a “Run on Server” custom event on the player controller. This one sets the new tax rate for the city. Its inputs are the new tax rate and the city. I wonder if the approach is safe? Given that the event exists on the player controller, is this safe? Or is there another way of communicating from the PlayerController → Server and its variables?

There must be a more elegant way of transferring a new variable value on an actor on the server.

If you do your checks on the server as well, it should be safe, but of course, nothing is totally safe.

Thank you, CriErr. Is the way that I approached it at least proper?

HUD → Controller → Run on Server

The extra step that I thought is to do:

HUD → Controller → Run on Server → Cast gamemode → call event on gamemode

At least whatever is within the custom event on gamemode is safe but the parameters passed can still be hacked I guess.

To me run on server looks unsafe. It resides on the player controller and if memory values are hacked they could be called on to the server. Perhaps I am missing something.

Everything coming from the client can be hacked, so on the server you sanitize all inputs. If security is a big concern, maybe you should hash some data as well.

My main concern is someone using these remote calls to attempt to masquerade as another user. I figured out a solution. I am feeding the machine id into all these remote calls. When the game starts, I keep a list on gamemode of all machine ids and player controllers, pawns, etc. When remote calls happen, I can verify within the gamemode that the machine id matches the player. The potential hacker can still change the machine id, but guessing some other user’s machine id is virtually impossible.

If your transfer object, which does the remote call from client to server, exists only on the owner client and the server, I highly doubt someone from another client could get the UE4 serial number for that object and mimic networking for it.

Also, as a tip: if you are doing any serial IDs which should be private, you should generate them randomly, check whether that ID is in use and, if not, assign it and add it to the full list.
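
Added example, not part of any post in this thread and not Unreal Engine code: a standalone C++ model of the "do your checks on the server" advice for the tax-rate request. It assumes the server identifies the caller by the connection the request arrived on rather than by any client-supplied id; every name here (`Server`, `SetTaxRate`, `kMaxTaxRate`, the ids) is hypothetical.

```cpp
#include <cmath>
#include <cstdio>
#include <map>

// Assumed game rule for this example: tax rate must lie in [0, 0.5].
constexpr float kMaxTaxRate = 0.5f;

struct City { int ownerPlayerId; float taxRate; };

struct Server {
    // Filled in by the server when a client joins; never sent by the client.
    std::map<int, int>  playerByConnection;  // connection id -> player id
    std::map<int, City> cities;              // city id -> city state

    enum class Result { Ok, UnknownConnection, UnknownCity, NotOwner, BadValue };

    // connectionId is supplied by the transport layer on the server.
    // cityId and requestedRate are untrusted client input.
    Result SetTaxRate(int connectionId, int cityId, float requestedRate) {
        auto conn = playerByConnection.find(connectionId);
        if (conn == playerByConnection.end()) return Result::UnknownConnection;

        auto city = cities.find(cityId);
        if (city == cities.end()) return Result::UnknownCity;

        // Authorization: both sides of this comparison are server-held state.
        if (city->second.ownerPlayerId != conn->second) return Result::NotOwner;

        // Input validation: reject NaN/inf and out-of-range values.
        if (!std::isfinite(requestedRate) || requestedRate < 0.0f ||
            requestedRate > kMaxTaxRate)
            return Result::BadValue;

        city->second.taxRate = requestedRate;
        return Result::Ok;
    }
};

int main() {
    Server s;                              // constructed sample state
    s.playerByConnection[100] = 1;         // connection 100 is player 1
    s.playerByConnection[200] = 2;         // connection 200 is player 2
    s.cities[7] = City{1, 0.10f};          // city 7 belongs to player 1
    bool ownerOk  = s.SetTaxRate(100, 7, 0.25f) == Server::Result::Ok;
    bool otherOk  = s.SetTaxRate(200, 7, 0.40f) == Server::Result::Ok;
    std::printf("owner accepted: %d, non-owner accepted: %d, rate: %.2f\n",
                ownerOk, otherOk, s.cities[7].taxRate);
    return 0;
}
```

Because the request carries no identity field, a modified client can only change the city id and the rate, and both are checked against state the server holds.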