Anti-cheat in a browser arcade: how VoltCade leaderboards stay honest

Leaderboards are the soul of an arcade. They're also a giant target. Anyone running a leaderboard on the public web has dealt with the moment where a 999,999 score appears for a game that takes ten minutes to even reach 100,000. Once that happens, every legitimate player's effort is devalued, and the leaderboard stops feeling like a competition.

We've thought about this a lot for VoltCade. There is no silver bullet — every system can be defeated by a sufficiently motivated attacker — but the goal is to make casual cheating much more effort than just playing the game well. Here's the layered approach we use.

Layer one: signed session tokens

Before a game starts, the page asks the server for a session token. The server returns a short-lived signed token tied to that game and that user agent. The game embeds the token in its score submissions. If a submission arrives without a valid token, or with a token that's expired, or with a token that doesn't match the game it claims to be from, it gets rejected at the API.

This kills the simplest attacks: a script that POSTs a fake score directly to the score endpoint with no game session at all. It doesn't kill an attacker who automates the actual game inside a headless browser, but it raises the floor.

Layer two: per-game score and time bounds

Every game in our registry declares two numbers: a maximum possible score and a minimum session length. Both come from the registry, not the game client, so they can't be tampered with by modifying the game code in-browser. A score that exceeds the maximum, or that arrives in less time than the minimum, is rejected.

These bounds are purposely conservative. The minimum session for Meteor Dodge is five seconds — far less than a real run takes — but it's long enough that a bot rapid-firing fake submissions hits the wall. The maximum score is set above the realistic ceiling, but well below absurd. A 50-million-point Meteor Dodge run will be flagged before anyone sees it on the board.

Layer three: behavioral and pattern signals

After validation, the score gets cross-checked against patterns. Sudden improvement curves where a player goes from 5,000 to 500,000 in two submissions get flagged. Identical scores submitted in rapid succession from the same fingerprint get flagged. Submissions from sessions where pause/resume events are missing get flagged.

We don't share the full validator stack publicly, because the moment you do, attackers optimize against exactly the rules you published. The general principle: any score that "doesn't look like a human played it" gets a closer look before it appears on the board.

What we deliberately don't do

We don't require accounts. The whole platform is account-free, and we want to keep it that way. That removes one of the easiest anti-cheat hooks — banning by user ID — but the tradeoff is worth it. Asking every player to sign up just so we can ban a tiny fraction of cheaters degrades the experience for the 99% of legitimate players.

We also don't fingerprint aggressively. We collect just enough metadata to flag patterns; we don't correlate across the wider web. The privacy floor is more important than the marginal anti-cheat benefit.

When something slips through

Sometimes a fake score does land on a board. When that happens, the contact form is the fastest path — flag the entry, give us the game and timestamp, and we'll look at it. Most reports turn out to be legitimate runs by exceptional players, but the ones that aren't get removed and the patterns get fed back into the validator stack so the next attempt fails earlier.

The honest assessment

No system catches everything. A patient attacker running a real headless browser, simulating realistic input timing, and submitting at a believable rate will eventually beat any client-side defense. The goal isn't perfection — it's ratio. If we make casual cheating ten times more effort than getting good at the game, the population of players who would cheat for top-of-board placement shrinks dramatically. That's the system we have, and the leaderboards we're proud of are the result.