AFAIK "cheaters" are just people who used Javascript to defeat the client-side validation and try to click the button more than once. Those extra clicks get caught by additional server-side checks.

really? How would you detect a clientside script like this?

    function validateClickEvent(e) {
        var r = e.target.getBoundingClientRect();
        if (e.x >= r.left && e.x <= r.right && e.y >= r.top && e.y <= r.bottom) {
            console.log('looks legit');
        } else {
            console.log('faked click');
        }
    }

Set this as the click handler. The click method is browser specific, but on Chrome the x/y coordinates on the event will be incorrect. A smarter script could fool this, though.

I don't know much javascript, but that looks extremely error prone to me. How would it behave in different monitor sizes? With zoomed in/out screens? On mobiles, tablets, etc?

And it would still be pretty easy for a cheating script to work cheat your validation!

It's just an example, but zoom should scale both the element coordinates and the mouse coordinates. This sort of validation can be made a lot more elaborate.

thebutton.dispatchEvent( new MouseEvent('click', {clientX:(r.left+r.right)/2, clientY:(r.top+r.bottom)/2}));

Or something along those lines!! :)

They could make their own implementation of setInterval and report you as a cheater when you use it.