Slow Fog claims NOFX AI automatic trading system has a serious vulnerability that needs to be upgraded as soon as possible

The Slow Mist security team recently analyzed the open-source automated futures trading system NOFX AI based on DeepSeek/Qwen and discovered multiple serious authentication vulnerabilities. They pointed out that the system has a "zero authentication" mode in its default configuration, with the admin mode enabled directly, allowing all requests to pass without verification. Attackers can access /api/exchanges and obtain complete API keys and private keys. Although JWT has been added in the "authorization required" mode, the default jwt_secret still exists, and if the environment variable is not set, it will revert to the default key. Furthermore, in this mode, sensitive fields are still output in raw JSON, meaning that if the token is forged or stolen, it can also lead to key leakage.

Slow Mist stated that as of now, they have identified over a thousand publicly deployed instances using vulnerable configurations and have coordinated with the security teams of Binance and OKX to complete the relevant credential replacements. The team reminds all users to upgrade their systems immediately, especially those running bots on Aster or Hyperliquid should check their settings as soon as possible.