SlowMist Reports Critical Vulnerability in NOFX AI Automated Trading System, Urges Immediate Upgrade

ChainCatcher, 2025/11/17 10:23

According to ChainCatcher, the SlowMist security team recently analyzed NOFX AI, an open-source automated futures trading system built on DeepSeek/Qwen, and found multiple critical authentication vulnerabilities. The system ships with a "zero authentication" mode enabled by default: administrator mode is active from the start and every request is accepted without verification, so an attacker can call /api/exchanges and retrieve the complete API keys and private keys. In the "authorization required" mode, JWT is added, but a default jwt_secret still exists in the code; if the corresponding environment variable is not set, the system falls back to that default key. In addition, this mode still returns sensitive fields as raw JSON, so a forged or stolen token also leads to key leakage.
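To make the configuration failures described above concrete, here is an added illustration (not NOFX AI's own code; the page does not show the project's real identifiers): the silent fallback to a built-in signing secret beside a fail-closed loader, an authentication switch that is on by default, and redaction of credential fields before an exchange record is returned as JSON. All variable names, field names and the placeholder secret are assumptions.

```python
# Names below (PLACEHOLDER_DEFAULT_SECRET, env keys, field names) are assumptions
# for illustration; the page does not give the project's real identifiers.
PLACEHOLDER_DEFAULT_SECRET = "change-me-default-jwt-secret"  # constructed value
SENSITIVE_KEYS = {"api_key", "api_secret", "secret_key", "private_key"}

def load_jwt_secret_weak(env: dict) -> str:
    """The pattern the report describes: silently fall back to a built-in
    default when the variable is unset, so every unconfigured deployment
    signs tokens with the same publicly known key."""
    return env.get("JWT_SECRET", PLACEHOLDER_DEFAULT_SECRET)

def load_jwt_secret_hardened(env: dict, min_len: int = 32) -> str:
    """Fail closed: without an operator-supplied secret the service must not
    start, and the shipped placeholder or a short value is rejected too."""
    secret = env.get("JWT_SECRET", "")
    if not secret:
        raise RuntimeError("JWT_SECRET is not set; refusing to start")
    if secret == PLACEHOLDER_DEFAULT_SECRET:
        raise RuntimeError("JWT_SECRET is the shipped default; set a unique value")
    if len(secret) < min_len:
        raise RuntimeError(f"JWT_SECRET shorter than {min_len} characters")
    return secret

def secret_config_is_safe(env: dict) -> bool:
    """Startup self-check a deployer can run against os.environ."""
    try:
        load_jwt_secret_hardened(env)
        return True
    except RuntimeError:
        return False

def auth_required(env: dict) -> bool:
    """Secure default: authentication stays on unless the operator explicitly
    sets DISABLE_AUTH=true (hypothetical variable name); never off by default."""
    return env.get("DISABLE_AUTH", "").strip().lower() not in ("1", "true", "yes")

def redact_exchange_record(record: dict) -> dict:
    """Mask credential fields before an exchange record is serialised, so even
    a caller holding a forged or stolen token never receives raw keys."""
    return {
        k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS and v else v)
        for k, v in record.items()
    }
```

Running `secret_config_is_safe(dict(os.environ))` at startup and refusing to serve when it returns False is the check the upgrade advice below amounts to.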

SlowMist stated that it has so far identified over a thousand publicly deployed instances running vulnerable configurations and has coordinated with a certain exchange's security team to complete the rotation of the affected credentials. The team urges all users to upgrade their systems immediately; those running bots on Aster or Hyperliquid in particular should check their settings as soon as possible.


