Foresight News|Nov 17, 2025 10:11
Slow Mist: NOFX AI Automated Trading System Has Serious Security Vulnerabilities, Users Need to Upgrade Immediately
According to Foresight News, the SlowMist security team has recently conducted security analysis on NOFX AI (an open-source automated futures trading system based on DeepSeek/Qwen) and discovered two major authentication issues in different submitted versions. Firstly, the system has a "zero authentication" mode, with administrator mode enabled by default. Middleware allows all requests to pass without verification, and anyone can access/app/exchanges and obtain complete API keys and private keys. \Secondly, JWT has been added to the 'authorization required' mode, but the default jwt_decret still exists. If no environment variables are set, the system will revert back to the default key. And/pai/exchanges still returns sensitive fields in raw JSON format. Therefore, even with this' secure 'version, once the token is forged or obtained, all keys will still be leaked. \According to SlowMist, as of mid November, over 1000 publicly deployed systems have been identified using vulnerable configurations and have promptly coordinated with Binance and OKX security teams to notify and replace users who leaked credentials. SlowMist recommends that all users running the system upgrade immediately to reduce potential risks. As of November 17th, all CEX users whose keys were leaked have been notified and revoked. Due to decentralized wallets, some Aster/Hyperliquid users may have difficulty contacting. If the user is running the robot on Aster/Hyperliquid, please check the settings immediately.
Share To
Timeline
HotFlash
APP
X
Telegram
CopyLink