SlowMist reports that the NOFXAI automated trading system has been found to have serious vulnerabilities and needs to be upgraded as soon as possible.

Odaily Planet Daily reports that the SlowMist security team recently analyzed NOFX AI, an open-source automated futures trading system based on DeepSeek/Qwen, and discovered several serious authentication vulnerabilities. They pointed out that the system has a "zero-authentication" mode in its default configuration, with administrator mode directly enabled, allowing all requests to pass without verification. Attackers can access /api/exchanges and obtain the complete API key and private key.

While JWT is added in "Authorization Required" mode, the default jwt_secret still exists. If the environment variable is not set, it will revert to the default key. Furthermore, sensitive fields in this mode are still output as raw JSON; if the token is forged or stolen, it will also lead to key leakage.

SlowMist stated that as of mid-November, it had identified over a thousand publicly deployed instances using vulnerable configurations and had coordinated with the Binance and OKX security teams to replace the relevant credentials. The team reminded all users to upgrade their systems immediately, especially those running bots on Aster or Hyperliquid, who should check their settings as soon as possible.