Slow Fog claims that the NOFX AI automated trading system has a serious vulnerability that needs to be upgraded as soon as possible.

According to Mars Finance, the Slow Mist security team recently analyzed the open-source automated futures trading system NOFX AI based on DeepSeek/Qwen and discovered multiple serious verification vulnerabilities. It pointed out that the system has a “zero verification” mode under default configuration, with the admin mode directly enabled, allowing all requests to pass without verification. Attackers can access /api/exchanges and obtain complete API Secret Key and Private Key. Although JWT has been added in the “authorization required” mode, the default jwt_secret still exists, and if environment variables are not set, it will revert to the default key. Moreover, sensitive fields in this mode are still output in raw JSON, meaning that if tokens are forged or stolen, it will also lead to key leakage. Slow Mist stated that as of now, it has identified over k publicly deployed instances using vulnerable configurations and has coordinated with the security teams of Binance and OKX to complete relevant credential replacements. The team urges all users to upgrade their systems immediately, especially those running Bots on Aster or Hyperliquid should check their settings as soon as possible.