SlowMist Reports Serious Vulnerabilities in NOFX AI Automated Trading System, Urges Immediate Upgrade

The SlowMist security team recently analyzed NOFX AI, an open-source automated futures trading system based on DeepSeek/Qwen, and discovered multiple serious authentication vulnerabilities. According to the team, the default configuration runs in a 'zero authentication' mode: admin mode is enabled directly, so every request passes without verification and an attacker can call /api/exchanges to obtain complete API keys and private keys. The 'authorization required' mode adds JWT, but a default jwt_secret still exists, and if the environment variables are not set the system reverts to that default key. In this mode sensitive fields are also still returned as-is in the JSON output, so a forged or stolen token can lead to key leakage. SlowMist stated that by mid-November it had identified over a thousand publicly deployed instances using vulnerable configurations and had coordinated with the security teams of Binance and OKEx to complete the relevant credential replacement. The team reminds all users to upgrade the system immediately; users running bots on Aster or Hyperliquid in particular should check their settings as soon as possible.
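The two mitigations implied by the report, a JWT secret that fails closed and credentials that never serialize, sketched as an added Go example; this is not NOFX's code. The `JWT_SECRET` variable name, the `Exchange` fields, the 32-byte minimum and the placeholder default value are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed placeholder standing in for a secret shipped in a default config.
const shippedDefault = "PLACEHOLDER-default-jwt-secret"

// loadJWTSecret fails closed: an unset, shipped-default, or short secret is an
// error, never a silent fallback to a key that every deployment shares.
// getenv is injected so the check is testable; pass os.Getenv in a real service.
func loadJWTSecret(getenv func(string) string) ([]byte, error) {
	s := getenv("JWT_SECRET") // hypothetical variable name
	switch {
	case s == "":
		return nil, errors.New("JWT_SECRET unset: refusing default jwt_secret")
	case s == shippedDefault:
		return nil, errors.New("JWT_SECRET equals the shipped default")
	case len(s) < 32:
		return nil, errors.New("JWT_SECRET shorter than 32 bytes")
	}
	return []byte(s), nil
}

// Secret holds credential material and always serializes as a fixed marker,
// so a forged or stolen token cannot read keys back out of an API response.
type Secret string

func (Secret) MarshalJSON() ([]byte, error) { return []byte(`"[redacted]"`), nil }

// Exchange is a hypothetical record of the kind /api/exchanges might return.
type Exchange struct {
	Name      string `json:"name"`
	APIKey    Secret `json:"api_key"`
	SecretKey Secret `json:"secret_key"`
}

func renderExchanges(xs []Exchange) (string, error) {
	b, err := json.Marshal(xs)
	return string(b), err
}

func main() {
	_, err := loadJWTSecret(func(string) string { return "" })
	fmt.Println("startup with unset secret:", err)
	out, _ := renderExchanges([]Exchange{{"example-exchange", "constructed-key", "constructed-secret"}})
	fmt.Println(out)
}
```

Redacting at the type level means any new endpoint that marshals an `Exchange` inherits the protection, rather than relying on each handler to strip fields.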
