SlowMist reports that NOFX's AI-powered automated trading system has been found to have serious vulnerabilities and requires immediate upgrades.


TL;DR

SlowMist found serious vulnerabilities in NOFX's AI trading system, including zero-authentication defaults that expose API keys. Over 1,000 instances are affected, and users must upgrade immediately to prevent key leakage.

Tags: SlowMist, NOFX AI, vulnerabilities, automated trading, security
According to Mars Finance, the SlowMist security team recently analyzed NOFX AI, an open-source automated futures trading system built on DeepSeek/Qwen, and discovered several serious authentication vulnerabilities. They pointed out that the system's default configuration runs in a "zero-authentication" mode with administrator mode enabled, so every request passes without verification. Attackers can access `/api/exchanges` and obtain the complete API key and private key. The "authorized" mode adds JWT, but a default `jwt_secret` still exists: if the environment variable is not set, the system falls back to that default key. Furthermore, sensitive fields in this mode are still returned as raw JSON, so a forged or stolen token also leads to key leakage. SlowMist stated that it has identified over a thousand publicly deployed instances using this vulnerable configuration and has coordinated with the Binance and OKX security teams to replace the affected credentials. The team urges all users to upgrade immediately, and especially those running bots on Aster or Hyperliquid to check their settings as soon as possible.
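The three weaknesses in the report (authentication off by default, a silent fallback to a shipped `jwt_secret`, and credentials echoed as raw JSON) are all configuration-handling defects that a service can refuse at startup or mask at the response boundary. The following is an added example, not NOFX code: the environment variable name `JWT_SECRET`, the config keys `auth_enabled` and `bind_address`, the placeholder default secret and the sample exchange records are all constructed for illustration.

```python
"""Hardened handling of the defaults described in the SlowMist report.

Added example, not NOFX code. Assumptions: the JWT secret arrives via the
JWT_SECRET environment variable; config keys auth_enabled / bind_address are
hypothetical; DEFAULT_JWT_SECRET is a constructed placeholder for whatever
value a weak build would silently fall back to.
"""
import hmac
import json
import os
from typing import Any, Mapping

# Constructed placeholder for a shipped default that must never be accepted.
DEFAULT_JWT_SECRET = "change-me-default-secret"

# Field names that must never leave the process in clear text.
SENSITIVE_KEYS = {"api_key", "api_secret", "secret_key", "private_key", "passphrase"}


def load_jwt_secret(env: Mapping[str, str] = os.environ) -> str:
    """Fail closed instead of `env.get("JWT_SECRET", DEFAULT_JWT_SECRET)`.

    The weak pattern silently reverts to a publicly known key when the
    variable is missing; here a missing, default or too-short secret aborts
    startup so the operator has to set one.
    """
    secret = env.get("JWT_SECRET", "")
    if not secret:
        raise RuntimeError("JWT_SECRET is not set; refusing to start in authorized mode")
    if hmac.compare_digest(secret, DEFAULT_JWT_SECRET):
        raise RuntimeError("JWT_SECRET is the shipped default; set a unique value")
    if len(secret) < 32:
        raise RuntimeError("JWT_SECRET is too short (need at least 32 characters)")
    return secret


def redact(obj: Any) -> Any:
    """Recursively mask credential fields before any JSON serialisation."""
    if isinstance(obj, dict):
        return {
            k: ("***REDACTED***" if k.lower() in SENSITIVE_KEYS else redact(v))
            for k, v in obj.items()
        }
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def exchanges_response(exchanges: list) -> str:
    """What an /api/exchanges-style handler should return: metadata only."""
    return json.dumps(redact(exchanges), sort_keys=True)


def startup_checks(config: Mapping[str, Any], env: Mapping[str, str]) -> list:
    """Return a list of findings; an empty list means the service may start.

    Auth disabled is only tolerated on loopback; in authorized mode the JWT
    secret must pass load_jwt_secret().
    """
    findings = []
    if not config.get("auth_enabled", False):
        if config.get("bind_address", "0.0.0.0") != "127.0.0.1":
            findings.append("auth disabled while listening on a non-loopback address")
    else:
        try:
            load_jwt_secret(env)
        except RuntimeError as exc:
            findings.append(str(exc))
    return findings


if __name__ == "__main__":
    # Constructed sample: what a bot's exchange config might look like.
    sample = [{"name": "binance", "api_key": "AKIA-EXAMPLE", "api_secret": "S3CR3T", "testnet": False}]
    print(exchanges_response(sample))
    print(startup_checks({"auth_enabled": False, "bind_address": "0.0.0.0"}, {}))
```

The redaction runs at the serialisation boundary rather than in each handler, so a new endpoint that forgets to strip credentials still cannot leak them; the startup check turns the two reported defaults (no auth on a public bind, default secret) into a refusal to run rather than a quiet misconfiguration.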
