SlowMist has issued a critical warning regarding severe security vulnerabilities discovered within NOFX AI, an automated trading system built upon DeepSeek/Qwen. The investigation revealed that in several versions of the platform, attackers could gain access to private wallet keys and API credentials without any form of authentication. This presents a significant risk for users who have been operating NOFX for extended periods, raising concerns about the potential for unauthorized fund drainage.
System Flaws Expose Keys and Prompt Industry-Wide Response
SlowMist identified two primary issues contributing to the security breach. The first is a "zero-authentication" admin mode, which was enabled by default in some deployments. This mode allowed unauthorized individuals to query system endpoints and extract sensitive data. The second vulnerability stemmed from a weak JSON Web Token (JWT) setup that utilized a hardcoded secret. Even after attempted patches, the unchanged default secret enabled attackers to forge valid tokens. SlowMist estimates that over 1,000 public deployments may have been compromised due to these oversights.
Following the confirmation of these vulnerabilities, SlowMist collaborated with major exchanges, including Binance and OKX, to assist in revoking compromised API keys and notifying affected users. While this process was relatively straightforward for centralized exchanges, decentralized platforms posed a greater challenge. Users operating on chains such as Aster or Hyperliquid were more difficult to reach. SlowMist strongly advises users of NOFX AI in decentralized environments to reset their keys immediately before resuming any activity.
To mitigate the risk of further breaches, SlowMist has provided several urgent recommendations. Users are advised to disable admin mode, replace the default JWT secret with a strong, unique one, and limit the sensitive information returned by endpoints, particularly preventing them from directly exposing private keys. SlowMist cautions that until NOFX developers implement comprehensive structural fixes, any publicly accessible NOFX AI deployment should be considered high-risk and handled with extreme vigilance.