According to Mars Finance, the Slow Mist security team recently analyzed the open-source automated futures trading system NOFX AI based on DeepSeek/Qwen and discovered multiple serious verification vulnerabilities. It pointed out that the system has a “zero verification” mode under default configuration, with the admin mode directly enabled, allowing all requests to pass without verification. Attackers can access /api/exchanges and obtain complete API Secret Key and Private Key. Although JWT has been added in the “authorization required” mode, the default jwt_secret still exists, and if environment variables are not set, it will revert to the default key. Moreover, sensitive fields in this mode are still output in raw JSON, meaning that if tokens are forged or stolen, it will also lead to key leakage. Slow Mist stated that as of now, it has identified over k publicly deployed instances using vulnerable configurations and has coordinated with the security teams of Binance and OKX to complete relevant credential replacements. The team urges all users to upgrade their systems immediately, especially those running Bots on Aster or Hyperliquid should check their settings as soon as possible.
Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to
Disclaimer.
