🚨SlowMist TI Alert: Security Analysis of the NOFX AI Automated Trading System🧵

1️⃣ Recently, after receiving security intelligence from @Endlessss20, the SlowMist security team conducted an in-depth security analysis of @nofx_ai (https://t.co/zMDNHTBZeg), an open-source automated futures trading system built on DeepSeek/Qwen.

2️⃣ Across different commits, we identified two major authentication issues:

🔹"Zero-auth" mode (Oct 31, commit 517d0c)
-> Admin mode is enabled by default, and the middleware allows all requests to pass without verification.
-> Anyone could hit /api/exchanges and get full API keys & private keys (api_key, secret_key, hyperliquid_wallet_addr and aster_private_key).

🔹"Requires Authorization" mode (Nov 5, commit be768d9)
-> JWT added, but the default jwt_secret remained. If env vars weren’t set, the system fell back to the default secret.
-> And /api/exchanges still returned sensitive fields in raw JSON form. So even this “secured” version still leaked all keys once a token was forged or obtained.

3️⃣ As of Nov 13, the dev branch HEAD still contains:
🔹The authMiddleware remains implemented as shown in api/server.go:1471–1511, still requiring a Bearer token.
🔹/api/exchanges continues to return the full ExchangeConfig directly (api/server.go:1009–1021).
🔹config.json.example:1–27 and main.go:198–226 still hard-code admin_mode=true and the default jwt_secret.

4️⃣ During our internet-wide scan, SlowMist identified more than 1,000 publicly accessible deployments of this system running with default or vulnerable configurations — many of them inadvertently exposing user exchange credentials.

5️⃣ Given the imminent risk, SlowMist immediately coordinated with the security teams at @binance and @okx. We provided intel; both teams independently performed cross-validation. Using the obtained API keys, they traced affected users → notified them → rotated API keys, secret keys, and other credentials. This prevented potential wash trading attacks and protected user assets.

6️⃣ As of Nov 17, all CEX users with exposed keys have been notified and their keys revoked. Some Aster/Hyperliquid users are harder to reach due to wallet decentralization. If you run bots on Aster/Hyperliquid, check your setups now. We’ll also communicate the details of this vulnerability to the NOFX AI team and provide remediation advice.

7️⃣ Our conclusion:
🔹Any deployment at 517d0caf or earlier = zero authentication → immediate upgrade required.
🔹Even updated versions remain exploitable if the default jwt_secret is used.
🔹origin/main is still at 517d0c, the “zero-auth” commit.

To fully fix this system:
🔹Randomize JWT secret
🔹Disable default admin mode
🔹Reduce sensitive data returned by /api/exchanges

Until that happens, any public deployment should be treated as high-risk.

Special thanks to @Endlessss20 for the initial intel. This disclosure isn’t criticism — it’s risk reduction. SlowMist will continue collaborating with exchanges, developers, and the community to ensure the security of the ecosystem and users.

🌟Full analysis: https://t.co/ZcUUY55laP
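The three fixes listed in item 7 (randomized JWT secret, no default admin bypass, reduced /api/exchanges output), worked through as an added Go example. This is not NOFX's code and does not reproduce its api/server.go or main.go; only the endpoint path, the ExchangeConfig field names, and the admin_mode / jwt_secret keys come from the thread. The defaultJWTSecret constant is a placeholder (the shipped value is not reproduced), and ResolveJWTSecret, AuthMiddleware, Probe and the hand-rolled HS256 sign/verify are this example's own assumptions. It goes slightly beyond the thread by pinning the token algorithm to HS256 and by redacting at the JSON-encoding layer rather than in the handler:

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Placeholder standing in for the shipped default; the real value is not reproduced.
const defaultJWTSecret = "PLACEHOLDER-DEFAULT-JWT-SECRET"

// ExchangeConfig carries the fields the advisory says /api/exchanges returned raw.
type ExchangeConfig struct {
	Name              string `json:"name"`
	APIKey            string `json:"api_key"`
	SecretKey         string `json:"secret_key"`
	HyperliquidWallet string `json:"hyperliquid_wallet_addr"`
	AsterPrivateKey   string `json:"aster_private_key"`
}

// MarshalJSON makes the secret fields unserialisable: any handler that encodes an
// ExchangeConfig emits only the name and a 4-character key hint. Decoding config
// files is unaffected because UnmarshalJSON is not overridden.
func (c ExchangeConfig) MarshalJSON() ([]byte, error) {
	hint := "****"
	if n := len(c.APIKey); n > 4 {
		hint = "..." + c.APIKey[n-4:]
	}
	return json.Marshal(map[string]string{"name": c.Name, "api_key_hint": hint})
}

// ResolveJWTSecret refuses the shipped default and, when nothing is configured,
// generates a random secret instead of silently falling back.
func ResolveJWTSecret(configured string) (string, error) {
	switch configured {
	case defaultJWTSecret:
		return "", errors.New("jwt_secret is the shipped default; set a unique value")
	case "":
		b := make([]byte, 32)
		if _, err := rand.Read(b); err != nil {
			return "", err
		}
		return b64(b), nil // new on every start, so tokens do not survive restarts
	}
	return configured, nil
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignToken mints an HS256 JWT; included only so the example is self-contained.
func SignToken(secret, claimsJSON string) string {
	input := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64([]byte(claimsJSON))
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(input))
	return input + "." + b64(mac.Sum(nil))
}

// VerifyToken pins the algorithm to HS256 and checks the signature in constant time.
func VerifyToken(secret, token string) bool {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return false
	}
	hdr, errH := base64.RawURLEncoding.DecodeString(parts[0])
	sig, errS := base64.RawURLEncoding.DecodeString(parts[2])
	var h struct {
		Alg string `json:"alg"`
	}
	if errH != nil || errS != nil || json.Unmarshal(hdr, &h) != nil || h.Alg != "HS256" {
		return false
	}
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(parts[0] + "." + parts[1]))
	return hmac.Equal(mac.Sum(nil), sig)
}

// AuthMiddleware rejects every request without a valid Bearer token; there is no
// admin_mode switch that lets requests through unverified.
func AuthMiddleware(secret string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		auth := r.Header.Get("Authorization")
		if !strings.HasPrefix(auth, "Bearer ") || !VerifyToken(secret, strings.TrimPrefix(auth, "Bearer ")) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Probe sends one in-process request to a hardened /api/exchanges and returns the
// status code and body, so the behaviour can be checked without a live server.
func Probe(secret string, cfgs []ExchangeConfig, authHeader string) (int, string) {
	h := AuthMiddleware(secret, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(cfgs) // MarshalJSON above guarantees no secrets leave
	}))
	req := httptest.NewRequest(http.MethodGet, "/api/exchanges", nil)
	req.Header.Set("Authorization", authHeader)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Body.String()
}
```

Two design choices are worth noting. Redacting inside MarshalJSON means the listing endpoint cannot regress into returning raw keys even if a future handler encodes the struct directly, which is exactly the failure the thread describes for api/server.go:1009–1021. Generating the secret per start is the simplest way to honour "randomize JWT secret", at the cost of invalidating sessions on restart; an operator who wants stable sessions should set the value explicitly, which ResolveJWTSecret accepts as-is, but the shipped default is always refused.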