⚠ The team behind this tool is not publicly identified. Treat with extra caution: anonymous authorship is a significant trust risk.
NOFX
AI Assistant
Grade: D
Overall score: 1.4
Reviewed April 20, 2026
NOFX shipped with a zero-authentication admin mode that let anyone retrieve all exchange API keys and wallet private keys from a public endpoint. A partial patch left a hardcoded JWT secret. SlowMist found 1,000+ exposed deployments and coordinated emergency key rotation with Binance and OKX. The team is anonymous, there is no Privacy Policy or Terms of Service, the project has no formal releases, and it is in an active internal equity dispute.
Score Summary
Claim Accuracy: 2/5
Data & Privacy: 2/5
Security Posture: 1/5
Transparency: 1/5
Key Findings
› SlowMist (a leading blockchain security firm) disclosed on November 17, 2025 that NOFX shipped with admin mode enabled by default with no authentication, allowing anyone to send a public GET request to /api/exchanges and retrieve all stored exchange API keys, secret keys, Hyperliquid wallet addresses, and Aster DEX private keys in plaintext. SlowMist identified over 1,000 publicly deployed instances in this vulnerable state and coordinated emergency API key rotation with the Binance and OKX security teams. As of November 13, 2025 the dev HEAD still contained the hardcoded default JWT secret that made the partial fix bypassable — source: https://slowmist.medium.com/threat-intelligence-analysis-of-the-nofx-ai-automated-trading-vulnerability-e4f4664ad1e6.
› The partial fix (Nov 5, commit be768d9) added JWT authentication but retained a publicly known default jwt_secret in config.json.example and main.go, and start.sh copied the example config when no config was present. Any attacker who knew the default secret could therefore forge a valid JWT and continue reading all exchange credentials. The /api/exchanges endpoint still returned every sensitive field in unmasked plain JSON — source: https://x.com/SlowMist_Team/status/1990360109931970607.
› The GitHub organization has no public members and nofxos.ai returns 403. The only known team identity is 'Tinkle' (primary developer), identified in a December 2025 internal dispute report, not on the official product site. In December 2025, a contributor known as 'Zack' claimed 50% ownership, took control of the project's Twitter account, and demanded 500,000 USDT. The team denied commercialisation rumours; Amber.ac denied any investment relationship — source: https://www.bitget.com/news/detail/12560605119717.
› No formal releases have been published; GitHub shows 'No releases published.' The project uses curl-piped installation from raw GitHub URLs and recommends running the same curl command daily to auto-update. The README embeds affiliate referral codes for all nine supported exchanges without disclosure — source: https://github.com/NoFxAiOS/nofx.
› No Privacy Policy or Terms of Service exist. DISCLAIMER.md is present with a risk warning. SECURITY.md exists with a responsible disclosure process. The license is AGPL-3.0, not MIT: commercial use and SaaS distribution without open-sourcing modifications are restricted — source: https://github.com/NoFxAiOS/nofx.
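As an added illustration of the two defects in the first two findings (a shipped default jwt_secret that a copied example config silently kept in service, and a listing endpoint that returned credential material verbatim), here is the shape of the mitigations a maintainer would want. This is example code written for this review, not code from NOFX or SlowMist; the placeholder default string, the minimum length, the Exchange field names and the type names are all assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// knownDefaultSecrets lists values a deployment must never run with.
// The entry below is a constructed placeholder for this example, not NOFX's real default.
var knownDefaultSecrets = map[string]bool{
	"CHANGE_ME_DEFAULT_JWT_SECRET": true,
}

// minSecretBytes is an assumed policy minimum for a signing secret.
const minSecretBytes = 32

// ValidateJWTSecret is the startup guard whose absence let a copied
// config.json.example keep a publicly known signing key in service.
// It refuses an empty secret, any shipped default, and anything too short.
func ValidateJWTSecret(secret string) error {
	if secret == "" {
		return errors.New("jwt_secret is empty; refusing to start")
	}
	if knownDefaultSecrets[secret] {
		return errors.New("jwt_secret matches a shipped default; generate a unique value")
	}
	if len(secret) < minSecretBytes {
		return fmt.Errorf("jwt_secret is %d bytes; need at least %d", len(secret), minSecretBytes)
	}
	return nil
}

// GenerateSecret produces a random hex secret that passes ValidateJWTSecret,
// the value an installer should write instead of copying the example config.
func GenerateSecret() (string, error) {
	b := make([]byte, minSecretBytes)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// Exchange mirrors the kind of stored record the vulnerable endpoint returned as-is
// (field names are assumed for the example).
type Exchange struct {
	Name      string `json:"name"`
	APIKey    string `json:"api_key"`
	SecretKey string `json:"secret_key"`
	WalletKey string `json:"wallet_private_key"`
}

// ExchangeView is what an admin listing should return: enough to identify a
// configured credential, never the credential itself.
type ExchangeView struct {
	Name       string `json:"name"`
	APIKeyHint string `json:"api_key_hint"`
	HasSecret  bool   `json:"has_secret_key"`
	HasWallet  bool   `json:"has_wallet_private_key"`
}

// maskKey keeps the first and last four characters so an operator can tell
// keys apart; anything of eight characters or fewer is fully masked.
func maskKey(k string) string {
	if len(k) <= 8 {
		return strings.Repeat("*", len(k))
	}
	return k[:4] + strings.Repeat("*", len(k)-8) + k[len(k)-4:]
}

// Redact converts a stored record into its safe listing form.
func Redact(e Exchange) ExchangeView {
	return ExchangeView{
		Name:       e.Name,
		APIKeyHint: maskKey(e.APIKey),
		HasSecret:  e.SecretKey != "",
		HasWallet:  e.WalletKey != "",
	}
}

// RenderExchanges builds the JSON body a hardened /api/exchanges handler would
// send; secret and private-key material never reaches the wire.
func RenderExchanges(list []Exchange) (string, error) {
	views := make([]ExchangeView, 0, len(list))
	for _, e := range list {
		views = append(views, Redact(e))
	}
	out, err := json.Marshal(views)
	if err != nil {
		return "", err
	}
	return string(out), nil
}

func main() {
	// Constructed sample: the shipped default is rejected, a generated secret is accepted.
	fmt.Println("default secret:", ValidateJWTSecret("CHANGE_ME_DEFAULT_JWT_SECRET"))
	s, _ := GenerateSecret()
	fmt.Println("generated secret ok:", ValidateJWTSecret(s) == nil)
	body, _ := RenderExchanges([]Exchange{{Name: "binance", APIKey: "abcdefghijkl", SecretKey: "TOPSECRET-VALUE"}})
	fmt.Println(body)
}
```

The two checks are independent: ValidateJWTSecret belongs at process start so a misconfigured instance never binds a port, and RenderExchanges ensures that even an authenticated or mistakenly exposed listing carries only hints and presence flags.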