Before delving into this story, I need to clarify my role in this event.
I am an observer and analyst. During the peak of the Nofx project, I developed the nof0 project, inspired by nof1. Throughout the development process, I had communications with Nofx's core members, Tinkle and Zack, mainly about technical implementation and open-source collaboration.
It is important to note that my interactions with the Nofx team were solely technical exchanges with no commercial partnership. There was no direct contact with the ChainOpera AI (COAI) team. In writing this article, I have strived to maintain an objective and neutral position. All analyses and judgments are based on publicly available information, including GitHub records, social media posts, security reports, etc.
Timeline of Events:
• Late October 2025: Nofx project launched, quickly gaining nearly 9000 stars on GitHub in just 2 months.
• November 2025: Security vulnerability exposed; SlowMist issued a security advisory (Hacking Incident).
• December 2025: Open-source license dispute erupts (Open Source Dispute), while internal team rifts come to light (Internal Conflict).
The entire event lasted about 2 months but brought to light multiple contradictions within the Web3 open-source movement.
The purpose of writing this article is not to take sides or blame any party but rather to:
• Document a typical case of the Web3 open-source movement.
• Explore the deep-seated conflicts between open-source spirit and commercial interests.
• Provide reflection and reference for the future standardization of the industry.
Now, let's start untangling this intricate story from the beginning.
In late October 2025, an AI automated trading project named Nof1 went viral on Twitter. Within a few days, several open-source versions of it—including nof0, nofx, etc.—received thousands of stars on GitHub. Among them, the Nofx project, developed from late October and accumulating over 9000 stars by December, became one of the most prominent open-source projects in the AI Trading field.
However, only two months later, this star project fell into a triple crisis:
Hacking incident: blockchain security firm SlowMist disclosed that Nofx had a serious security vulnerability that fully exposed the exchange API keys, private keys, and wallet addresses of users on more than 1000 deployed instances across the network. Major exchanges including Binance and OKX intervened urgently to help affected users rotate their credentials.
Internal conflict: core project member Tinkle publicly accused the other co-founder, Zack, of having participated for only 14 days and contributed only a few lines of code "yet demanding 50% equity and US$500,000." Zack, through his lawyer, issued formal legal documents accusing Tinkle of "misappropriating assets and tunneling benefits," and provided partnership registration documents showing each party holding 50% equity.
Open source dispute: Nofx publicly accused ChainOpera AI (COAI), which had raised US$17 million, of violating the AGPL open-source license by using its code to deploy a commercial product without open-sourcing it. COAI countered that Nofx was still under the MIT license on November 3 and only switched to AGPL on November 4, and that its product was developed in Python, entirely different from Nofx's Go implementation.
Why would an open-source project so enthusiastically embraced by the community fall into such a complex, multi-layered crisis in just two months? What systemic problems in the open-source community, startup teams, and investment ecosystem does this expose? Let us analyze this controversy in depth through five key questions.
MIT and AGPL: Two Completely Different Open-Source Philosophies
Before discussing the license dispute between Nofx and COAI, we need to understand the fundamental differences between the two open-source licenses:
The MIT License is one of the most permissive open-source licenses. It allows:
• Free use, modification, and distribution of the code
• Commercial use without any obligation to open-source
• Only requirement: retain the original author's copyright notice
AGPL v3.0 (GNU Affero General Public License) is one of the strictest open-source licenses. It requires:
• Any project that uses the code must itself be open-sourced
• In particular, the source code must be made public even when the software is only offered over a network (such as SaaS)
• The original project's information must be displayed in a prominent position
From MIT to AGPL is a 180-degree turn from "extremely permissive" to "extremely strict." This is also the core of the controversy.
License Change and Timing Dispute
The Nofx project's open-source license changed from MIT to AGPL, but the exact time of the change became the focus of the dispute. This point in time is critical because it directly determines which license the ChainOpera (COAI) team was required to follow when it forked the code.
Comparison of evidence from both sides:
• Nofx team