Trezor says funds safe after Ledger Donjon finds flaw in TROPIC01 chip used in Safe 7
Trezor and chip-maker Tropic Square have publicly disclosed a hardware-level vulnerability in the TROPIC01 secure element after an independent audit by Ledger Donjon — Ledger’s white-hat security research team. Despite the finding, Trezor says the Safe 7 hardware wallet and user funds remain secure.
What was found
- In January 2026, Ledger Donjon performed a lab-based laser fault injection attack on the TROPIC01 chip. The team was able to extract some chip secrets and bypass firmware signature checks under controlled conditions.
- Tropic Square later discovered an additional exploitation method using the same underlying weakness that could expose another secret tied to PIN-related chip functions.
- The vulnerability affects the TROPIC01 secure element itself — one part of the Safe 7’s security stack — and sits at the hardware level, so it cannot be remediated via a standard over-the-air firmware update.
Why users aren’t at immediate risk
- Trezor’s Safe 7 was designed with layered security. The device combines three independent components — TROPIC01, Infineon’s OPTIGA Trust M, and an STM32U5 microcontroller — to handle PIN checks, device authenticity and wallet creation.
- Trezor says a compromise of TROPIC01 alone “does not give access to a user’s PIN, wallet or funds.” Matej Žák, Trezor’s CEO, emphasized that the multi-layer architecture keeps funds safe and that customers do not need to take action at this time.
- Trezor and Tropic Square opted for public disclosure after reviewing Ledger Donjon’s findings, despite the issue being a hardware-level problem.
Broader context
- The disclosure offers a rare public look at cross-company security testing in the hardware wallet space. Ledger Donjon has previously published research on physical attack vectors against Trezor devices and other wallets.
- Earlier reporting has flagged physical attack risks tied to microcontrollers and raised concerns about some wallets using ESP32 chips, underscoring that chip-level flaws remain a critical security concern for crypto custody devices.
- Tropic Square positions TROPIC01 as an “open and auditable” secure element, intended to let researchers inspect and test hardware that would otherwise be locked behind NDAs. This episode highlights the value of open testing — it can surface weaknesses before malicious actors exploit them — and also shows that single-chip security is only one part of a device’s overall safety.
What users should do
- Trezor’s current guidance is straightforward: buy devices from official channels, keep firmware up to date, store recovery phrases offline, and avoid using wallets that show signs of tampering.
- Because the issue is hardware-level, affected devices would require hardware replacement or redesign to eliminate the chip vulnerability, not just a firmware patch.
Bottom line: The TROPIC01 flaw is a meaningful hardware finding, but the Safe 7’s multi-chip design means Trezor believes user funds remain protected. The case underlines the importance of layered security and independent audits in the hardware wallet ecosystem.
Read more AI-generated news on: undefined/news
