Trezor and chip maker Tropic Square have publicly disclosed a hardware vulnerability in the TROPIC01 secure element after independent researchers from Ledger Donjon—Ledger’s white‑hat security team—found an exploit during a lab audit. Despite the flaw, Trezor says the Safe 7 wallet and user funds remain secure.
What was found
- Ledger Donjon told Tropic Square in January 2026 that it had performed a laser fault‑injection attack on the TROPIC01 chip under controlled lab conditions. The attack let researchers extract some chip secrets and bypass firmware signature checks.
- Tropic Square later identified an additional exploitation technique that could expose another secret tied to PIN‑related functions on the chip.
- Because this is a hardware‑level issue, it can’t be fixed with a standard remote firmware update.
Why your funds are safe
- Trezor says the vulnerability affects only one of three independent security layers in the Safe 7 device. The Safe 7’s architecture uses TROPIC01 alongside OPTIGA Trust M and an STM32U5 microcontroller to split responsibility for PIN checks, device authenticity and wallet creation.
- A compromise of TROPIC01 alone, Trezor and Tropic Square insist, does not give attackers access to PINs, wallets or funds. “Because the Trezor Safe 7 was built with multiple independent security layers, a vulnerability in TROPIC01 does not put user funds at risk,” CEO Matej Žák said.
- Trezor says users do not need to take any action.
Why this disclosure matters
- The public disclosure provides a rare, transparent look at rival security testing in the hardware‑wallet market. Ledger Donjon has previously audited Trezor devices and published research on physical attack vectors.
- Tropic Square positions TROPIC01 as an “open and auditable” secure element so researchers can inspect hardware that is often tested under NDA. This episode illustrates how open testing can uncover weaknesses before malicious actors do—and that device security depends on the full design, not just a single chip.
- Chip‑level vulnerabilities remain a key risk for custody devices; other recent reports have highlighted risks in devices using chips like the ESP32 and microcontrollers when physical attack surfaces are present.
Practical advice for users
- Buy hardware wallets from official channels.
- Keep firmware up to date.
- Store recovery phrases offline and protect them carefully.
- Avoid using devices that show signs of physical tampering.
Trezor and Tropic Square opted for public disclosure after reviewing Ledger Donjon’s findings. The incident underscores both the importance of independent audits and the layered‑security approach in modern hardware wallets.
Read more AI-generated news on: undefined/news
