Trezor Safe 7 Chip Vulnerability Found in Security Audit

A security audit uncovered a vulnerability in a chip used by the Trezor Safe 7 hardware wallet, but the company says users’ cryptocurrency funds remain protected.

Quick Summary – TLDR:

  • Trezor and Tropic Square disclosed a vulnerability affecting the TROPIC01 Secure Element chip used in the Trezor Safe 7.
  • The flaw was discovered during an independent audit conducted by Ledger Donjon, the security research team at Ledger.
  • Researchers demonstrated a laboratory-based attack that could extract some chip secrets and bypass firmware signature verification.
  • Trezor says the issue does not put user funds, wallets, private keys, or PINs at risk because of the wallet’s multi-layer security design.

What Happened?

Trezor has disclosed a hardware-level vulnerability in one of the security chips used inside its Safe 7 hardware wallet. The issue was discovered during an independent security review carried out by Ledger Donjon, the research division of rival hardware wallet maker Ledger.

While the vulnerability affects the TROPIC01 Secure Element chip, Trezor says the flaw cannot be used on its own to gain access to customer wallets or cryptocurrency holdings.

Security Audit Revealed a Sophisticated Chip-Level Weakness

The vulnerability was uncovered after Tropic Square, a semiconductor company affiliated with Trezor, provided its TROPIC01 Secure Element chip to Ledger Donjon for independent testing. The audit was part of a broader effort to validate the security of the chip following its launch in early 2025.

According to the companies, Ledger Donjon informed Tropic Square in January 2026 that researchers had successfully performed a laser fault injection attack against the chip under controlled laboratory conditions. The attack allowed researchers to extract certain secrets stored within the chip and bypass firmware signature verification checks.

Following a review of the findings, Tropic Square engineers identified an additional exploitation method tied to the same underlying weakness. The second method could potentially expose another secret associated with PIN-related functions within the chip.

Why User Funds Are Not at Risk

Despite the disclosure, Trezor stressed that the vulnerability impacts only one part of the Safe 7’s overall security architecture.

The company explained that the Trezor Safe 7 was designed with three independent security layers. Alongside the TROPIC01 Secure Element, the wallet also relies on an OPTIGA Trust M chip and an STM32U5 microcontroller. These components work together to handle authentication, PIN verification, and wallet generation.

Because of this layered approach, compromising the TROPIC01 chip alone is not enough to gain access to a user’s PIN, private keys, wallet backups, or cryptocurrency assets.

Trezor further noted that exploiting the vulnerability would require:

  • Physical possession of the device
  • Specialized laboratory equipment
  • Significant technical expertise
  • Controlled testing conditions

The company also stated that there is currently no evidence that the vulnerability has ever been exploited in real-world attacks.

No Action Required From Users

Trezor said customers do not need to take any action following the disclosure. Since the issue exists at the hardware level, it cannot be fixed through a conventional firmware update.

The company emphasized that its security design specifically aims to prevent a single component failure from compromising an entire wallet.

Trezor CEO Matej Žák said:

I believe the open process by which this vulnerability was found, examined, and disclosed is the model the industry should hold itself to.

Because the Trezor Safe 7 was built with multiple independent security layers, a vulnerability in TROPIC01 does not put user funds at risk.

Matej Žák, CEO, Trezor

Industry Rivals Worked Together on the Disclosure

The disclosure offers a rare example of cooperation between two major competitors in the hardware wallet industry.

Trezor credited Ledger Donjon’s research team for helping identify the weakness and said transparent security research benefits the entire cryptocurrency ecosystem. Both companies agreed to publicly disclose the findings after reviewing the vulnerability and its potential impact.

The incident also highlights the growing importance of independent security audits as hardware wallet manufacturers face increasing scrutiny over the protection of digital assets.

SQ Magazine Takeaway

I think this disclosure is actually a positive sign for the crypto hardware wallet industry. Instead of hiding a security flaw, Trezor, Tropic Square, and Ledger openly discussed the issue and explained its real-world impact.

The vulnerability sounds serious on paper, but the key takeaway is that user funds were never directly exposed. More importantly, the case shows why layered security matters. A single chip weakness did not translate into a wallet compromise, which is exactly how secure systems should be designed.
