Ledger Audit Finds TROPIC01 Chip Flaw in Trezor Safe 7

Hardware wallet company Trezor and chipmaker Tropic Square have disclosed a vulnerability in one of three independent security layers in the Trezor Safe 7 hardware wallet, saying the flaw does not put user funds at risk.

The vulnerability was identified during an independent security audit conducted by Ledger Donjon, the security research team at rival hardware wallet maker Ledger, according to a Trezor statement sent to Cointelegraph.

Tropic Square provided the affected TROPIC01 Secure Element chip to the Ledger Donjon team for an independent audit. Trezor said compromising TROPIC01 alone would not be enough to access a user’s wallet, PIN or funds because Safe 7 relies on multiple independent security layers, including another secure element.

The disclosure offers a rare public look at how hardware wallet makers handle chip-level security flaws and highlights the growing role of independent researchers in testing crypto custody devices.

Flaw surfaced during independent security testing

According to Trezor, the vulnerability was discovered during an independent security review initiated by Tropic Square after the launch of its TROPIC01 secure element in early 2025.

Ledger’s Donjon informed Tropic Square in January 2026 that it had successfully carried out a laser fault injection attack against the chip, allowing researchers to extract some chip-held secrets and bypass firmware signature verification under lab conditions.

TROPIC01 is one of two secure elements in Trezor Safe 7, which launched in October 2025. Source: SatoshiLabs

After reviewing Ledger Donjon’s findings, Tropic Square engineers identified an additional method of exploiting the weakness that could expose another chip-held secret tied to PIN-related functions.

The company notified its partners, including Trezor, and opted to publicly disclose the vulnerability alongside Donjon’s research.

Trezor says users do not need to take any action

Trezor said users do not need to take any action following the disclosure, adding that the vulnerability does not affect funds stored on the device because compromising TROPIC01 alone is not enough to access the wallet, PIN or funds.

As the issue exists at the hardware level, it cannot be fixed through a remote firmware update.

“Because the Trezor Safe 7 was built with multiple independent security layers, a vulnerability in TROPIC01 does not put user funds at risk,” Trezor CEO Matej Žák said.

Source: Trezor

Trezor noted that Ledger’s Donjon team has previously published independent security research on its devices, including a report on the Trezor Safe 3 that demonstrated an attack involving supply-chain-style physical interception, desoldering and modification of the device before it reached users.

The company responded publicly at the time and has continued hardening against such attack vectors, adding that it was not aware of any user funds being compromised.

Cointelegraph reached out to Trezor regarding audits of the other two chips used in the Safe 7, as well as chips in previous device iterations, but had not received a response by publication.
