James Ding
Jun 03, 2026 11:23
Ledger Donjon exposed a flaw in TROPIC01 chip used by Trezor Safe 7. Trezor assures user funds remain safe due to multi-layer security.
An independent security audit by Ledger Donjon has uncovered a vulnerability in the TROPIC01 secure element chip used in Trezor’s Safe 7 hardware wallet. Despite the flaw, Trezor has assured users that funds remain secure due to the device’s multi-layered security architecture.
The TROPIC01 chip, developed by Tropic Square (a SatoshiLabs subsidiary), is a key component of the Safe 7 wallet, which launched in October 2025. It is designed for hardware-enforced PIN protection, device authenticity verification, and cryptographic random number generation. The vulnerability was discovered during a laser fault injection attack conducted under lab conditions earlier this year, Ledger’s Donjon team confirmed.
Multiple Security Layers Mitigate Threat
Trezor emphasized that the vulnerability, which bypassed firmware signature verification, does not jeopardize user funds. “Because the Trezor Safe 7 was built with multiple independent security layers, a vulnerability in TROPIC01 does not put user funds at risk,” said Trezor CEO Matej Žák.
The Safe 7 employs two secure elements, including an EAL6+ chip, which acts as an additional safeguard against hardware attacks. This dual-chip architecture reduces the likelihood of a single-point-of-failure scenario, a design choice Trezor has highlighted as critical for user security.
Open Architecture: Transparency vs. Risk
The TROPIC01 chip, launched in February 2025, represents the industry’s first open-architecture secure element, according to Tropic Square. This transparency enables independent audits like the one conducted by Ledger Donjon but also increases the scrutiny of potential flaws. In a blog post, Tropic Square noted that the open model allows faster identification and patching of vulnerabilities, though hardware issues like the one disclosed cannot be fixed remotely.
The flaw also underscores the unique dynamic between hardware wallet manufacturers. While Ledger and Trezor are market competitors, Ledger’s Donjon team has consistently conducted independent audits on other wallets, including Trezor’s, to promote better overall security standards in the crypto custody space.
Historical Context and Industry Impact
This is not the first time Trezor devices have faced security scrutiny. In April 2026, CVE-2025-69893 detailed an information disclosure vulnerability linked to mnemonic processing in Trezor wallets. That issue was swiftly patched, highlighting Trezor’s proactive approach to mitigating risks. Notably, no confirmed large-scale fund losses have been tied to hardware-level exploits of Trezor devices; phishing and social engineering remain the primary attack vectors, according to recent reports.
For users, the takeaway is clear: while Trezor and Tropic Square’s disclosure reaffirms the importance of independent security testing, the layered architecture of the Safe 7 appears to provide sufficient protection against real-world exploitation. Trezor has not recommended any additional user actions at this time.
Market Implications
The hardware wallet market continues to evolve, with security being a critical factor for users managing significant crypto holdings. Trezor’s handling of the TROPIC01 flaw may strengthen its reputation for transparency but could also raise questions about the inherent risks of open-architecture components. For now, competitors like Ledger may gain a temporary edge among cautious users, but the absence of actual fund losses minimizes immediate fallout.
As the crypto industry grows, expect further collaboration—and competition—between wallet makers in identifying and addressing security vulnerabilities. For existing Safe 7 users, the message remains consistent: user funds are reportedly safe, and the device’s multi-layer defense systems appear to be working as intended.
Image source: Shutterstock
Be the first to comment