Trezor Confirms TROPIC01 Chip Vulnerability, Safe 7 Funds Remain Secure

Summary: Trezor confirmed a vulnerability in the TROPIC01 chip used in Safe 7 wallets. Researchers from Ledger Donjon found a flaw exploitable via laser fault-injection attacks, allowing partial secret extraction and bypass of firmware signature checks. Tropic Square later identified an additional exploitation technique tied to PIN-related functions. Trezor says user funds remain secure due to the wallet’s three-layer security model. The company says users need take no action, but recommends keeping firmware up to date and buying from official channels. The disclosure emphasizes the role of independent audits in hardware wallet security.

Trezor and chip maker Tropic Square have publicly disclosed a hardware vulnerability in the TROPIC01 secure element after independent researchers from Ledger Donjon—Ledger’s white‑hat security team—found an exploit during a lab audit. Despite the flaw, Trezor says the Safe 7 wallet and user funds remain secure.

What was found

- Ledger Donjon told Tropic Square in January 2026 that it had performed a laser fault‑injection attack on the TROPIC01 chip under controlled lab conditions. The attack let researchers extract some chip secrets and bypass firmware signature checks.
- Tropic Square later identified an additional exploitation technique that could expose another secret tied to PIN‑related functions on the chip.
- Because this is a hardware‑level issue, it can’t be fixed with a standard remote firmware update.

Why your funds are safe

- Trezor says the vulnerability affects only one of three independent security layers in the Safe 7 device. The Safe 7’s architecture uses TROPIC01 alongside OPTIGA Trust M and an STM32U5 microcontroller to split responsibility for PIN checks, device authenticity and wallet creation.
- A compromise of TROPIC01 alone, Trezor and Tropic Square insist, does not give attackers access to PINs, wallets or funds. “Because the Trezor Safe 7 was built with multiple independent security layers, a vulnerability in TROPIC01 does not put user funds at risk,” CEO Matej Žák said.
- Trezor says users do not need to take any action.

Why this disclosure matters

- The public disclosure provides a rare, transparent look at rival security testing in the hardware‑wallet market. Ledger Donjon has previously audited Trezor devices and published research on physical attack vectors.
- Tropic Square positions TROPIC01 as an “open and auditable” secure element so researchers can inspect hardware that is often tested under NDA. This episode illustrates how open testing can uncover weaknesses before malicious actors do—and that device security depends on the full design, not just a single chip.
- Chip‑level vulnerabilities remain a key risk for custody devices; other recent reports have highlighted risks in devices using chips like the ESP32 and microcontrollers when physical attack surfaces are present.

Practical advice for users

- Buy hardware wallets from official channels.
- Keep firmware up to date.
- Store recovery phrases offline and protect them carefully.
- Avoid using devices that show signs of physical tampering.

Trezor and Tropic Square opted for public disclosure after reviewing Ledger Donjon’s findings. The incident underscores both the importance of independent audits and the layered‑security approach in modern hardware wallets.
