What vulnerability was found in the Trezor Safe 7 hardware wallet?

Researchers discovered a flaw in the TROPIC01 secure element chip used in the Trezor Safe 7. The vulnerability was identified during an independent audit and affects the chip itself rather than the entire wallet system.

Does the Trezor Safe 7 vulnerability put user funds at risk?

According to Trezor and Tropic Square, user funds are not at risk. The companies said compromising the TROPIC01 chip alone is insufficient to gain access to wallet assets, PINs, or private keys.

Who discovered the Trezor Safe 7 chip flaw?

The vulnerability was discovered by Ledger Donjon, the security research division of hardware wallet competitor Ledger. The finding came during an independent audit requested by Tropic Square following the chip's launch.

What is the TROPIC01 secure element?

TROPIC01 is a secure element chip designed to protect sensitive operations within the Trezor Safe 7 hardware wallet. Secure elements are specialised chips used to safeguard cryptographic secrets and improve wallet security.

How was the vulnerability exploited during testing?

Ledger Donjon researchers used a laser fault injection attack in laboratory conditions. The technique allowed them to extract certain chip-held secrets and bypass firmware signature verification mechanisms.

Do Trezor users need to take any action?

No. Trezor said users do not need to update devices, move funds, or change security settings. The company stated that the vulnerability cannot be exploited to access user funds under normal conditions.

Can Trezor fix the vulnerability through a firmware update?

No. Trezor said the issue exists at the hardware level, meaning it cannot be fixed remotely through a software or firmware update. However, the company maintains that existing security layers continue to protect users.

Why is this disclosure important for the crypto industry?

The disclosure provides a rare public look at how hardware wallet manufacturers handle security research and vulnerabilities. It also demonstrates the role independent security audits play in strengthening crypto custody products.

Image for illustrative purposes only. Not a real photo.

Trezor discloses chip flaw found by Ledger

Written by Jon CuthbertPublished Jun 4, 2026, 6:47 AM

Trezor and chipmaker Tropic Square disclosed a vulnerability in the TROPIC01 secure element used in the Trezor Safe 7 hardware wallet, saying the flaw does not compromise user funds because the chip alone cannot provide access to wallets or private assets.

The vulnerability was identified during an independent security audit conducted by Ledger Donjon, the research team of rival hardware wallet manufacturer Ledger, after Tropic Square submitted the chip for testing following its launch in early 2025.

“Because the Trezor Safe 7 was built with multiple independent security layers, a vulnerability in TROPIC01 does not put user funds at risk,”

Said Trezor Chief Executive Officer, Matej Žák.

According to the companies, Ledger researchers successfully carried out a laser fault injection attack under laboratory conditions that enabled the extraction of certain chip-held secrets and bypassed firmware signature verification mechanisms.

Tropic Square later identified an additional exploitation method related to PIN-associated functions and chose to publicly disclose the vulnerability alongside Ledger's findings while notifying partners including Trezor.

Trezor said users do not need to take any action because compromising the TROPIC01 chip alone is insufficient to access wallet data, PINs or stored funds, while noting that the hardware-level issue cannot be resolved through a remote firmware update.

The disclosure offers a rare public examination of hardware wallet security practices and follows previous independent research by Ledger Donjon into Trezor devices, as manufacturers continue strengthening defences against increasingly sophisticated physical attack techniques.