What Was Found Inside The Trezor Safe 7? Ledger’s Donjon security research team disclosed a hardware vulnerability in the TROPIC01 chip used inside the Trezor Safe 7, showing that a lab-based
What Was Found Inside The Trezor Safe 7?
Ledger’s Donjon security research team disclosed a hardware vulnerability in the TROPIC01 chip used inside the Trezor Safe 7, showing that a lab-based laser attack could bypass the chip’s firmware verification system. Trezor said user funds were not compromised and that users do not need to take action. The attack required physical possession of the device, decapsulation of the chip, and a precisely calibrated 1064 nm laser to inject faults into the chip’s signature verification process during firmware updates and device boot. In practical terms, a highly equipped attacker could use the method to load unauthorized firmware onto the chip and then attempt to execute it through additional fault injection during boot. The researchers confirmed execution by modifying the chip to return “HACK” in its basic device identification response. Tropic Square, the maker of the TROPIC01 chip, said the vulnerability affects all production TROPIC01 chips currently in the field. The finding is important because hardware
wallets are marketed around physical custody and device-level security. A chip-level flaw does not automatically mean user funds are exposed, but it does show that secure elements remain subject to advanced lab attacks and require layered defenses rather than reliance on a single component.
Why Does Trezor Say User Funds Are Not At Risk?
Trezor said the TROPIC01 chip is only one part of the Safe 7’s security model. The device uses multiple independent security layers, and the affected chip does not store user funds, wallet backups, or private keys. The company’s argument is that compromising TROPIC01 alone is not enough to access a wallet. That distinction matters because hardware wallet risk depends not only on whether one chip can be attacked, but also on whether the attacker can move from that chip to the secrets needed to sign transactions or recover a wallet. Trezor CEO Matej Zak said the disclosure reflects the company’s security design. “The PIN, the wallet backup, and the keys to users' funds are never held on a single chip. That is by design,” he said. “I believe the open process by which this vulnerability was found, examined, and disclosed is the model the industry should hold itself to.” The vulnerability also has strict practical limits. The attack requires advanced equipment, direct physical access, chip-level manipulation, and lab conditions. It is not a remote exploit and does not allow an attacker to drain funds over the internet.
Investor Takeaway
The disclosure does not point to an immediate custody failure, but it raises the standard for hardware wallet due diligence. Investors should treat secure element design, independent audits, physical attack resistance, and layered key protection as core product risks, not technical extras.
What Did Tropic Square Find After The Initial Review?
Tropic Square conducted its own follow-up analysis after Ledger Donjon’s findings and identified an additional attack path affecting the chip’s MAC-and-Destroy security mechanism. That mechanism underpins PIN verification and hardware-backed secret storage. During Ledger Donjon’s initial testing window, the MAC-and-Destroy boundary resisted extraction attempts. Tropic Square’s later review found a separate method that could compromise that boundary, going beyond the initial disclosure. The company disclosed the existence of the vulnerability but withheld technical details until a hardened silicon revision is available. The hardened version of TROPIC01 is currently scheduled for late 2026, with fuller technical details expected in spring 2027. That timeline reflects a key limitation of hardware security: some flaws cannot be fully fixed through remote software patches because they are embedded in the chip design. An immediate mitigation is still available. Disabling MAINTENANCE mode on the chip closes the primary entry point used in the demonstrated attack and forces a more complex, multi-step exploit path. That reduces practical exposure while the chip maker works on a silicon-level revision.
What Does This Mean For The Hardware Wallet Market?
The disclosure gives the
crypto custody market a rare public look at how rival hardware wallet teams test each other’s devices and how chip makers manage coordinated vulnerability reporting. The process also shows why open review and adversarial testing matter for custody products that are trusted with
long-term crypto holdings. For Trezor, the main reputational test is whether users accept that a chip-level vulnerability can exist without creating fund-level exposure. The company’s defense depends on the Safe 7’s layered
design, where no single chip holds the PIN, backup, and wallet keys together. For Tropic Square, the issue is more direct. TROPIC01 is a security component, and the finding affects production chips already in the field. Even with limited practical risk, the company must show that the hardened revision can address both the firmware verification bypass and the additional MAC-and-Destroy attack path. For the wider market, the lesson is that hardware wallets should not be assessed by brand claims alone. The relevant questions are whether devices separate critical secrets, whether attacks require physical possession or can be performed remotely, whether independent researchers can test the design, and whether vendors disclose flaws clearly when they are found. The Safe 7 vulnerability does not appear to create an immediate fund-loss event. It does, however, reinforce a broader custody reality:
hardware wallet security is a layered engineering problem, and confidence depends on how well vendors handle flaws after they are discovered.
