Best crypto insights delivered straight to your inbox.
Ledger researchers find chip flaw in Trezor Safe 7, but user funds not at risk
- Ledger’s Donjon security team used laser fault injection to bypass signature verification on the TROPIC01 chip inside Trezor’s Safe 7 hardware wallet.
- Tropic Square found a related attack that could extract an additional PIN-related secret.
- Trezor says user funds and private keys are not at risk because the chip is only one of three independent security layers.
Trezor and the chip maker Tropic Square have disclosed a hardware vulnerability in the TROPIC01 secure element chip used in the Trezor Safe 7 wallet.
The vulnerability was found during an independent audit by rival Ledger’s security research team, Donjon. So far, Trezor claims that user funds and private keys were not compromised.
What did Ledger’s audit of Trezor reveal?
Researchers from Ledger’s Donjon team, the security division of Trezor’s direct competitor, found a flaw in the TROPIC01 secure element chip during an audit. This chip is made by Tropic Square, Trezor’s sister company, and is billed as the first secure element chip with publicly available hardware design and firmware source code.
The researchers used a high-tech method called laser fault injection. The researchers physically opened the chip package and then shot a precise infrared laser at the silicon to mess with the signature verification process. This allowed them to run their own unauthorized code on that specific chip.
Tropic Square provided commercial chip samples to Donjon for evaluation, and the team reported the flaw in late January 2026.
After receiving Donjon’s findings, Tropic Square’s own engineers found a related attack path that could extract an additional secret tied to the chip’s PIN protection functions.
What can Tropic Square or Trezor do to secure users more?
Due to the vulnerability being at the hardware level, it cannot be patched through a software update for existing Safe 7 devices, Trezor confirmed. Tropic Square said it is already producing a new chip batch that addresses the flaw, but users do not need to take any action.
The company stressed that the Safe 7 uses three independent physical security layers, and the TROPIC01 chip is only one of them. Private keys and wallet backups are not stored on the affected chip.
Exploiting the vulnerability also requires physical possession of the device, disassembly, backside decapsulation of the chip package, and access to specialized laser fault injection equipment.
Blockchain security firm Cyvers said that the attack appears “highly impractical” for real-world use. “Hardware wallet security should not be evaluated only by whether a chip can eventually be attacked in a lab,” Cyvers CEO Deddy Lavid said. In his view, phishing, seed phrase theft, and blind-signing are far larger threats for most users.
If you're reading this, you’re already ahead. Stay there with our newsletter.
FAQs
Is the Trezor Safe 7 hacked?
No. The vulnerability affects only the TROPIC01 secure element chip, one of three physical security layers in the device, and does not give an attacker access to private keys, wallet backups, or the user PIN, according to Trezor.
Do Trezor Safe 7 owners need to do anything?
Trezor says no action is required. The attack demands physical possession, disassembly, and expensive lab equipment, and no real-world exploitation has been reported.
Can the vulnerability be fixed with a software update?
No. Because the flaw is at the hardware level, existing Safe 7 devices cannot be patched remotely. Tropic Square said it is manufacturing a new batch of TROPIC01 chips that fixes the issue.
Disclaimer. The information provided is not trading advice. Cryptopolitan.com holds no liability for any investments made based on the information provided on this page. We strongly recommend independent research and/or consultation with a qualified professional before making any investment decisions.
Hannah Collymore
Hannah is a writer and editor with nearly a decade of blog writing and event reporting experience in the crypto space. At Cryptopolitan, Hannah contributes to the news page, reporting and analyzing the latest developments in DeFi, RWA, crypto regulation, AI and frontier tech industries. She graduated from Arcadia university with a degree in Business Administration.
CRASH COURSE
- Which cryptocurrencies can make you money
- How to boost your security with a wallet (and which ones are actually worth using)
- Little-known investment strategies that the pros use
- How to get started investing in crypto (which exchanges to use, the best crypto to buy etc)