Hardware wallet company Trezor and chipmaker Tropic Square have disclosed a vulnerability in one of the secure elements used in the Trezor Safe 7 hardware wallet, saying the flaw does not put user funds at risk because the chip alone cannot expose a wallet.
The vulnerability was identified during an independent security audit conducted by Ledger Donjon, the security research team at rival hardware wallet maker Ledger, according to a Trezor statement.
Tropic Square provided the affected TROPIC01 Secure Element chip to the Ledger Donjon team for an independent audit. The companies said compromising TROPIC01 alone would not be enough to access a user’s wallet, PIN or funds.
The disclosure offers a rare public look at how hardware wallet makers handle chip-level security flaws and highlights the growing role of independent researchers in testing crypto custody devices.
Flaw surfaced during independent security testing
According to Trezor, the vulnerability was discovered during an independent security review initiated by Tropic Square after the launch of its TROPIC01 secure element in early 2025.
Ledger’s Donjon informed Tropic Square in January 2026 that it had successfully carried out a laser fault injection attack against the chip, allowing researchers to extract some chip-held secrets and bypass firmware signature verification under lab conditions.
TROPIC01 is one of two secure elements in Trezor Safe 7, which launched in October 2025. Source: SatoshiLabs
After reviewing Ledger Donjon’s findings, Tropic Square engineers identified an additional method of exploiting the weakness that could expose another chip-held secret tied to PIN-related functions.
The company notified its partners, including Trezor, and opted to publicly disclose the vulnerability alongside Donjon’s research.
Trezor says users do not need to take any action
Trezor said users do not need to take any action following the disclosure, adding that the vulnerability does not affect funds stored on the device because compromising TROPIC01 alone is not enough to access the wallet, PIN or funds.
As the issue exists at the hardware level, it cannot be fixed through a remote firmware update.
“Because the Trezor Safe 7 was built with multiple independent security layers, a vulnerability in TROPIC01 does not put user funds at risk,” Trezor CEO Matej Žák said.
Trezor noted that Ledger’s Donjon team has previously published independent security research on its devices, including a report on the Trezor Safe 3 that demonstrated an attack involving supply-chain-style physical interception, desoldering and modification of the device before it reached users.
The company responded publicly at the time and has continued hardening against such attack vectors, adding that it was not aware of any user funds being compromised.
“No Donjon research has identified a vulnerability in the Optiga secure element, and the STM32U5 used in the Safe 7 is a more recent microcontroller with no demonstrated fault-injection attack against it,” a spokesperson for Trezor told Cointelegraph.
Cointelegraph reached out to Ledger Donjon regarding audits of other secure elements used in Trezor hardware wallets, but had not received a response by publication.
