Trezor and the chip maker Tropic Square have disclosed a hardware vulnerability in the TROPIC01 secure element chip used in the Trezor Safe 7 wallet. The vulnerability was found during an independent audit by rival Ledger’s security research team, Donjon. So far, Trezor claims that user funds and private keys were not compromised. What did Ledger’s audit of Trezor reveal? Researchers from Ledger’s Donjon team, the security division of Trezor’s direct competitor, found a flaw in the TROPIC01 secure element chip during an audit. This chip is made by Tropic Square , Trezor’s sister company, and is billed as the first secure element chip with publicly available hardware design and firmware source code. The researchers used a high-tech method called laser fault injection. The researchers physically opened the chip package and then shot a precise infrared laser at the silicon to mess with the signature verification process. This allowed them to run their own unauthorized code on that specific chip. Tropic Square provided commercial chip samples to Donjon for evaluation, and the team reported the flaw in late January 2026. After receiving Donjon’s findings, Tropic Square’s own engineers found a related attack path that could extract an additional secret tied to the chip’s PIN protection functions. What can Tropic Square or Trezor do to secure users more? Due to the vulnerability being at the hardware level, it cannot be patched through a software update for existing Safe 7 devices, Trezor confirmed . Tropic Square said it is already producing a new chip batch that addresses the flaw, but users do not need to take any action. The company stressed that the Safe 7 uses three independent physical security layers, and the TROPIC01 chip is only one of them. Private keys and wallet backups are not stored on the affected chip. Exploiting the vulnerability also requires physical possession of the device, disassembly, backside decapsulation of the chip package, and access to specialized laser fault injection equipment. Blockchain security firm Cyvers said that the attack appears “highly impractical” for real-world use. “Hardware wallet security should not be evaluated only by whether a chip can eventually be attacked in a lab,” Cyvers CEO Deddy Lavid said. In his view, phishing , seed phrase theft, and blind-signing are far larger threats for most users. Don’t just read crypto news. Understand it. Subscribe to our newsletter. It's free .
