In today’s crypto update, hardware wallet security has come under fresh scrutiny after Ledger researchers disclosed a vulnerability in the chip used by the Trezor Safe 7. Despite the discovery, Trezor has assured users that their funds remain secure and that the issue does not pose an immediate risk to customer assets.
Ledger Identifies Vulnerability in Safe 7 Chip
Ledger’s Donjon security research team has disclosed a hardware vulnerability in the TROPIC01 chip used inside the Safe 7 wallet from rival Trezor. The researchers demonstrated a lab-based laser attack that bypassed the chip’s firmware verification system.
The issue was uncovered during an analysis of the Trezor Safe 7 hardware wallet. According to Ledger, the vulnerability exists within the chip itself rather than in Trezor’s software or wallet architecture. Ledger explained that an attacker with physical access to the device and advanced technical capabilities could potentially exploit the weakness. The research focused on hardware-level security and highlighted risks arising from third-party components integrated into crypto wallets.
Further analysis uncovered additional concerns beyond Ledger’s original findings. In its own follow-up review, Tropic Square identified a separate attack path that could compromise the same MAC-and-Destroy security boundary, extending beyond the vulnerability disclosed by Ledger. The company revealed the flaw but withheld technical details to prevent potential abuse. Tropic Square said it plans to release a hardened silicon revision of the TROPIC01 chip in late 2026, with full technical disclosure of the vulnerability expected in spring 2027.
Trezor Responds to Security Concerns
Following the disclosure, Trezor moved quickly to reassure its community. Trezor reassured users that no funds are at risk and stressed that attackers can only execute the demonstrated exploit in highly controlled laboratory conditions using specialized equipment. The company stated that the vulnerability does not create a direct threat to customers under normal usage conditions. Trezor noted that exploiting the flaw would require physical possession of the device and advanced technical expertise.
Further, Trezor highlighted the limited real-world impact of the vulnerability. The company explained that the TROPIC01 chip represents just one of three independent security layers inside the Trezor Safe 7. According to Trezor, the chip does not store user funds, wallet backups, or private keys, placing clear limits on the practical danger posed by the disclosed attack.
The team also pointed to additional security protections that remained intact during testing. According to Trezor, Ledger’s researchers were unable to extract the chip’s hardware-backed secret storage during their initial testing window. The company noted that the mechanism, known as MAC-and-Destroy, underpins PIN verification and successfully resisted attempts to extract it.
Meanwhile, an immediate firmware-based mitigation is already available. Trezor explained that users can disable the chip’s MAINTENANCE mode, closing the attack’s primary entry point. The change forces attackers to rely on a significantly more complex multi-step exploit, further reducing the attack’s practicality in real-world scenarios.
However, the disclosure highlights the ongoing security race within the hardware wallet industry. As digital asset adoption grows, wallet providers continue investing in research, audits, and defensive technologies to counter increasingly sophisticated threats. The incident also shows how security disclosures can strengthen the broader crypto ecosystem by helping companies identify and address vulnerabilities before malicious actors can exploit them.
Josiah Oluwadare
