Cryptocurrency wallet manufacturer Trezor has disclosed a vulnerability found in the security chip used in its new Safe 7 device. Despite the discovery, the company has assured users that their crypto assets remain safe, no private keys or backups are at risk, and there is currently no action required from users.
Source and discovery of the vulnerability
The vulnerability affects the TROPIC01 security chip, developed by Tropic Square, a company affiliated with Trezor. According to Trezor, the issue was identified during an independent security review conducted by Donjon, Ledger’s well-known internal hardware security research team. Donjon researchers managed to bypass certain protective layers of the chip using specialized laboratory equipment.
Mini glossary: Donjon is a hardware security research team operating within Ledger. The group is recognized for conducting penetration tests involving physical attack scenarios on wallet chips.
Subsequently, Tropic Square identified a second, related weakness in the same chip. This issue could potentially expose additional information stored on the chip. However, Trezor has emphasized that the Safe 7 is designed with multiple security layers and is not solely dependent on a single component for its protection.
No direct risk to user funds
According to the company’s statement, the vulnerability does not grant attackers direct access to users’ crypto assets, private keys, or wallet backups. As a result, Trezor has reassured customers that their funds remain protected and that there is no need for users to take extra precautions at this time.
Trezor has clarified that the vulnerability does not compromise users’ crypto assets, private keys, or wallet backups, underscoring that the Safe 7 is protected by a layered security approach.
The company explained that for such an attack to be plausible, an attacker would need to obtain physical access to the device, possess advanced technical skills, and use costly laboratory equipment. To date, there is no evidence that the vulnerability has been exploited in real-world scenarios.
Transparency highlighted within the industry
Trezor CEO Matej Zak has expressed that the transparent process followed in identifying, investigating, and publicly disclosing the vulnerability should serve as a benchmark for the sector. This proactive approach has once again highlighted the importance of independent security audits and responsible disclosure practices among hardware wallet manufacturers.
Matej Zak described the open methodology adopted for uncovering, analyzing, and sharing details of the vulnerability as the standard model that the entire industry ought to embrace.
Trezor’s announcement has drawn clear boundaries around the scope of the incident, while reiterating that user funds remain safeguarded. According to company disclosures, the potential risk from the vulnerability appears limited only to highly technical, physical attack scenarios under very specific conditions.
