Trezor Safe 7 Funds Secure Despite Chip Flaw Found by Ledger


Key takeaways:

  • Trezor's layered security design withstood a hardware flaw, reinforcing confidence in defense-in-depth custody models.
  • Transparent disclosure amid Ledger competition signals industry collaboration, potentially boosting trust in hardware wallets.
  • Immutable chip flaw shifts investor focus to wallet architecture over individual components, favoring holistic security evaluation.

Trezor and its chip partner Tropic Square have publicly disclosed a vulnerability in the TROPIC01 Secure Element chip, which is used in the Trezor Safe 7 hardware wallet. The flaw was discovered by Ledger Donjon, the white-hat research team of competitor Ledger, during an independent audit of the chip. Despite the finding, both companies emphasize that user funds on the Trezor Safe 7 remain completely secure.

The vulnerability was identified using laser fault injection techniques in a lab environment, which allowed researchers to extract some chip secrets and bypass firmware signature checks. However, Trezor notes that the Safe 7 wallet is built with three independent security layers: the TROPIC01 chip, an OPTIGA Trust M, and an STM32U5 microcontroller. These layers collectively protect PIN verification, device authenticity, and wallet creation. A compromise of the TROPIC01 alone does not grant access to a user’s PIN, wallet, or funds.

Tropic Square gave the chip to Ledger Donjon for testing, and the team reported the issue in January 2026. Tropic Square later found a secondary method to exploit the weakness, potentially exposing another secret tied to PIN-related chip functions. Because the flaw resides at the hardware level, it cannot be fixed via a firmware update. Nevertheless, Trezor and Tropic Square opted for full public disclosure after reviewing the findings.

Trezor CEO Matěj Žák stated, “Because the Trezor Safe 7 was built with multiple independent security layers, a vulnerability in TROPIC01 does not put user funds at risk.” The company says no action is needed and advises users to continue buying devices from official channels, keeping firmware updated, and safeguarding recovery phrases offline.
