
Trezor disclosed a flaw in the TROPIC01 chip used in Safe 7, found by Ledger's Donjon team. Multi-layer security protects keys from physical attacks; no user action needed.
Hardware wallet maker Trezor disclosed a security flaw in the TROPIC01 chip used in its new Safe 7 device. The vulnerability was uncovered during an independent audit by Ledger's security research team Donjon, according to an emailed announcement Wednesday.
Donjon used specialized laboratory equipment to bypass some of the chip's protections. Tropic Square, a sister company to Trezor that developed the TROPIC01 chip, later identified a related weakness that could expose additional stored information. Trezor stated that the vulnerability does not give attackers access to users' crypto holdings, private keys or wallet backups. The Safe 7 relies on multiple layers of security rather than a single chip.
An attacker would need physical possession of a device, expensive lab equipment and advanced technical expertise to attempt the attack. Trezor said there is no evidence the flaw has been exploited in the real world. No user action or firmware update is required.
The disclosure stems from a collaboration between two of the hardware wallet industry's biggest competitors. Trezor said Ledger's findings helped identify the vulnerability. The two companies worked together on the disclosure process. “I believe the open process by which this vulnerability was found, examined, and disclosed is the model the industry should hold itself to,” Matej Žák, CEO of Trezor, said in the announcement.
This is a rare instance of a direct rival contributing to a security fix. Ledger's Donjon team, known for deep hardware reverse-engineering, could have kept the finding private. Instead, they reported it and coordinated the public disclosure. The event signals that the hardware wallet industry is moving toward shared security standards rather than relying on obscurity.
The TROPIC01 flaw and its disclosure by a rival's team underscore a broader shift in the hardware wallet sector. Security audits are no longer just internal QA exercises. They are becoming a visible part of product differentiation, especially as Ledger and Trezor compete for the same security-conscious users.
Tropic Square, the chip designer, now faces closer scrutiny. Any similar chips in development may undergo more rigorous third-party testing before inclusion in future wallets. Other hardware wallet makers that use third-party security chips – such as those from STMicroelectronics or NXP – may now feel pressure to commission their own Donjon-level audits.
For the broader crypto market, this episode reinforces the importance of open disclosure. A flaw that could have been buried or patched silently was instead published with a clear risk assessment. That raises the bar for every other hardware wallet vendor. Users and institutions can now expect a higher standard of transparency when evaluating Bitcoin storage solutions and other cold-storage devices. The incident also strengthens the case for multi-layer security architectures in hardware wallets, a key factor for high-value holders and custodians.
Trezor has stated that no firmware update or user action is needed for the Safe 7. The next concrete marker will be any evidence of real-world exploitation – none exists so far – or further disclosures from Tropic Square about the TROPIC01's design limitations. Ledger's Donjon team may also publish a detailed technical breakdown, which could prompt other hardware makers to re-examine their own supply-chain security. For now, the incident is a net positive for the industry: a vulnerability found, disclosed responsibly, and contained by design.