A group of cybersecurity experts from Donjon, working under Ledger, has discovered a serious vulnerability in the TROPIC01 chip used in Trezor Safe 7 hardware wallets. Despite the identified vulnerability, Trezor representatives assure that users’ funds remain completely secure.
This is reported by Business • Media
Nature of the Vulnerability in TROPIC01 Chip
TROPIC01 is a specialized secure microchip developed by Tropic Square for reliable storage of confidential data. Its distinguishing feature is open-source code. Donjon researchers employed the Laser Fault Injection (LFI) method to bypass the digital signature verification of the firmware based on the Ed25519 algorithm. Under normal conditions, the chip automatically verifies the signature before launching the software; however, Ledger specialists managed to circumvent this protection.
During the research, the chip’s casing was opened, and an infrared laser with a wavelength of 1064 nm was directed directly at the silicon crystal. This allowed them to disrupt the signature verification logic at the right moment, causing the chip to mistakenly accept the signature as valid. As a result, the researchers were able to send arbitrary code to the device, which the chip executed, including a simulated response to a request containing the word HACK. The method proved effective even with the sensors turned off or activated.
Despite this, the experts were unable to access sensitive information stored in the MAC-and-Destroy (MACANDD) hardware module. As noted by Ledger, the key security boundary lies in the structure of the silicon microchip rather than in the software.
Following the publication of the Donjon report, Tropic Square conducted its own research. The company’s specialists discovered a new attack vector that could potentially affect the confidentiality of data protected by MAC-and-Destroy. The manufacturer decided not to disclose technical details until an updated version of the chip is released.
“Further internal analysis conducted by Tropic Square showed that the actual security boundary for MAC-and-Destroy is not at the hardware level, revealing a potentially exploitable architectural vulnerability. Exploiting the MAC-and-Destroy vulnerability requires a deep understanding of the TROPIC01 architecture,” the company’s note states.
A detailed vulnerability report is expected to be published in spring 2027, and an updated secure version of TROPIC01 is set to be available for sale by the end of 2026.
Trezor’s Position and Industry Reactions
Trezor emphasized that executing such an attack is extremely complex and requires physical access to the device, specialized laboratory equipment, and deep technical knowledge. TROPIC01 is just one of three independent layers of protection in the Safe 7 wallet. Breaching only this layer does not grant access to either the backup or the user’s funds.
In addition to TROPIC01, Trezor Safe 7 implements two additional security layers — OPTIGA Trust M (V3) and the main microcontroller STM32U5, which, in tandem with other chips, is responsible for verifying the PIN code and the authenticity of the device.
The company added that all research was conducted directly on the chip, not on a fully functional device. Additionally, according to blockchain security specialists from Cyvers, users’ funds remain secure, and the attack itself is considered “too complex for practical implementation.”
“Tropic Square has released a patch and is transitioning to a new version of the chip that closes this path at the hardware level. So, no, this does not pose a practical threat to users. These are deep hardware research efforts that, thanks to open disclosure, make the next generation more reliable,” the company emphasized.
Trezor CEO Matej Zak urged the entire industry to adopt an open approach to discovering, studying, and disclosing vulnerabilities to enhance the overall security level of hardware cryptocurrency wallets.