Trezor disclosed a security flaw in the TROPIC01 chip used in its new Safe 7 hardware wallet after Ledger's Donjon security research team successfully pulled off a laboratory attack against the silicon. The chip itself is built by Tropic Square, a Trezor sister company, and the findings were published Wednesday in an emailed announcement. Tropic Square later identified a related weakness that could expose additional information stored on the chip.
The reassuring detail for users: the vulnerability sits inside one layer of a multi-layer security stack, and Trezor said it does not give attackers access to private keys, wallet backups or on-device crypto holdings. The Safe 7 was designed so that no single chip compromise is sufficient to drain funds — a structural choice the disclosure is now stress-testing in public.
Why it matters
The disclosure lands as a rare instance of two rival hardware wallet makers — Trezor and Ledger — cooperating on a vulnerability rather than weaponising it as marketing. Ledger's Donjon team, which is best known for finding flaws in competing devices, used specialised lab equipment to bypass some of TROPIC01's protections, and Trezor published the result with full technical detail.
That posture matters more than the chip itself. Hardware-wallet buyers have long treated the brand rivalry as a proxy for security: every public flaw is read as a recommendation to switch. By disclosing promptly and crediting the rival researcher, Trezor is arguing the opposite — that the audit pipeline, not the marketing claim, is what keeps user funds safe.
Market impact
The exploit window is narrow in practice: an attacker would need physical possession of a Safe 7, expensive laboratory equipment, and advanced technical expertise, with no evidence the flaw has been used against any real device. For most users, that places the risk in the same category as a supply-chain intercept at customs — real on paper, vanishingly rare in the field.
What to watch next is Tropic Square's mitigation path. If a firmware or silicon revision lands quickly and the disclosure remains the only public record, the Safe 7's reputation absorbs the news cleanly.
Frequently asked questions
-
Is the Trezor Safe 7 flaw putting user crypto at risk right now?
Trezor says no. The vulnerability lives on the TROPIC01 security chip, but the Safe 7 relies on multiple security layers, and the company said attackers would still need physical access, specialised lab equipment and advanced expertise to exploit it.
-
What exactly is the TROPIC01 chip and who builds it?
TROPIC01 is a security chip developed by Tropic Square, a sister company of Trezor. It is used inside the new Safe 7 hardware wallet and is the silicon layer that Ledger's Donjon team targeted in their laboratory attack.
-
How did Ledger's Donjon team find the vulnerability?
Ledger's Donjon security research team used specialised laboratory equipment to bypass some of TROPIC01's protections during an independent audit. Trezor credited the rival researcher's findings and published the disclosure in full on Wednesday.
-
Has the Safe 7 flaw been exploited against real users?
Trezor said there is no evidence the vulnerability has been exploited in the real world. The disclosure describes only a controlled laboratory attack, and no compromised devices have been reported.
-
What happens next for the Trezor Safe 7 after this disclosure?
Tropic Square is expected to address the flaw, and the watch item is whether a firmware or silicon revision lands quickly enough to keep the disclosure a one-off. If the related weakness expands into a broader class of side-channel issues, the bigger question becomes how Trezor segments chip responsibilities in its…
CoinDesk