Trezor Hardware Wallet Vulnerability Found by Ledger Security Team

Trezor's hardware wallet contains a vulnerability in its TROPIC01 Secure Element chip, an audit by Ledger's security arm has revealed. The company behind the popular cold-storage devices moved quickly to assure users that funds remain safe despite the flaw.

The flaw in the Secure Element

The vulnerability was uncovered by Ledger Donjon, the internal security research team of Trezor's rival Ledger. It affects the TROPIC01 chip, a dedicated secure processor designed to protect private keys and sensitive operations. The audit did not specify whether the vulnerability could be exploited remotely or required physical access, but Trezor has acknowledged the finding.

Secure elements are a standard component in hardware wallets, meant to provide an extra layer of protection against tampering and side-channel attacks. A weakness in this component could theoretically allow an attacker to extract keys or bypass security checks. Trezor has not released details on the exact nature of the flaw, referring instead to the ongoing audit process.

Trezor's response

In a statement following the disclosure, Trezor said user funds are 'safe.' The company did not announce a recall, a firmware patch, or any immediate action for customers. The assurance suggests that the vulnerability does not expose active wallets to theft under normal conditions, or that the attack requires conditions that are difficult to meet in practice.

Trezor's approach to security often relies on transparency—the company publishes open-source firmware and has invited third-party audits in the past. But the silence on a fix leaves some questions open. Other hardware wallet makers typically deploy an update soon after a vulnerability is reported, even if the risk is low.

Ledger Donjon’s role

Ledger Donjon has a track record of finding flaws in competing products. The team previously disclosed weaknesses in Trezor's earlier models, including the One and Model T. This latest finding extends that pattern. Ledger and Trezor compete for the same market of cryptocurrency users who want cold storage, so the audit carries an edge of rivalry. Still, the disclosure itself follows industry norms: researchers share findings with the vendor before going public, giving time for a fix.

It is not clear when the audit began or how long Trezor had to respond before the news broke. The absence of a patch at the time of disclosure may indicate the vulnerability is considered low severity, or that a hardware revision is required rather than a simple software update.

What users should know

For now, Trezor's message is straightforward: do nothing. The company maintains that funds are not at risk. Users who are worried can take basic precautions—using a strong passphrase, keeping firmware up to date, and buying devices only from official channels. But Trezor has not issued a specific warning or change in guidance.

The episode underscores the ongoing cat-and-mouse game in hardware security. Wallets that were once considered impenetrable are periodically tested by white-hat researchers, and the manufacturers respond accordingly. The real test will come if a future vulnerability proves more serious than this one.