https://www.coindesk.com/tech/2026/06/02/dnp-trezor-says-users-crypto-is-safe-after-ledger-researchers-uncover-chip-flaw

  • Trezor disclosed a security flaw in the TROPIC01 chip used in its Safe 7 hardware wallet after Ledger's Donjon security team identified a successful laboratory attack, but the company says the vulnerability does not put user funds at risk.
  • The flaw affects only one of the wallet's multiple security layers and would require physical access, specialized equipment and advanced expertise to exploit, with no evidence of real-world attacks or compromised devices.

An attacker would need physical possession of a device, expensive lab equipment and advanced technical expertise to attempt the attack. There is no evidence the flaw has been exploited in the real world, Trezor said.

No real details provided.

102 sats \ 1 reply \ @BITC0IN 3 Jun

another good reason to use a passphrase on top of your seed

reply
4 sats \ 0 replies \ @sime 3 Jun

this is the answer.

reply
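
Why the passphrase suggested above helps, as an added example that is not part of the thread or of any wallet's code: under BIP39 the passphrase is part of the PBKDF2 salt, so the mnemonic alone derives a different seed. The mnemonic, the candidate list and the helper names are constructed for illustration.

```python
import hashlib
import hmac
import unicodedata

# Constructed sample: the well-known all-"abandon" test phrase. Never use it for funds.
MNEMONIC = "abandon " * 11 + "about"

# Constructed list of low-entropy passphrases, used only to grade passphrase strength.
COMMON = ["", "password", "bitcoin", "123456"]


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase."""
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def wallet_exposed(mnemonic: str, real_passphrase: str, candidates) -> bool:
    """True if the mnemonic plus any candidate passphrase yields the real seed.

    Models the case where only the mnemonic has leaked: the passphrase is the
    remaining secret, so its strength decides whether the wallet is exposed.
    """
    real = bip39_seed(mnemonic, real_passphrase)
    return any(
        hmac.compare_digest(bip39_seed(mnemonic, c), real) for c in candidates
    )


if __name__ == "__main__":
    # No passphrase: the mnemonic alone is the wallet.
    print("no passphrase    ->", wallet_exposed(MNEMONIC, "", COMMON))
    # Weak passphrase: adds almost nothing.
    print("weak passphrase  ->", wallet_exposed(MNEMONIC, "bitcoin", COMMON))
    # Long random passphrase: the mnemonic derives an unrelated seed.
    print("strong passphrase->",
          wallet_exposed(MNEMONIC, "correct horse battery staple 7#", COMMON))
```

The protection is only as strong as the passphrase itself, and a forgotten passphrase makes the funds unrecoverable.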

I guess the TLDR is: don't carry a loaded Trezor cross-border, which you shouldn't do in any case, because rubber hose. Also, don't keep a loaded Trezor at home or on your person, in case you get raided / arrested. (i.e. nothing changes)

So maybe the real TLDR is: if you have a Trezor, do not say "come and take it", cuz they'll reply "OK, sucker!"

reply
4 sats \ 0 replies \ @Fenix 21h

Paper is safer

reply

The core architectural difference at play is the use of a Secure Element (SE) vs. General Purpose MCUs:

  1. Ledger uses a Secure Element (ST33 chip) which runs a closed-source operating system (BOLOS) because the chip manufacturer (STMicroelectronics) requires NDA agreements that prevent open-sourcing the design and low-level code.
  2. Trezor historically rejected Secure Elements to maintain a 100% open-source stack (firmware, bootloader, hardware design), running on a general-purpose MCU (STM32). The drawback is that physical access allows chip-glitching attacks (e.g. Kraken Security Labs extracting the seed). To mitigate this in Trezor Safe 3, they introduced a secure element (OPTIGA Trust M), but they use it purely as a cryptographic co-processor to lock the PIN, keeping the main firmware open-source.

An audit exposing a Ledger flaw is a massive reminder: Closed-source firmware means 'Don't verify, trust us.' In contrast, Trezor's open-source architecture means anyone can verify the code, compile it deterministically, and audit it themselves. In security, obscurity is not safety.