Key Takeaways
Ledger researchers found a chip-level flaw, but Trezor says Safe 7’s layered security keeps user funds protected.
Exploiting the vulnerability requires physical device access, specialized lab equipment, and advanced expertise.
The disclosure reflects rare cooperation between Trezor, Tropic Square, and Ledger to publicly share security findings.
Safe 7 Security Issue Explained
Hardware wallet maker Trezor has disclosed a security flaw in a chip used in its Safe 7 device. The issue was discovered during an independent security audit by Ledger Donjon, the research team of rival hardware wallet company Ledger.

Despite the finding, Trezor says users do not need to take any action and that their digital assets remain safe.
The vulnerability affects the TROPIC01 Secure Element chip, which was developed by Tropic Square, a company linked to Trezor. During testing, Ledger researchers successfully carried out a laser fault injection attack against the chip in a laboratory.
The attack allowed them to bypass some of the chip's security protections and extract certain information stored inside it.
After reviewing Ledger's findings, Tropic Square discovered another way the same weakness could be used. This additional method could expose another secret connected to the chip's PIN-related functions. The company then informed its partners, including Trezor, and decided to publicly disclose the vulnerability.

TropicSquare published its findings — tropicsquare.com
However, Trezor stressed that the flaw affects only the TROPIC01 chip and not the entire Safe 7 wallet. The company explained that the wallet was designed with several independent security layers, meaning that breaking one layer is not enough to gain access to user funds.
"The vulnerability concerns only the TROPIC01 Secure Element chip, one of three physical, independent security layers," Trezor said in a blog post. "Compromising TROPIC01 alone is not enough to give access to the PIN, which is the final layer of protection for users' funds."
According to Trezor, the chip does not store users' private keys, wallet backups, or any digital assets. Those protections are spread across different parts of the device to prevent a single point of failure.
Trezor described the issue in an email to Bitcoin News. In it, the company’s CEO Matej Žák said, "The PIN, the wallet backup, and the keys to users' funds are never held on a single chip. That is by design."
The company also emphasized that the attack is extremely difficult to carry out. An attacker would need physical access to the wallet, specialized laboratory equipment, and advanced technical skills. The device would also need to be taken apart before the attack could even begin.
"There is no evidence of real-world exploitation," Trezor added, highlighting that Trezor Safe 7 "has never been hacked."
Because the flaw exists in the hardware itself, it cannot be fixed with a normal firmware update. Even so, Trezor said users do not need to worry because the wallet's layered security design continues to protect their assets.
TROPIC01 is a general-purpose secure element; it is not inherently a "Bitcoin key chip." Instead, it functions more like a secure vault, with the manufacturer deciding what data and functionality it contains. This vulnerability gives an attacker the ability to run custom firmware on the chip.
So far, the public statements have revealed little about the chip's internal design or how it interacts with the other components in the wallet.
With this flaw, an attacker could effectively gain administrator/root-level access to TROPIC01. This could allow them to manipulate certain functions, such as retry counters, or observe PIN verification operations.
However, Trezor assures its users that "compromising TROPIC01 alone is not enough to give access to the PIN." In other words, Trezor states that the device architecture is designed so that compromising TROPIC01 does not allow an attacker to reveal, recover, or bypass the device's main PIN.
Security experts say the threat is largely theoretical for most users. They believe the attack appears highly impractical outside of a specialized laboratory environment.
The disclosure also highlights an unusual collaboration between two major competitors in the hardware wallet industry. Ledger's researchers found the flaw, while Tropic Square and Trezor worked with them to investigate the issue and share the results publicly.
Trezor said it chose to disclose the vulnerability openly because transparency is an important part of its security philosophy. The company believes users should be informed about security findings, even when the risk is low.
"Trezor is publishing this disclosure proactively, not because anyone's funds are at risk, but because this is how open-source security should work," the company said in its statement. "Transparency is non-negotiable."





