A hardware-level vulnerability has been found in a security chip used in crypto hardware wallet maker Trezor's latest product, Trezor Safe 7. The company said users' funds and private keys are not affected and that the practical difficulty of an attack is very high.

Crypto news outlet Cryptopolitan reported on June 3 that the vulnerability was confirmed during an independent security audit carried out by Donjon, the security research organisation of rival Ledger.

The component in question is TROPIC01, a secure element chip developed by Trezor's sister company Tropic Square. The chip has drawn attention as the first open-source secure element chip to 공개 both its hardware design and firmware source code.

Researchers physically opened the chip package and carried out a laser fault injection attack that disrupts internal circuit operation using an infrared laser. They confirmed the possibility of bypassing the chip's signature verification process to run unauthorised code.

Tropic Square provided commercial chip samples to the Donjon research team for evaluation, and the researchers reported the vulnerability in late January this year. The company's engineers were later reported to have identified an additional attack path linked to the flaw that could extract an extra secret value related to the PIN protection feature.

Trezor stressed that the vulnerability is very unlikely to lead to a leakage of user assets. It said Trezor Safe 7 applies a total of 3 independent layers of physical security, and the affected TROPIC01 chip is one of them. It added that private keys and wallet backup information are not stored on the chip.

The issue is that the vulnerability occurred at the hardware level rather than in software. Products already sold cannot have the flaw removed through firmware updates alone. Tropic Square has started producing a new chip reflecting the fix.

The security industry has said the likelihood of real-world exploitation is limited. An attacker would first need to obtain the target device, then dismantle it and go through a sophisticated process to expose the back of the chip. It would also require expensive laser fault injection equipment and specialised semiconductor analysis skills.

Dedi Raviv (데디 라비드), chief executive officer of blockchain security firm Cyvers, said, "The fact that a chip can be attacked in a laboratory environment alone should not be used to judge the practical security of a hardware wallet." He said, "For most users, phishing attacks, seed phrase theft and blind signing are much more realistic and dangerous threats."

The industry is assessing the case as showing that hardware wallet security is determined by overall system design and layered defences rather than the safety of a single chip. It is expected that the launch of Tropic Square's improved chip and Trezor's follow-up response will be key variables in maintaining user trust.