The hardware cryptocurrency wallet manufacturer Trezor has addressed a vulnerability in its Safe 3 and Safe 5 models. The issue was identified by the research team of its competitor, Ledger, as reported by the company’s CFO, Charles Guillemet.
At @Ledger, you might know that we have the @DonjonLedger, our dedicated team constantly conducting open security research.
We recently worked with Trezor, revealing that their Trezor Safe 3 was susceptible to physical supply chain attacks. Here’s a thread on our findings:? pic.twitter.com/CORDOQWRYg
— Charles Guillemet (@P3b7_) March 12, 2025
A Trezor representative clarified to ForkLog that the vulnerability affected only the Safe 3. According to them, the Safe 5 uses a different chip with a higher security level.
Trezor noted that Ledger Donjon researchers were unable to extract private keys or PIN codes from the tested device. According to the representative, users’ funds remain protected if the wallet is purchased through official channels.
“As for future devices, we are constantly improving our products, and enhanced security measures, including the more robust chip used in the Safe 5, will be integrated into new models,” the manufacturer emphasized.
The issue concerned the wallet microcontroller, which allowed for cryptographic operations. This could have made the Safe 3 and Safe 5 “vulnerable to more sophisticated attacks,” noted Guillemet.
Trezor has already implemented Secure Elements chips designed to protect the user’s PIN and cryptographic data. Ledger noted that the feature “effectively prevents any low-cost hardware attacks, particularly voltage glitches.”
“[This] gives users confidence that their funds are safe, even if their device is lost or stolen,” the research team emphasized.
However, Ledger discovered another potential attack vector related to the microcontroller of another main part of the dual-chip design for the Safe 3 and 5 models.
Although Trezor has a firmware integrity check, Ledger engineers managed to bypass this protection. The manufacturer later fixed the vulnerability.
Company representatives assured that users’ funds remained safe, and no action is required from clients.
Hi, your funds remain safe, and you need not take any action. Ledger Donjon reused a previously known attack to bypass some of our countermeasures against supply chain attacks in Trezor Safe 3. Nevertheless, users who purchase from official sources are fully secure?
— Trezor (@Trezor) March 12, 2025
However, when asked if Trezor managed to fix the issue with firmware, the hardware wallet provider responded negatively.
Hi, unfortunately not. In cybersecurity, the golden rule is simple: nothing is fully unbreakable. That’s why we have already implemented a multi-layer defense against supply chain attacks and always advise our users to purchase from official sources.
— Trezor (@Trezor) March 12, 2025
“In cybersecurity, the golden rule is simple: nothing can be completely invulnerable,” the company commented.
The Trezor team reported the implementation of multi-layered protection against supply chain attacks and advised users to purchase devices only from official distributors.
Back in January 2024, the company’s developers reported a security incident with a third-party support provider, which led to a data leak of approximately 66,000 clients.
In December 2024, attackers posing as Ledger support sent out fake notifications about a service breach, prompting users to disclose seed phrases.