On March 5, 2025, Trezor, a leading hardware wallet provider, publicly disclosed a security vulnerability in its Safe 3 wallets. The issue, initially flagged by security researchers at Ledger Donjon, relates to the wallet’s microcontroller, which is susceptible to voltage glitching attacks. This type of exploit could potentially allow attackers to extract private keys or manipulate transaction data if they gain physical access to the device.
Trezor clarified that the vulnerability is largely “theoretical” and would likely only affect users who purchased their device from unofficial third-party sources, where the risk of tampering is higher. The company has also assured users that newer models, such as the Safe 5, have upgraded security measures to mitigate such threats.
Ledger Donjon’s Security Report Triggers Industry-Wide Scrutiny
Ledger Donjon, the security research arm of Trezor’s main competitor, Ledger, released a detailed report explaining how the vulnerability could be exploited. According to their findings, the attack involves a process called voltage glitching, where precise electrical manipulations on the wallet’s microcontroller could bypass security measures and allow unauthorized access to stored cryptographic data.
“Our Ledger Donjon security research revealed that if a Trezor Safe3 device was stolen, an attacker could theoretically tamper with the device and modify the software running on it, endangering its user’s funds, even if this device uses a Secure Element,” Charles Guillemet, CTO at Ledger, said.
This exploit builds upon previously known physical supply chain attacks, reinforcing the need for strict custody and security measures when handling hardware wallets. Ledger’s researchers demonstrated that Trezor’s Safe 3 model, which launched in 2023, remains susceptible to these techniques, despite security enhancements in newer models.
Trezor’s Response and Security Enhancements
Following the disclosure, Trezor swiftly released a statement outlining its security protocols and recommending precautionary measures. The company emphasized that while the Safe 3 model does have a vulnerability, the attack is complex and requires specialized equipment and physical access to the device, making it impractical for most attackers.
To counter potential threats, Trezor said it had also reinforced its firmware integrity checks, and it urged users to be security-conscious.
Furthermore, Trezor stressed the importance of purchasing hardware wallets directly from official sources to avoid supply chain manipulation. Devices bought through unauthorized third-party sellers could be tampered with before reaching the end user, increasing security risks.
The Bigger Picture: Hardware Wallet Security in Focus
The revelation of the Safe 3 vulnerability highlights broader security concerns within the crypto hardware wallet industry. While cold storage solutions are often considered the safest way to store digital assets, they are not immune to physical exploits.
This incident follows other high-profile security disclosures, such as the “Dark Skippy” attack in 2024, which demonstrated how malicious firmware could extract a user’s complete seed phrase. Additionally, the recent $1.5 billion Bybit exchange hack, attributed to North Korean cybercriminals, highlights the increasing sophistication of threats targeting the crypto sector.
As cryptocurrency adoption grows, security researchers continue to stress the need for multi-layered protection strategies, including strong PINs, passphrases, and frequent firmware updates. With advancements in security technology, companies like Trezor and Ledger remain in a constant race to outpace cybercriminals seeking to exploit potential vulnerabilities.
Quick Facts:
- Trezor disclosed a security flaw in its Safe 3 wallets that leaves them vulnerable to voltage glitching attacks.
- Ledger Donjon’s researchers identified the vulnerability, demonstrating how attackers could manipulate the microcontroller to extract sensitive data.
- Trezor has released security recommendations urging users to purchase wallets only from official sources to avoid tampering.