
The French company Ledger has aided its competitor Trezor in addressing a critical vulnerability discovered in Trezor’s Safe 3 hardware wallets. The Ledger team identified a supply chain attack risk: a malicious actor could potentially alter the wallet’s firmware before it reached the end user, jeopardizing the security of stored funds.
Ledger Donjon, the company’s security research division, uncovered a weakness in the dual-chip architecture used in Trezor Safe 3 and Safe 5. These devices incorporate both a secure element and a microcontroller; however, cryptographic operations are executed on the microcontroller, introducing additional security risks. If an attacker were to compromise the firmware, they could potentially gain remote access to a user’s funds.
At @Ledger, you might know that we have the @DonjonLedger, our dedicated team constantly conducting open security research.
We recently worked with Trezor, revealing that their Trezor Safe 3 was susceptible to physical supply chain attacks. Here's a thread on our findings:🧵
— Charles Guillemet (@P3b7_) March 12, 2025
Ledger Donjon researchers were able to bypass Trezor’s built-in security mechanisms. Upon being notified of the issue, Trezor promptly implemented security patches, further strengthening the protection of its devices.
Trezor has reassured its users that their funds remain secure, emphasizing that wallet owners do not need to take any action, provided they purchased their devices from official distributors.