- Hardware wallet maker Ledger has helped fix a security vulnerability on Trezor
- The security flaw opened Trezor’s Safe 3 wallet model to “more advanced attacks”
- Ledger hailed Trezor for frequently updating its security
Hardware wallet maker Ledger has helped its competitor, Trezor, fix a security vulnerability in its Safe 3 wallet model. Ledger discovered that the vulnerability allowed threat actors to conduct “advanced attacks” because the wallet supported cryptographic operations on its microcontroller. Ledger noted that helping Trezor is part of its mission to make the wallet ecosystem secure for everyone and to drive the “broader adoption of crypto and digital assets,” setting the rivalry aside to improve the security of crypto wallets and, consequently, reduce the amount of funds lost to hacks.
Trezor “Vulnerable to Voltage Glitching”
According to Ledger’s security research team Ledger Donjon, the microcontroller used in Safe 3 is “vulnerable to voltage glitching, enabling read and write access to its flash contents.”
At @Ledger, you might know that we have the @DonjonLedger, our dedicated team constantly conducting open security research.
We recently worked with Trezor, revealing that their Trezor Safe 3 was susceptible to physical supply chain attacks. Here’s a thread on our findings:🧵 pic.twitter.com/CORDOQWRYg
— Charles Guillemet (@P3b7_) March 12, 2025
Ledger Donjon said that the weakness can be exploited to attack the wallet. It also discovered some loopholes in how Trezor supports communication between the microcontroller and other security controllers.
The researchers said it’s “very hard” for attackers to use the second vulnerability to attack the wallet because “the attack is implemented purely in software.” Ledger’s CTO Charles Guillemet revealed that Trezor responded to the disclosure and “addressed the vulnerability.”
We appreciate Trezor’s responsiveness to this responsible security disclosure, and that Trezor addressed the vulnerabilities we found, showcasing the importance of continuous improvement and cooperation in the crypto space.
— Charles Guillemet (@P3b7_) March 12, 2025
Trezor Users “Need Not Take Any Action”
Trezor acknowledged Ledger Donjon’s discovery and assured its users that their funds were safe and that they “need not take any action.” Although the two wallet manufacturers didn’t disclose how the flaw was fixed, Trezor said it was “unfortunately not” through a firmware update.
Hi, your funds remain safe, and you need not take any action. Ledger Donjon reused a previously known attack to bypass some of our countermeasures against supply chain attacks in Trezor Safe 3. Nevertheless, users who purchase from official sources are fully secure🔒
— Trezor (@Trezor) March 12, 2025
Ledger has in the past experienced security weaknesses that led to the loss of user funds. In 2023, for example, hackers exploited the Ledger Connect Kit protocol and stole roughly $600,000. The hardware wallet maker attributed the loss to a feature allowing blind signing on dApps.
With Ledger investigating flaws in other hardware wallets, it remains to be seen whether it will help discover wallet vulnerabilities before they are exploited and reduce the amount of crypto lost to hackers.