Charles Guillemet@P3b7_
💥One Check, One Laser, Every Card: The Tangem Immutability Trap.
The @DonjonLedger just published research worth stating plainly.
With a single laser pulse the Ledger Donjon team faults one conditional check in the firmware of a Tangem card and resets the password to a value of its choosing. No existing password, backup card, or recovery feature needed. Once reset, the attacker is able to sign anything and can potentially drain the user’s wallet.
To be precise about the threat model: this attack requires physical possession of the card, invasive chip opening, lab-grade fault-injection equipment, our own setup costs roughly $250,000, and genuine technical expertise. That puts it well beyond the reach of an opportunistic thief, but comfortably within the capabilities of a serious lab. Both things can be true at the same time.
Why one laser pulse is enough: the recovery path rests on a single check, "is this card in recovery state?", with no redundancy and no penalty on repeated SetPin attempts. The chip's countermeasures are formidable, but they do not save the one bit the firmware chose to trust.
Alt: Why one pulse is enough: the recovery path depends on a single yes/no check, “is this card in recovery state?”, and a pulse is simply a precisely timed electrical disturbance designed to make the chip misread that decision at the critical moment. Because there is no redundant check and no penalty for repeated SetPin attempts, one successful disturbance is enough. The chip’s countermeasures are formidable, but they cannot protect the one bit the firmware chose to trust.
The uncomfortable part: it cannot be patched. Tangem cards have no firmware update mechanism. The vulnerability was disclosed on February 10th, 2026. There is no fix coming, because there is no channel to deliver one.
Tangem presents immutable firmware as a security feature. Call it what it is: a trade-off. "We cannot change the firmware" is a strong story right up until the firmware is wrong. Then the same property that protected you guarantees you can never be protected again. This research did not create that reality. It made it visible.
What a user can do, since there is no patch: this attack requires physical possession of the card and invasive lab work, so it cannot be done covertly. The practical risk is a lost or stolen card in the hands of a capable attacker. If the card stays in your possession, there is no reason to assume compromise. If you have doubt, or if your threat model requires a higher level of assurance, treat the funds as compromised and move them to a new secure set up.
This was published in line with Ledger Donjon’s responsible disclosure process. When a vulnerability cannot be patched, the next responsibility is to inform users clearly and widely, so they can make their own informed decisions, especially here where the vulnerability can not be exploited remotely.
The bigger lesson is not about one product. Security is never static, and systems should be designed with human error and future failure in mind. You should not have to blindly trust that yesterday’s assumptions still hold. You should be able to verify, adapt, and recover when they do not. Design for the day you are wrong, because eventually, you will be.
Full write-up from Baptistin Boilot, Ledger Donjon.
Stay safe. Stay honest about your trust assumptions.
donjon.ledger.com/blog/bypassing…