TL;DR:
Ledger Donjon researchers disclosed a vulnerability in Tangem hardware wallet cards that can let an attacker reset a card password through a laser fault injection attack. The finding is unsettling because the target is a physical card built around a certified secure element. According to the disclosure, the attack bypasses a recovery-state check in Tangem firmware running on an EAL6+ chip. The flaw turns physical custody into the central security boundary, making a lost or stolen card the scenario users now have to evaluate.
The technique is far from ordinary theft. Researchers said exploitation requires physical possession of the card, specialized laser fault-injection equipment, side-channel analysis tools and hardware security expertise. Their laboratory setup cost about $250,000. The preparation involves exposing the secure element, connecting the card to custom hardware and directing a nanosecond laser pulse at a specific chip area. Still, the finding carries weight because Ledger Donjon said the issue affects all Tangem cards in circulation and cannot be patched, since the cards lack a firmware update mechanism. The practical barrier is high, but the technical impact is broad.

The bypass allows the SetPin instruction to accept a new password without the existing password or backup card by skipping the check that confirms an authorized recovery state. Once the password is reset, an attacker can use the card to sign transactions and move funds associated with the wallet. Ledger Donjon said it reproduced the exploit on a second and third card, with each repetition requiring about two hours of preparation and exploitation time. The attack is not covert, because it is physical, invasive and cannot be performed while the card remains safely with its owner.
Tangem disputed the everyday significance of the disclosure, saying the risk to typical users is “virtually non-existent” because the attack needs expensive laboratory equipment, possession of the card and specialized knowledge. The company also noted that Ledger Donjon operates within Ledger, one of Tangem’s largest competitors, and argued that any secure element can eventually be reverse-engineered and exploited with enough time, funding and access. Ledger Donjon recommended multiple independent checks for sensitive operations, stronger state validation and protections for password changes even when recovery features are disabled. The debate leaves users with a serious message: self-custody still depends on not losing the card.