Back to security portal
Ethereum's SLIP-24 payment-request branch in production firmware signs attacker calldata under cover of verified-swap UI
Reported on May 16, 2026
A safeguard meant to prevent extra calldata from being attached to a SLIP-24 verified-swap transaction was not active in production firmware. This could allow a malicious host to inject attacker-controlled calldata while the device displayed a normal verified-swap confirmation, resulting in a bypass of user transaction confirmation.
Resolved vulnerabilities
Reported by community. Investigated. Resolved. Because your security is never optional.
- Unauthenticated Remote DoS via xpub Change-Index AmplificationMay 19, 2026
- Unauthenticated Remote Memory Exhaustion via Unbounded Timestamp ArrayMay 19, 2026
- Cross-Origin Popup Takeover in Trezor Connect popupMay 3, 2026
- Solana ALT recipient confirmation mismatchApril 6, 2026
- Solana account type misclassificationApril 6, 2026
- Reflected cross-site scripting (XSS) vulnerability on connect.trezor.io via hash fragment script injectionMarch 25, 2026