Security Advisory: Critical Vulnerability in Coldcard Hardware Wallets
Date: September 29, 2025 · Author: Karma-X Security Research Team
Severity: Critical · Status: Under Responsible Disclosure · Affected Systems: All Coldcard Devices (current firmware versions)
Reference: Coldcard Firmware Repository · Official Coldcard Website
Executive Summary
Coldcard is a widely trusted hardware wallet designed to secure Bitcoin private keys. During our independent review of the firmware source code, we discovered a flaw that has serious implications for the security of stored assets. Out of respect for the responsible disclosure process, the technical attack path is being kept confidential until a fix is available.
Importantly, this advisory does not mean Coldcard is unsafe to use if handled carefully. Instead, it highlights the importance of strict operational security when using hardware wallets. Until a firmware update is released, users should take immediate steps to reduce exposure.
Potential Risks
Based on our assessment, exploitation of this vulnerability could lead to:
- Loss of Funds if an attacker gains physical or indirect access to the device
- Exposure of Sensitive Keys in certain usage scenarios
- Degraded Trust in device security if best practices are not strictly followed
We emphasize that this is a preventable risk if users follow the operational best practices outlined below.
Best Practices for Coldcard Users
Immediate Recommendations
- Use Coldcard in Isolation: Keep the device air-gapped. Avoid USB connections to untrusted computers.
- Rely on MicroSD Workflows: When possible, transfer PSBTs (Partially Signed Bitcoin Transactions) via MicroSD cards rather than USB.
- Physical Security: Store Coldcard devices in a safe, tamper-evident location.
- Verify Addresses Independently: Always confirm receiving addresses on the device screen before sending funds.
- Avoid Travel: Avoid traveling with a configured Coldcard until a patch is released and safeguards can be effectively implemented.
Long-Term Recommendations
- Firmware Updates: Apply the forthcoming vendor patch as soon as it becomes available.
- Redundancy: Use multisig setups where possible to reduce single-device risk.
- Monitoring: Track official Coldcard security advisories and updates.
- Operational Discipline: Treat your hardware wallet as part of a broader security model, not a silver bullet.
Responsible Disclosure Timeline
Date | Milestone | Status |
---|---|---|
September 2025 | Vulnerability discovered during firmware review | ✅ Completed |
September 2025 | Initial report submitted to vendor | ✅ In Progress |
TBD | Vendor acknowledgment, patch release, and full technical disclosure | ⏳ Pending |