Tangem — Institutional Custody Risk Rating

LISR assessment produced by the Linkmerica Research Team. Informational only — not financial advice.

At a Glance

HIGH RISK
LISR Score
6.8
out of 10.0
Risk Tier
HIGH
lower score = lower risk
Framework
LISR v1.0
versioned + locked
Period
2026-07
Confidence: MODERATE
0.0 — LOW RISK 10.0 — CRITICAL RISK

Official Product Page (External)

Affiliate disclosure: Linkmerica may earn a commission on purchases through this link at no additional cost to you. This does not influence LISR scores or risk tiers.

Key Risk Flags

  • Unpatchable hardware vulnerability — no firmware update mechanism exists to remediate the flaw
  • Laser fault-injection attack disclosed July 10, 2026 by Ledger Donjon, bypasses password protection via physical access
  • Vulnerability persists even when the user has disabled password recovery
  • Password reset via the exploit grants an attacker full authority to drain funds
  • Every card in circulation and every future card under the current hardware design carries the flaw permanently

Category Breakdown

Score range 0.0–10.0. Lower score = lower risk in that category.

Category Score Assessment
Security Architecture 6.9 / 10.0
EAL6+-certified Samsung S3D232A secure element ordinarily represents strong hardware foundation, but the architectural decision to ship with no firmware update mechanism creates pe...
Firmware Integrity 8.2 / 10.0
Ledger Donjon's July 10, 2026 disclosure demonstrates a single nanosecond laser pulse can fault a critical password-reset conditional check, bypassing user-disabled recovery settin...
Supply Chain Risk 5.1 / 10.0
No new supply chain compromise evidence; Tangem's manufacturing and component sourcing remain non-controversial. The laser attack requires legitimate hardware in attacker hands, no...
Key Management 6.7 / 10.0
Tangem's standard backup card model and optional seed phrase export provide reasonable redundancy for fund recovery. However, the disclosed vulnerability directly undermines key cu...
Operational Security 7.7 / 10.0
Exploitation requires ~$250,000 in specialized laser fault-injection lab equipment, physical possession of the card, and deep hardware security expertise (~2 hours per successful a...
Recovery Risk 6.2 / 10.0
The vulnerability directly weaponizes the password-reset/recovery mechanism: an attacker resets authentication to attacker-controlled credentials, effectively locking out the legit...

Category breakdown reflects several structural risk properties assessed under the LISR framework. Weights and methodology are proprietary.

Analyst Notes

This rescore reflects the first LISR reassessment driven by disclosure of a confirmed, unpatchable hardware vulnerability in a widely deployed custody solution. On July 10, 2026, Ledger Donjon published a laser fault-injection attack against Tangem's Samsung S3D232A secure element, demonstrating that a single nanosecond laser pulse can bypass password protections and enable full fund drainage, even when recovery features are user-disabled. Tangem's architectural decision to ship cards with immutable firmware—intended as a supply-chain security feature—now ensures this vulnerability is permanent across all units, with no remediation path for current or future inventory. The $250,000 equipment cost and requirement for physical possession meaningfully constrain the threat surface; this is not a retail-scale or remote attack vector. However, institutional risk assessment must account for severity, permanence, and exposure to well-resourced adversaries (state actors, sophisticated criminal organizations) conducting targeted operations against high-value holders. Tangem's public response acknowledged the technical findings while disputing practical significance for 'everyday users,' but offered no remediation roadmap. For institutional custody due diligence, this combination of confirmed exploit plus structural inability to patch justifies elevation to HIGH tier.

Produced by: The Linkmerica Research Team  ·  LISR v1.0  ·  Period: 2026-07 (rescored)  ·  Node: LM-NODE-01

Quantum Resistance Assessment

QRR CRITICAL
LISR QRR v1.0 · Scored June 28, 2026 · Federal reference: EO 14412 / 14413
QRR Score
9.1
/ 10.0
Risk Tier
CRITICAL
higher = higher risk
Federal Deadline
2030–2031
EO 14412 mandate
0.0 LOW RISK 10.0 CRITICAL
QRR CategoryScoreRisk Bar
Post Quantum Algorithm Support 9.5
Migration Roadmap 9.5
Firmware Upgrade Path 9.5
Key Migration Tooling 7.5
Regulatory Alignment 9.5
Analyst Note: Tangem's NFC card architecture creates highest quantum vulnerability risk due to apparent lack of firmware update capability. Users likely face mandatory hardware replacement for PQC transition. BIP-39 recovery enables migration but requires new card purchase. Form factor innovation comes at cost of cryptographic agility.
Based on publicly available information as of June 2026. EO 14412 mandates federal PQC migration by December 31, 2030. Linkmerica published independent quantum custody risk research on June 15, 2026 — one week before federal policy validated the same thesis.
Read the full Quantum Readiness Gap brief →

LISR Framework — Score Tiers

Score Range Risk Tier Institutional Guidance
0.0 – 3.5 LOW Suitable for institutional consideration with standard diligence
3.6 – 6.0 MODERATE Requires additional controls or policy mitigations
6.1 – 8.0 HIGH Significant risk factors — limited institutional suitability
8.1 – 10.0 CRITICAL Not recommended for institutional custody use

What This Rating Covers

  • Security architecture and cryptographic implementation
  • Firmware integrity, transparency, and update controls
  • Supply chain provenance and anti-tamper mechanisms
  • Key management, entropy quality, and recovery standardisation
  • Operational security controls and physical attack resistance

Limitations

  • Product security posture can change with firmware or hardware updates.
  • User operational security dominates many real-world loss outcomes.
  • Internal scoring weights and evidence methodology are proprietary.
  • This is not financial advice and Linkmerica does not provide custody services.
  • Scores reflect publicly observable factors at time of review.

FAQ

What does the Linkmerica Tangem LISR rating represent?

A deterministic, versioned institutional custody risk assessment. Lower scores indicate lower risk. The rating is informational and not a guarantee of safety.

Does a lower LISR score mean funds cannot be lost?

No. Loss can still occur due to phishing, compromised recovery material, user procedural failures, device tampering, or software issues.

Does Linkmerica provide custody services or financial advice?

No. Linkmerica does not provide custody services and does not provide financial advice.

How often can the LISR rating change?

Ratings are versioned and locked at publication. New versions are issued following material firmware updates, security incidents, or scheduled review periods.

Are internal weights or scoring math disclosed?

Category weights are disclosed above. Internal scoring math and evidence weighting are proprietary to the Linkmerica Research Team.

Back to homepage

Quantum Resistance Assessment

Independent quantum readiness evaluation under the LISR QRR framework. Linkmerica published quantum custody risk research on June 15, 2026 — one week before federal policy validated the same thesis.

Quantum Resistance Readiness

QRR CRITICAL
LISR Quantum Resistance Readiness · v1.0 · Scored June 28, 2026 · Framework June 23, 2026
QRR Score
9.1
/ 10.0
Risk Tier
CRITICAL
higher = higher risk
EO Reference
EO 14412 / 14413
Federal deadline 2030–2031
0.0 LOW 10.0 CRITICAL
CategoryScoreRisk Bar
Post Quantum Algorithm Support 9.5
Migration Roadmap 9.5
Firmware Upgrade Path 9.5
Key Migration Tooling 7.5
Regulatory Alignment 9.5
Analyst Note: Tangem's NFC card architecture creates highest quantum vulnerability risk due to apparent lack of firmware update capability. Users likely face mandatory hardware replacement for PQC transition. BIP-39 recovery enables migration but requires new card purchase. Form factor innovation comes at cost of cryptographic agility.
Quantum readiness assessments are based on publicly available information as of June 2026. Federal compliance reference: EO 14412 mandates PQC migration by December 31, 2030.