Tangem — Institutional Custody Risk Rating
LISR assessment produced by the Linkmerica Research Team. Informational only — not financial advice.
At a Glance
HIGH RISKOfficial Product Page (External)
Affiliate disclosure: Linkmerica may earn a commission on purchases through this link at no additional cost to you. This does not influence LISR scores or risk tiers.
Key Risk Flags
- Unpatchable hardware vulnerability — no firmware update mechanism exists to remediate the flaw
- Laser fault-injection attack disclosed July 10, 2026 by Ledger Donjon, bypasses password protection via physical access
- Vulnerability persists even when the user has disabled password recovery
- Password reset via the exploit grants an attacker full authority to drain funds
- Every card in circulation and every future card under the current hardware design carries the flaw permanently
Category Breakdown
Score range 0.0–10.0. Lower score = lower risk in that category.
| Category | Score | Assessment |
|---|---|---|
| Security Architecture | 6.9 / 10.0 |
|
| Firmware Integrity | 8.2 / 10.0 |
|
| Supply Chain Risk | 5.1 / 10.0 |
|
| Key Management | 6.7 / 10.0 |
|
| Operational Security | 7.7 / 10.0 |
|
| Recovery Risk | 6.2 / 10.0 |
|
Category breakdown reflects several structural risk properties assessed under the LISR framework. Weights and methodology are proprietary.
Analyst Notes
This rescore reflects the first LISR reassessment driven by disclosure of a confirmed, unpatchable hardware vulnerability in a widely deployed custody solution. On July 10, 2026, Ledger Donjon published a laser fault-injection attack against Tangem's Samsung S3D232A secure element, demonstrating that a single nanosecond laser pulse can bypass password protections and enable full fund drainage, even when recovery features are user-disabled. Tangem's architectural decision to ship cards with immutable firmware—intended as a supply-chain security feature—now ensures this vulnerability is permanent across all units, with no remediation path for current or future inventory. The $250,000 equipment cost and requirement for physical possession meaningfully constrain the threat surface; this is not a retail-scale or remote attack vector. However, institutional risk assessment must account for severity, permanence, and exposure to well-resourced adversaries (state actors, sophisticated criminal organizations) conducting targeted operations against high-value holders. Tangem's public response acknowledged the technical findings while disputing practical significance for 'everyday users,' but offered no remediation roadmap. For institutional custody due diligence, this combination of confirmed exploit plus structural inability to patch justifies elevation to HIGH tier.
Produced by: The Linkmerica Research Team · LISR v1.0 · Period: 2026-07 (rescored) · Node: LM-NODE-01
Quantum Resistance Assessment
QRR CRITICAL| QRR Category | Score | Risk Bar |
|---|---|---|
| Post Quantum Algorithm Support | 9.5 | |
| Migration Roadmap | 9.5 | |
| Firmware Upgrade Path | 9.5 | |
| Key Migration Tooling | 7.5 | |
| Regulatory Alignment | 9.5 |
LISR Framework — Score Tiers
| Score Range | Risk Tier | Institutional Guidance |
|---|---|---|
| 0.0 – 3.5 | LOW | Suitable for institutional consideration with standard diligence |
| 3.6 – 6.0 | MODERATE | Requires additional controls or policy mitigations |
| 6.1 – 8.0 | HIGH | Significant risk factors — limited institutional suitability |
| 8.1 – 10.0 | CRITICAL | Not recommended for institutional custody use |
What This Rating Covers
- Security architecture and cryptographic implementation
- Firmware integrity, transparency, and update controls
- Supply chain provenance and anti-tamper mechanisms
- Key management, entropy quality, and recovery standardisation
- Operational security controls and physical attack resistance
Limitations
- Product security posture can change with firmware or hardware updates.
- User operational security dominates many real-world loss outcomes.
- Internal scoring weights and evidence methodology are proprietary.
- This is not financial advice and Linkmerica does not provide custody services.
- Scores reflect publicly observable factors at time of review.
FAQ
What does the Linkmerica Tangem LISR rating represent?
A deterministic, versioned institutional custody risk assessment. Lower scores indicate lower risk. The rating is informational and not a guarantee of safety.
Does a lower LISR score mean funds cannot be lost?
No. Loss can still occur due to phishing, compromised recovery material, user procedural failures, device tampering, or software issues.
Does Linkmerica provide custody services or financial advice?
No. Linkmerica does not provide custody services and does not provide financial advice.
How often can the LISR rating change?
Ratings are versioned and locked at publication. New versions are issued following material firmware updates, security incidents, or scheduled review periods.
Are internal weights or scoring math disclosed?
Category weights are disclosed above. Internal scoring math and evidence weighting are proprietary to the Linkmerica Research Team.
Quantum Resistance Assessment
Independent quantum readiness evaluation under the LISR QRR framework. Linkmerica published quantum custody risk research on June 15, 2026 — one week before federal policy validated the same thesis.
Quantum Resistance Readiness
QRR CRITICAL| Category | Score | Risk Bar |
|---|---|---|
| Post Quantum Algorithm Support | 9.5 | |
| Migration Roadmap | 9.5 | |
| Firmware Upgrade Path | 9.5 | |
| Key Migration Tooling | 7.5 | |
| Regulatory Alignment | 9.5 |