All chips can have vulnerabilities, that is why I am supporting open source chips like Tropic01.
That doesn't mean they are perfect, but they are more open and they are not hiding bugs.
The Tropic01 chip is not open source as, unlike software, you cannot simply compile your own binary (hardware). Using "open source" in the context of hardware is misleading imo. Tropic Square claims to be auditable but looking at their FAQ there are obvious limits:
What about the TROPIC01 chip makes it auditable?
Tropic Square owns the chip design and is able to provide the documentation and source-code for auditability– without the need of signing an NDA. We also provide development kits and chip samples for evaluation and security testing. We encourage developers to:
Validate and pentest TROPIC01
Prototype secure embedded systems with TROPIC01
Share feedback and testing result with us
Note: Publication and sharing of the design and implementation details have no adverse effect on the system's security. We however, do not disclose critical design details like the position of laser or EM (electromagnetic field) detectors.
Unless they allow anyone who asks to physically audit the various stages of the chip design and physical production then the audit is very limited in scope.