Yes, MCU side.

We cannot audit the MCU because there’s code protection measures unless you were to have equipment to do a fault attack on it, and this needs to apply to every user.