PoS smart-contract platform
Ethereum ETH
Ethereum scores 18.0/100 (Stage 2: Mitigation/Development). The project has conducted the most comprehensive quantum risk assessment in the blockchain ecosystem, with a dedicated EF Post-Quantum team formed January 2026, weekly multi-client devnets, and a detailed multi-fork roadmap targeting 2029. However, zero post-quantum cryptography is deployed on mainnet as of the evaluation date. All three critical production layers remain quantum-vulnerable: spend authorization (ECDSA/secp256k1 for EOAs), consensus authentication (BLS12-381 for validators), and data availability (KZG commitments for blob transactions). EIP-8141 (Frame Transaction), the designated PQ migration mechanism, holds CFI status for Hegotá but is not yet shipped. The optional ERC-4337 path for PQ smart contract wallets exists on mainnet but has negligible adoption and no practical PQ implementation. Google Quantum AI estimates ~$100B+ in combined quantum exposure. The project is on a credible trajectory toward quantum readiness but is years away from meaningful production protection.
Roadmap OnlyECC-Only ProductionLong-Exposure Risk
Category breakdown
QRI Factors
Algorithm & Implementation Assurance
7 / 20
Migration Mechanism, Governance & Ecosystem Coordination
4 / 15
Migration Status & Value-at-Risk
1.5 / 25
Production Cryptographic Protection
0 / 35
Security Assessment & Evidence Preparedness
5 / 5
Critical Quantum Blockers
- Active production spend authorization (EOA transactions) remains entirely ECDSA/secp256k1-only with no PQ or hybrid path deployed on mainnet.
- Consensus-critical validator authentication uses BLS12-381 signatures exclusively; no PQ alternative exists in production consensus specs.
- KZG polynomial commitments (EIP-4844) for blob data availability rely on elliptic curve pairings vulnerable to Shor's algorithm.
- Material long-exposure quantum-vulnerable value exists in transacted EOAs with exposed public keys and no protocol-level migration, freeze, or deprecation mechanism.
Key Risks
- Transacted EOAs expose public keys permanently on-chain, creating long-exposure quantum-vulnerable value that can be attacked offline with no time constraint. Google estimates top 1,000 wallets (~20.5M ETH) are exposed.
- BLS12-381 validator signatures secure the entire consensus layer (~37M ETH staked); a quantum adversary could forge attestations and compromise finality or rewrite chain history.
- KZG commitments underpin EIP-4844 blob data availability; quantum compromise of the trusted-setup secret would be a permanent, tradable exploit affecting all L2s.
- No protocol-level mechanism exists to freeze, deprecate, or migrate dormant EOAs with exposed public keys.
- Smart contract admin keys (~70 major contracts controlling ~2.5M ETH plus ~$200B in stablecoin minting authority) are quantum-vulnerable.
- Application-layer ZK-proof systems (Groth16, PLONK) are predominantly pairing-based and quantum-vulnerable.
- EIP-8141 uncertainty: competes with alternative proposals (EIP-8130, Tempo); if delayed or replaced, execution-layer PQ migration timeline extends.
Assurance Notes
- No PQ implementation exists on mainnet to audit; audit freshness is not applicable for the current production scope.
- Dedicated Ethereum Foundation Post-Quantum team formed January 2026 with weekly multi-client devnets (pq-devnet-0 through pq-devnet-5) involving 10+ client teams.
- EIP-8141 (Frame Transaction) holds Considered for Inclusion (CFI) status for Hegotá fork as of March 2026 ACD call, but is not a confirmed headliner and competes with EIP-8130 and Tempo.
- Lean Ethereum roadmap targets 2029 for core PQ infrastructure completion; this is explicitly described as a planning target, not a guaranteed commitment.
- Google Quantum AI March 2026 paper (co-authored with EF researcher Justin Drake) estimates ~$100B+ in combined Ethereum quantum exposure across wallets, smart contracts, staking, L2s, and data availability.
- Performance benchmarks from devnet testing show ~30 MB/slot raw PQ signatures with ~250x compression via leanVM, but mainnet-scale validation (~1M validators) has not been demonstrated.
Non-Scoring Caveats
- Account Abstraction (EIP-4337) is live on mainnet and theoretically permits custom PQ signature verification in smart contract wallets, but no PQ precompiles, key registries, or standard wallet tooling exist, making this path impractical for nearly all users.
- ERC-4337 PQ wallets (Tectonic PQ Wallet, BMIC, EthVaultPQ) exist as third-party experiments but have negligible adoption and unverified production readiness at scale.
- EIP-7702 (shipped in Pectra, May 2025) allows EOA delegation to smart contract code but relies on ECDSA for its authorization list, making it quantum-vulnerable as a migration mechanism.
- Vitalik Buterin's conceptual 'quantum sudden death' emergency recovery plan (ethresear.ch, March 2024) is a research proposal relying on social consensus hard fork, not an operational incident-response process.
- No formal timeline or activation criteria published for mandatory EOA migration to quantum-safe signatures.
- Policy for handling long-dormant EOAs with exposed public keys that cannot actively migrate remains unresolved.
- KZG-to-STARK transition for data availability remains in active research with no committed timeline.
Evidence record
Claims and Caveats
Security Assessment & Evidence Preparedness
Public cryptographic inventory and quantum threat model
Claim: Ethereum has published an extensive cryptographic inventory identifying four vulnerable areas: ECDSA for EOA signatures, BLS for consensus, KZG for data availability, and ZK-proofs for applications. The threat model covers attack assumptions, affected assets, and affected layers.
Coverage basis: Public documentation across ethereum.org, pq.ethereum.org, consensus-specs, EIPs, and Google Quantum AI co-authored paper.
Implementation score: 1 · Evidence confidence: High
Issue classification: none · Score treatment: not applicable
Assurance: Comprehensive public documentation from official sources. Updated May 2026. Google Quantum AI March 2026 paper provides third-party validation.
Ethereum's quantum threat assessment is among the most comprehensive in the blockchain industry.
Security Assessment & Evidence Preparedness
Public evidence record supporting the assessment
Claim: Assessment is supported by code references (consensus-specs, EIPs), specifications, transaction examples on Etherscan, and reproducible analytics.
Coverage basis: Public GitHub repositories, EIP specifications, mainnet explorer data, research forum posts.
Implementation score: 1 · Evidence confidence: High
Issue classification: none · Score treatment: not applicable
Assurance: Primary source code and specifications are publicly available and verifiable.
Evidence record is comprehensive. Multiple primary sources independently confirm the same findings.
Production Cryptographic Protection
Spend authorization / transaction signatures are PQC or hybrid-PQC on mainnet
Claim: Ethereum mainnet uses ECDSA/secp256k1 for all EOA transaction signatures with no PQ or hybrid alternative deployed. ERC-4337 theoretically permits optional PQ smart contract wallets but no PQ precompiles or standard implementations exist.
Coverage basis: Protocol-level spend authorization for all EOAs is ECDSA-only. No PQ path exists in production.
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: ECDSA-only spend authorization: All EOA transaction signatures use secp256k1/ECDSA. Public keys are permanently exposed on-chain after first transaction.
Assurance: Confirmed by official Ethereum Foundation documentation. No PQ signature scheme is deployed on mainnet.
ERC-4337 technically provides an optional path but no practical PQ implementation exists. EIP-8141, the designated protocol-level PQ migration mechanism, is a draft EIP with CFI status only.
Production Cryptographic Protection
Account, address, public-key exposure, and key-derivation design prevents long-exposure quantum-vulnerable ownership paths
Claim: EOAs expose their secp256k1 public key permanently on-chain after the first transaction. No key rotation mechanism exists. No PQ address formats exist on mainnet.
Coverage basis: All transacted EOAs have permanently exposed public keys with no rotation or PQ migration path.
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: Long-exposure at-rest vulnerability: transacted EOA public keys are permanently visible on-chain with no rotation or PQ migration path.
Assurance: Well-documented in Ethereum protocol design. Google estimates top 1,000 wallets (~20.5M ETH) have exposed public keys.
This is the most severe quantum exposure on Ethereum. Public key is derivable from any signed transaction.
Production Cryptographic Protection
Consensus-critical authentication is PQC or hybrid-PQC
Claim: Validator attestations, block proposals, and the RANDAO randomness beacon use BLS12-381 signatures exclusively. The production consensus spec contains no PQ alternatives.
Coverage basis: All validator authentication in the production consensus spec uses BLS12-381, which is quantum-vulnerable.
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: BLS-only consensus authentication: ~37M ETH staked. A quantum attacker compromising one-third of validators halts finality; two-thirds enables chain history rewriting.
Assurance: Authoritative consensus-specs repository confirms BLS-only. PQ alternatives (leanXMSS) are in devnet/research only.
BLS12-381 is vulnerable to Shor's algorithm. leanXMSS/leanVM PQ consensus devnets are running weekly but no mainnet timeline exists.
Production Cryptographic Protection
State-integrity and data-availability mechanisms are quantum-safe
Claim: EIP-4844 blob transactions use KZG polynomial commitments based on elliptic curve pairings. These are quantum-vulnerable. No PQ replacement is deployed on mainnet.
Coverage basis: All rollup data availability via blob transactions depends on quantum-vulnerable KZG commitments.
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: KZG commitments: A quantum computer could recover the trusted-setup secret and permanently forge data-availability proofs. This is a once-and-done exploit affecting all L2s.
Assurance: EIP-4844 is live on mainnet. Researchers are exploring STARKs/FRI as future replacement but no timeline is finalized.
STARKs/FRI replacement is in active research but has no committed timeline. Described as the most complex piece of the PQ migration.
Production Cryptographic Protection
Privacy and proof layers are quantum-safe
Claim: Application-layer ZK-proof systems predominantly use Groth16, PLONK, and other pairing-based SNARKs that are quantum-vulnerable. Some STARK-based systems exist (StarkNet) but most L2 value depends on quantum-vulnerable proofs.
Coverage basis: Protocol-level ZK infrastructure provides no PQ guarantees. Application-layer PQ varies by project.
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Assurance: ZK proof systems on Ethereum L2s predominantly use pairing-based SNARKs. STARK-based alternatives exist but are not universal.
STARK verification costs ~10M gas vs 300K-500K for SNARKs. EIP-8141's validation frame aggregation is the proposed solution.
Production Cryptographic Protection
P2P transport, node identity, and peer authentication are PQC or satisfied by design
Claim: Ethereum's P2P layer uses discv5 with secp256k1 node IDs and libp2p noise-based encryption. No PQ protection exists.
Coverage basis: P2P node identity uses classical secp256k1 cryptography.
Implementation score: 0 · Evidence confidence: Medium
Issue classification: assurance-only caveat · Score treatment: note-only
Assurance: P2P quantum vulnerability is lower criticality than spend authorization or consensus authentication.
Node identity compromise does not directly enable fund theft but could facilitate eclipse attacks.
Production Cryptographic Protection
Critical wallet, custody, HSM, and hardware-wallet workflows support production PQ/hybrid path
Claim: No major wallet (MetaMask, Ledger, Trezor, Coinbase Wallet) supports PQ signatures. No HSM supports PQ signing for Ethereum.
Coverage basis: Production wallet and custody infrastructure is entirely classical.
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Assurance: The HSM/MPC hardware refresh cycle runs 2-5 years, creating a long tail for institutional PQ wallet adoption.
Third-party experimental PQ wallets exist via ERC-4337 but have negligible adoption and unverified production readiness.
Migration Status & Value-at-Risk
Percentage of economically relevant value-at-risk protected from quantum key-recovery attacks
Claim: Essentially 0% of mainnet value is protected by PQ or hybrid controls. ERC-4337 PQ smart contract wallets have negligible adoption.
Coverage basis: Sub-1% value-at-risk coverage. PQ-native claim does not apply (Ethereum launched with ECDSA).
Implementation score: 0.05 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: Material long-exposure quantum-vulnerable value exists with no migration, freeze, deprecation, burn, recovery, or policy path.
Assurance: Google estimates >$100B in combined quantum exposure. Coverage is effectively 0% for native protocol protection.
Per QRI 9.3.1, <25% coverage scores 1 out of 20 points. Implementation Score = 1/20 = 0.05.
Migration Status & Value-at-Risk
Critical wallets migrated, protected, or inherently PQ-native
Claim: No evidence that any major exchange, custodian, bridge, foundation treasury, or protocol treasury has migrated to PQ-protected wallets.
Coverage basis: All critical wallets remain quantum-vulnerable.
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Google identified ~70 major contracts with exposed admin keys controlling ~2.5M ETH plus ~$200B in stablecoin minting authority.
Migration Status & Value-at-Risk
Legacy vulnerable pools/accounts identified, measurable, deprecated, migrated, frozen, or proven not to exist by design
Claim: Vulnerable EOA public keys have been identified and quantified by research. However, no deprecation, freeze, burn, or migration policy exists.
Coverage basis: Vulnerable pools identified but no action taken.
Implementation score: 0.25 · Evidence confidence: Medium
Issue classification: quantum-critical uncertainty · Score treatment: score-reducing
Assurance: The EF notes ~0.1% of ETH supply is in addresses widely believed abandoned, significantly less than Bitcoin's ~5%.
Identification and measurement are well-documented (score 0.25), but no deprecation, migration, freeze, or burn policy exists.
Migration Mechanism, Governance & Ecosystem Coordination
Public migration or protection roadmap with sequencing, activation criteria, and dependencies
Claim: Ethereum has published an extensive multi-fork PQ roadmap (Strawmap) with fork milestones I* (PQ key registry), J* (PQ sig precompiles), L* (PQ attestations, leanVM), M* (PQ sig aggregation, PQ blobs), targeting 2029 completion.
Coverage basis: Comprehensive public roadmap with fork-level milestones, activation criteria, and dependency chains.
Implementation score: 0.5 · Evidence confidence: High
Issue classification: none · Score treatment: not applicable
Assurance: Roadmap is detailed and from official sources. Roadmap authors acknowledge post-2026 fork assignments are 'overcanonicalized' and likely to be softened.
The 2029 target is aspirational. Devnets and interop testing are active but timelines are planning targets, not commitments.
Migration Mechanism, Governance & Ecosystem Coordination
Migration accessibility and defaults: PQ/hybrid account creation, wallet tooling, transaction paths, custody paths
Claim: EIP-8141 (Frame Transactions) is the designated PQ migration mechanism but is a draft EIP with CFI status only. No default PQ wallet creation exists. No migration prompts in major wallets.
Coverage basis: Migration infrastructure is in proposal/devnet stage. No production defaults or user-facing migration tools exist.
Implementation score: 0.25 · Evidence confidence: High
Issue classification: quantum-critical uncertainty · Score treatment: score-reducing
EIP-8141 is CFI for Hegotá (H2 2026) but competes with EIP-8130 and Tempo. Even if shipped, it enables PQ adoption but does not mandate it.
Migration Mechanism, Governance & Ecosystem Coordination
Migration enforcement and coordination: enforcement mechanisms, exchange/custody/bridge coordination
Claim: No enforcement mechanisms exist. No deprecation of ECDSA signing. No deadlines for migration. No exchange, custody, or bridge coordination for PQ migration.
Coverage basis: Zero enforcement or coordination mechanisms deployed or formalized.
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: Users can still create new quantum-vulnerable high-value accounts by default with no restrictions, warnings, or migration deadlines.
Ethereum's governance model makes enforcement mechanisms politically complex. No proposal for mandatory migration deadlines has reached serious consideration.
Migration Mechanism, Governance & Ecosystem Coordination
Emergency disclosure, incident-response, or governance process for quantum-related vulnerabilities
Claim: Vitalik Buterin published a conceptual 'quantum sudden death' emergency recovery plan (ethresear.ch, March 2024) involving a hard fork to revert blocks and implement STARK-based signatures.
Coverage basis: Conceptual recovery design exists but is untested, unformalized, and relies on off-chain social consensus.
Implementation score: 0.25 · Evidence confidence: Medium
Issue classification: assurance-only caveat · Score treatment: note-only
Assurance: The emergency recovery plan has never been tested, formalized, or operationalized. It relies on off-chain social consensus and a hard fork.
A recovery plan is not active protection. Per QRI spec: 'A project should not be publicly labeled Quantum-Ready based only on recoverability.'
Algorithm & Implementation Assurance
Uses NIST-standardized, standards-track, or broadly reviewed PQC/hybrid-PQC algorithms
Claim: Ethereum's PQ work builds on NIST foundations: leanXMSS is based on XMSS (NIST SP 800-208 stateful hash-based signatures), SLH-DSA (SPHINCS+) is NIST-standardized.
Coverage basis: Algorithm selection is appropriate and standards-aligned, but algorithms are not deployed in production.
Implementation score: 0.5 · Evidence confidence: Medium
Issue classification: assurance-only caveat · Score treatment: note-only
Assurance: leanXMSS is a bespoke XMSS variant; while XMSS is NIST-standardized, the leanXMSS construction itself has not undergone independent cryptographic review comparable to NIST standardization.
Algorithm selection demonstrates serious cryptographic engineering. Bespoke variants (leanXMSS) introduce risks not yet independently reviewed.
Algorithm & Implementation Assurance
Independent cryptographic and implementation audit exists for the quantum-critical scope
Claim: No independent audit exists for any Ethereum PQ component. The EF's $20M zkEVM Formal Verification Project is underway but has not produced a published audit of quantum-critical scope.
Coverage basis: No independent audit of quantum-critical production or devnet implementation.
Implementation score: 0 · Evidence confidence: High
Issue classification: assurance-only caveat · Score treatment: confidence-only
Assurance: Per QRI v3.1, audit absence does not by itself create a quantum-critical vulnerability when no PQ production implementation exists. Score is 0.00 because there is nothing deployed to audit.
The $20M zkEVM Formal Verification Project is a significant investment but has not yet delivered auditable PQ artifacts.
Algorithm & Implementation Assurance
Open-source, reproducible implementation
Claim: All PQ work is open source: leanSig, leanMultisig, leanSpec (executable Python specification), leanVM, EIPs, consensus specs, and client implementations.
Coverage basis: Open-source devnet implementations exist and are reproducible. No production PQ implementation exists.
Implementation score: 0.5 · Evidence confidence: High
Issue classification: none · Score treatment: not applicable
Open-source development is a strength. Weekly interop devnets with 10+ client teams demonstrate reproducible multi-client coordination.
Algorithm & Implementation Assurance
Parameter agility and future upgrade path are documented
Claim: Cryptographic agility is a core design principle. Account abstraction provides execution-layer agility. Multiple candidate schemes evaluated. The roadmap explicitly avoids premature lock-in.
Coverage basis: Agility is well-documented as a design principle with specific mechanisms (account abstraction, staged fork milestones).
Implementation score: 0.75 · Evidence confidence: Medium
Issue classification: none · Score treatment: not applicable
Assurance: Agility is well-documented as a design principle but has not been proven in production for quantum-critical upgrades.
Score reflects strong documentation and mechanism design offset by the fact that no PQ-to-PQ upgrade has been demonstrated in production.
Algorithm & Implementation Assurance
Stateful-signature safety, side-channel, fault-injection, state-management, hardware-wallet, HSM, or custody implementation risks
Claim: leanXMSS is a stateful XMSS variant. State management risks (signing state corruption, anti-reuse controls) are acknowledged in research but not proven in production.
Coverage basis: Stateful signature risks acknowledged in design phase. No production implementation to evaluate safety controls.
Implementation score: 0.25 · Evidence confidence: Low
Issue classification: assurance-only caveat · Score treatment: note-only
Assurance: Stateful hash-based signatures (XMSS/LMS) have known operational failure modes. These risks have not been validated in a production blockchain context at Ethereum's scale (~1M validators).
This is the highest-risk area for Ethereum's PQ consensus design. The EF's formal verification effort ($20M) targets this risk but has not delivered verifiable artifacts.
Algorithm & Implementation Assurance
Performance and resource-impact analysis exists where PQ costs could affect safe deployment
Claim: Extensive devnet benchmarking: raw PQ signatures ~3,000 bytes each vs BLS 96 bytes, ~30 MB/slot unaggregated. leanVM achieves ~250x compression.
Coverage basis: Devnet-level performance analysis exists. Mainnet-scale validation (~1M validators) has not been demonstrated.
Implementation score: 0.5 · Evidence confidence: Medium
Issue classification: assurance-only caveat · Score treatment: note-only
Assurance: Devnet benchmarks are promising but operate at far smaller scale than mainnet. The 250x compression via leanVM is the key assumption enabling PQ consensus feasibility.
Performance analysis is thorough for the devnet scale. If leanVM aggregation performance does not scale to mainnet conditions, the consensus PQ migration timeline would be materially impacted.
Report metadata