{ "chain_slug": "aptos", "name": "Aptos", "scorecard_profile": "L1", "evaluated_at": "2026-04-18", "evaluator": "layerqu-v2-scoring-agent-1", "v1_reference": "chainscreen-v1-archive", "dimensions": { "1_cryptographic_exposure": { "weight": 0.15, "score": 50, "sub_scores": { "1a_primitive_inventory": { "score": 14, "primitives_named": [ "Ed25519 (default)", "BLS12-381 (validator consensus AptosBFT)", "ECDSA secp256k1", "ECDSA secp256r1 (P-256)", "SHA-256", "SHA-3-256" ], "evidence": [ "https://aptos.dev", "https://github.com/aptos-labs/aptos-core" ], "note": "Multi-key auth framework. Full primitive inventory documented." }, "1b_shor_grover_pq_tag": { "score": 15, "tags": { "Ed25519": "Shor-break", "BLS12-381": "Shor-break", "secp256k1": "Shor-break", "secp256r1": "Shor-break", "SHA-256": "Grover-weaken-128bit", "SHA-3-256": "Grover-weaken-128bit" }, "evidence": [ "https://aptos.dev" ] }, "1c_algorithm_family_diversity": { "score": 6, "families_represented": 0, "families": [], "note": "AIP-137 proposes SLH-DSA (hash-based) but not deployed. Currently no PQC families deployed." }, "1d_nist_security_category": { "score": 5, "mappings": { "SLH-DSA-SHA2-128s (proposed AIP-137)": "NIST Category 1" }, "note": "Proposal-only; not deployed." }, "1e_implementation_quality": { "score": 10, "formal_verification": "Move language formally verified; cryptographic primitives standard libraries", "constant_time": "standard", "libraries": [ "blst", "curve25519-dalek" ], "evidence": [ "https://github.com/aptos-labs/aptos-core" ] } }, "total_artifacts": 3 }, "2_hndl_exposure": { "weight": 0.1, "score": 28, "sub_scores": { "2a_active_key_exposure": { "score": 6, "note": "Auth keys stored in account state. All active accounts expose key data." }, "2b_cold_key_exposure": { "score": 8, "note": "41 months mainnet age; BlackRock BUIDL stablecoin holdings at $1.15B." }, "2c_signature_longterm_validity": { "score": 7, "note": "Ed25519 consensus + Move resource sigs forgeable post-Shor." }, "2d_encryption_confidentiality": { "score": 7, "note": "Standard TLS for RPC. No PQC KEM." } }, "total_artifacts": 2 }, "3_metadata_privacy_exposure": { "weight": 0.13, "score": 22, "sub_scores": { "3a_tx_graph_visibility": { "score": 5, "note": "Pseudonymous transparent Move resource ledger." }, "3b_rpc_mempool_concentration": { "score": 4, "note": "AWS hosts 43.2% of stake; RPC concentration through Aptos Labs, Nodereal." }, "3c_cross_chain_bridge_correlation": { "score": 7, "note": "LayerZero, Wormhole bridges; linkable cross-chain." }, "3d_retroactive_deanon_risk": { "score": 6, "note": "Aptos Keyless uses OpenID-connected auth; Shor-broken." } }, "total_artifacts": 1 }, "4_migration_architecture": { "weight": 0.1, "score": 68, "sub_scores": { "4a_crypto_agility": { "score": 18, "note": "Multi-key authentication natively supports multiple sig schemes. Move VM modular." }, "4b_account_abstraction_key_rotation": { "score": 18, "note": "Aptos Keyless + multi-key auth allow sig scheme migration per account." }, "4c_hard_fork_track_record": { "score": 18, "note": "Active AIP process; AIP-131 (block time), AIP-137 (PQC proposal), Proposal #183 (supply cap)." }, "4d_hybrid_deployment_readiness": { "score": 14, "note": "Multi-key auth enables hybrid Ed25519+SLH-DSA; AIP-137 opt-in design preserves default Ed25519." } }, "total_artifacts": 4 }, "5_deployment_execution": { "weight": 0.22, "score": 10, "sub_scores": { "5a_mainnet_pqc_pct": { "score": 0, "mainnet_pqc_pct": 0, "evidence": [], "note": "no PQC traffic on mainnet" }, "5b_pqc_code_in_client": { "score": 0, "note": "AIP-137 proposal only; no code merged" }, "5c_validator_pqc_adoption": { "score": 0, "note": "no validator PQC keys" }, "5d_published_milestones_count": { "score": 8, "count": 1, "note": "AIP-137 formal governance proposal is 1 milestone. No dated deployment timeline." }, "5e_pqc_washing_delta": { "score": 2, "ratio": 2.5, "note": "Announced AIP-137 widely; no deployed code. Ratio >2.0 triggers extra flag." } }, "total_artifacts": 2 }, "6_supply_chain_vendor_readiness": { "weight": 0.22, "score": 10, "sub_scores": { "6a_wallet": { "score": 3, "top3": [ "Petra", "Pontem", "Martian" ], "pqc_roadmap_count": 0, "evidence": [] }, "6b_bridge": { "score": 2, "top3": [ "LayerZero", "Wormhole", "Stargate" ], "pqc_roadmap_count": 0, "evidence": [] }, "6c_custodian": { "score": 3, "top3": [ "Coinbase Custody", "BitGo", "Fireblocks" ], "pqc_roadmap_count": 0, "evidence": [] }, "6d_rpc_hsm": { "score": 2, "top3": [ "Aptos Labs RPC", "Nodereal", "Ankr" ], "pqc_roadmap_count": 0, "evidence": [] } }, "total_artifacts": 1 }, "7_governance_coordination": { "weight": 0.08, "score": 48, "sub_scores": { "7a_validator_stake_distribution": { "score": 10, "note": "152 validators, Nakamoto 22 (consensus), 1 (AWS hosting)." }, "7b_upgrade_cadence_under_pressure": { "score": 15, "note": "Active AIPs; AIP-131 block time upgrade executed fast." }, "7c_named_coordination_lead": { "score": 15, "note": "Aptos Labs (Mo Shaikh, Avery Ching) + Aptos Foundation." }, "7d_adversarial_coordination_precedent": { "score": 8, "note": "No documented adversarial-pressure precedent." } }, "total_artifacts": 3 } }, "gates": { "hybrid_deployment": "PASS", "evidence_reconstruction": "PASS", "primitive_naming": "PASS" }, "caps_applied": [ "mosca_cap_60", "aaronson_cap_70 (dim 4 > dim 5 by >1 migration stage)", "sutor_stage_cap_2 (5d has only 1 milestone, not 3+; partially meets)", "casado_stage_cap_3" ], "qri": { "raw": 29, "after_caps": 29, "ci_plus_minus": 10, "band": 3, "band_name": "Planning" }, "migration_stage": 1, "mosca_inequality": { "X_signature_shelf_life_years": "5-10 (Ed25519 default, rapid key rotation possible)", "Y_migration_time_years_range": "7-12", "Z_10pct_year": 2036, "Z_50pct_year": 2041, "danger_zone_at_50pct": true }, "four_scenario_grid": { "quantum_never": { "value_preserved_pct": 100, "privacy_preserved_pct": 100 }, "arrives_suddenly_pre_migration": { "value_preserved_pct": 15, "privacy_preserved_pct": 5 }, "arrives_slowly_post_migration": { "value_preserved_pct": 90, "privacy_preserved_pct": 75 }, "arrives_slowly_mid_migration": { "value_preserved_pct": 55, "privacy_preserved_pct": 35 } }, "burn_vs_rescue_policy": "undeclared", "pqc_washing_ratio": 2.5, "vendor_tile_summary": { "wallet": { "top3": [ "Petra", "Pontem", "Martian" ], "pqc_roadmap_count": 0 }, "bridge": { "top3": [ "LayerZero", "Wormhole", "Stargate" ], "pqc_roadmap_count": 0 }, "custodian": { "top3": [ "Coinbase Custody", "BitGo", "Fireblocks" ], "pqc_roadmap_count": 0 }, "rpc_hsm": { "top3": [ "Aptos Labs RPC", "Nodereal", "Ankr" ], "pqc_roadmap_count": 0 } }, "narrative_summary": "Aptos has a strong PQC architectural story (AIP-137 proposing SLH-DSA-SHA2-128s, NIST FIPS 205) but zero deployment. Multi-key auth and Move VM provide excellent crypto-agility. Aaronson cap triggers: architecture (Dim 4 score 68) far exceeds execution (Dim 5 score 10). PQC-washing ratio 2.5 flagged.", "evaluator_notes": "AIP-137 is one of the most technically conservative PQC proposals in industry (hash-based, no new crypto assumptions). But governance approval pending and no deployed code. Aaronson cap is the binding constraint.", "narrative_voiced": "Aptos has the most conservative PQC proposal in the batch, AIP-137 choosing hash-based SLH-DSA precisely because it adds no new cryptographic assumptions. It also has a PQC-washing ratio of 2.5, the highest in the batch. Good proposal, zero deployed code, and the gap between the two is the whole story." }