BLAST · ROLLUP-L2 · STAGE 0 UNAWARE, NO PQ WORK SHIPPED OR FORMALLY ARCHITECTED AT THE BLAST-CHAIN LEVEL · QRI 17 v3.1.0 methodology
In plain terms

What it is. Blast is the network that pays you interest just for leaving your crypto sitting on it, because behind the scenes it takes your deposits and puts them to work earning a return.

What we found. One company runs Blast alone, and a handful of its keyholders can rewrite how it works in an instant with no cooling-off period, while the money it lends out on your behalf is locked up by the same kind of password math that already guards your wallet.

Why it matters. A future quantum computer would have two ways in here rather than one: it could forge the keys to your account, and it could also forge the keys that control the pile of deposits Blast has stationed elsewhere chasing yield, putting both your balance and the interest it promised at risk at once.

OP Stack optimistic-rollup fork operated by a single sequencer with a 3/5 BlastMultisig and instant contract upgrades. L2BEAT classifies the chain as not even Stage 0. Native yield is delivered through a custom L1 bridge gateway with operator-controlled admin keys. Blast Foundation has made no public statement on post-quantum cryptography.

Verified 2026-05-01

Summary

Blast is an OP Stack optimistic-rollup fork (blast-io/blast v1.8.0, 2026-02-12) operated by a single sequencer with a 3/5 BlastMultisig and instant contract upgrades. L2BEAT classifies the chain as not even Stage 0: there is no fault-proof game, the system permits invalid state roots, and users must trust the proposer. Native yield (rebasing ETH via Lido L1 staking; rebasing USDB via the MakerDAO T-Bill protocol) is delivered through a custom L1 bridge gateway with operator-controlled admin keys. Cryptographic primitives are ECDSA secp256k1, Keccak-256, and X25519/P-256 ECDHE on RPC TLS, all entirely classical. The Blast Foundation has made no public statement on post-quantum cryptography; no PQC keyword appears on blast.io, docs.blast.io, the tokenomics doc, or the GitHub repo. Migration Stage: 0. Raw QRI: 16.7. After-cap QRI: 16.7 (the Mainnet-Traffic and Architecture-Execution Gap caps at 60 and 70 do not bind below the raw score). Confidence: ±11. Band: 1 Unaware. Key uncertainties: undeclared OP Stack hard-fork uptake cadence, undisclosed native-yield bridge admin-key posture, Blast Foundation public silence on quantum threat. Forge 13/75; Decrypt 5/25.

What the gates say

  • Gate 1a, Hybrid signature: FAIL. No documented hybrid signature composition (AND or OR) at the user signing or sequencer signing layer
  • Gate 1a, Hybrid KEM: FAIL. No documented hybrid KEM at sequencer-RPC TLS or any operator-to-operator transport on Blast
  • Gate 1b, Commit-to-hash: COND. No OR-composition declared
  • Gate 2, Evidence reconstruction: PASS. Every non-voided sub-score has 3+ public artifacts
  • Gate 3, Primitive naming: PASS. Every named primitive is specified: ECDSA secp256k1, Keccak-256, SHA-256, BLS12-381, AES-128-GCM, X25519

Burn-vs-rescue policy on file

Declared option f, Undeclared. No Blast team or Blast Foundation position exists on what happens to dormant Blast-native funds at user EOAs in a quantum scenario. Rollup-L2-specific consideration: dormant L2 funds depend on the canonical bridge contract's L1 ownership; if Ethereum L1 freezes vulnerable EOAs, L2 mirror state inherits the freeze automatically. The native-yield bridge gateway adds complexity: its reinvestment positions in Lido staking and MakerDAO T-Bills are held in operator-controlled L1 contracts whose admin keys are themselves classical ECDSA.

Seven dimensions

Each dimension scores 0–100 internally; the weighted roll-up produces the QRI.

1 Cryptographic Exposure · weight 12% · 23 / 100
1a · primitive inventory 8 / 20

No canonical primitive-inventory document exists at docs.blast.io; primitives are inferred from the repo, the OP Stack specs, and the docs.blast.io about-page. Blast is an OP Stack fork (latest tagged release v1.8.0, 2026-02-12).

Primitives: ECDSA secp256k1 (transaction signatures, EOA model, EVM-equivalent) · Keccak-256 (state, RLP, addresses) · SHA-256 (Ethereum L1 settlement paths) · BLS12-381 (Ethereum L1 consensus signatures Blast settles into) · X25519 / P-256 ECDHE (TLS to public Blast RPC endpoints) · AES-128-GCM (TLS bulk cipher)
1b · shor grover pq tag 10 / 20
Tags:
  • ECDSA secp256k1 Shor-break-via-DL-without-pairings
  • Keccak-256 Grover-weaken (256→128-bit preimage)
  • SHA-256 Grover-weaken
  • X25519 / P-256 ECDHE Shor-break-via-DL
  • AES-128-GCM Grover-weaken to 64-bit
  • BLS12-381 Shor-break-via-pairings
1c · family diversity 0 / 20

0 PQ families deployed. No lattice, hash-based, code-based, or isogeny family has shipped at any layer of the Blast stack.

1d · nist security category 0 / 20

No NIST FIPS 203/204/205 PQC primitive deployed.

1e · implementation quality 5 / 20

Blast's fork inherits OP Stack auditing (Sigma Prime, Trail of Bits, Spearbit reports 2023-2025); Blast-specific modifications (native-yield bridge gateway, USDB/WETH rebasing tokens) have audit history disclosed but no machine-checked formal proofs. Standard go-ethereum / crypto/secp256k1. Cryptanalytic tier: Tier 1 (classical ECC + Keccak-256 + SHA-256).

2 Quantum Recovery Exposure · weight 8% · 18 / 100
Forge subtotal: 13/75 · Decrypt subtotal: 5/25
2a · active key exposure 4 / 25

Blast launched mainnet 2024-02-29 and saw TVL peak ~$2.96B in March 2024 before declining materially. Tens of thousands of EOAs remain active; every active EOA reveals its secp256k1 public key on first transaction.

2b · cold key exposure 5 / 25

Mainnet since 2024-02-29 (~26 months). Material dormant balances exist (treasuries, abandoned LP, dormant Blast Points/Gold farming wallets, native-yield bridge contracts on L1).

2c · sig long term validity 4 / 25

Sequencer batch-poster ECDSA signatures and Ethereum L1 state-root output-proposer signatures are forgeable post-Shor. Instant-upgrade BlastMultisig 1 (3/5 threshold, no delay) ECDSA keys are an additional historical-exposure surface.

2d · encryption confidentiality hndl 5 / 25

Public Blast RPC endpoints are served over standard TLS 1.3 (X25519/P-256 ECDHE + AES-GCM). No documented hybrid PQ KEM is in use on any Blast RPC, sequencer, or operator transport.

3 Metadata, Anonymity & Confidentiality · weight 8% · 10 / 100
3a · tx graph visibility 3 / 20

Pseudonymous transparent EVM ledger. Blast Points and Blast Gold airdrop campaigns created dense behavioral fingerprints.

3b · rpc mempool concentration 2 / 20

Sequencer is operated by a single entity (NC=1 for ordering); not even Stage 0 per L2BEAT, system permits invalid state roots. Public RPC concentrated on operator-run endpoint plus Ankr, QuickNode, Chainstack, BlastAPI.

3c · cross chain bridge correlation 2 / 20

Native Blast Bridge (custom L1 gateway with Lido/MakerDAO reinvestment) is a direct on-chain link between Ethereum L1 and Blast, and by design it correlates user identities.

3d · retroactive de anonymization 3 / 20

No shielded pool on Blast; transparent ledger. ECDSA Shor-break enables retroactive recovery of any private key whose pubkey ever appeared on-chain.

3e · mixnet shuffle 0 / 20

No on-chain mixer integrated into the Blast protocol.

4 Migration Architecture · weight 15% · 47 / 100
4a · crypto agility 5 / 15

OP Stack fork. Inherits Ethereum's hard-fork-driven crypto-agility in the abstract. Blast is on its own fork (blast-io/blast); its upgrade cadence is not explicitly tracked at L2BEAT-grade transparency.

4b · aa key rotation 8 / 20

Inherits Ethereum-side ERC-4337 infrastructure. EIP-7702 EOA-delegation propagates from Pectra (2025-05-07) through OP Stack hard-fork inheritance. Blast docs do not feature a Blast-specific smart-wallet product. Popular wallets are MetaMask and Rabby, both EOA-first.

4c · hard fork track record 6 / 15

Two material upgrade events: the 2024-03-13 Dencun-upgrade halt (~2 hours) and tagged repository releases through v1.8.0 (2026-02-12). The 3/5 BlastMultisig 1 upgrades contracts instantly, with no time delay.

4d · hybrid deployment readiness 4 / 15

ERC-4337 smart-account contracts can in principle host a parallel-signature verifier for a hybrid (classical ECDSA + PQ ML-DSA/SLH-DSA) signing path, but no hybrid scheme has been specified or shipped by Blast. The architectural primitives are inherited; a migration document does not exist.

4e · stateful hash state management 15 / 15

Default-pass per v3.1 rule. No stateful hash scheme.

4f · bft aggregation path 0 / 20

N/A: Blast is a rollup with a single sequencer for ordering; no BFT consensus with BLS signature aggregation operates at the Blast layer.

5 Deployment Execution · weight 22% · 14 / 100
5a · mainnet pqc traffic pct 0 / 25

Zero PQ signatures observed in Blast's transaction stream. No PQ KEM in TLS termination is documented.

5b · pqc code in consensus client 0 / 15

Grep of blast-io/blast repository (Blast's fork of optimism + op-geth) yields no ML-DSA, ML-KEM, SLH-DSA, Falcon, XMSS, or SPHINCS+ implementation.

5c · validator pqc key adoption 0 / 15

The Blast sequencer is operated under standard secp256k1 ECDSA keys. There is no validator set on Blast; the chain is not even Stage 0 per L2BEAT.

5d · published dated milestones 0 / 10

VOIDED to 0 per v3.1 (5a = 0). No PQC-specific dated milestones published by Blast team, Foundation, or any ecosystem contributor.

5e · pqc washing delta 14 / 15

Trailing 12-month PQC announcement count from official Blast channels: 0. Shipped PQ on Blast mainnet: 0. Cleanest possible washing posture, paired with absence of a roadmap.

5f · signature footprint multiplier 0 / 20

Voided per Gate 2: no PQ signature deployed.

6 Supply Chain Vendor Readiness · weight 25% · 8 / 100
6a · wallet 4 / 25

Top-3: MetaMask, Rabby, Ledger. None has shipped a PQ roadmap for transaction signing. Trezor Safe 7 (2025) ships ML-DSA-44 device attestation + SLH-DSA-128 bootloader, making Trezor the only top-3-class hardware-wallet vendor with shipped PQ in production, but for device attestation/firmware integrity, not transaction signing on Blast.

6b · bridge 1 / 25

Top-3: native Blast Bridge (custom L1 gateway with Lido/MakerDAO reinvestment), LayerZero, Stargate. Native Blast Bridge inherits ECDSA + Keccak-256 from Ethereum L1 settlement and has additional ECDSA-keyed admin functions for the reinvestment gateway. Largest concrete PQ exposure.

6c · custodian 1 / 25

Limited institutional custody for chain at Blast's current TVL tier. No published PQ roadmap for any Blast-specific custodian.

6d · rpc hsm tee infra 2 / 25

Top-3 RPC: operator-run Blast official RPC, Ankr, Chainstack/QuickNode/BlastAPI. AWS KMS shipped ML-DSA support 2025-06, only concrete-deployed PQ infra primitive in tile; generic, not Blast-bound.

7 Governance & Coordination · weight 10% · 23 / 100
7a · validator stake distribution 2 / 20

Sequencing centralized at the operator (NC=1). No fault-proof game (system permits invalid state roots per L2BEAT). 3/5 BlastMultisig 1 with instant upgrades is the operative governance threshold.

7b · upgrade cadence under pressure 7 / 20

Two material upgrade events: 2024-03-13 Dencun-upgrade halt and tagged releases through v1.8.0. The instant-upgrade BlastMultisig 1 is itself an ability-to-act-fast governance posture.

7c · named coordination lead 9 / 20

Blast Foundation is the named protocol-development entity. Tieshun Pacman Roquerre (founder of Blur) is the publicly identified founder-lead. The docs reference future DAO-style protocol governance. No designated PQ lead within the Blast team.

7d · adversarial coordination precedent 5 / 20

Dencun-halt recovery (March 2024, ~2 hours) is the public coordination-under-pressure record. No precedent of coordinated cryptographic-primitive change under active attacker pressure.

7e · canary tripwire mechanism 0 / 20

No quantum canary embedded in Blast protocol.

X + Y vs Z, when does the math turn against you?

v3.1 demotes the X+Y vs Z timing test to a secondary signal; the headline output is Migration Stage. The timing test still answers the question: can this chain finish migrating before the threat lands?

  • X, signature shelf life: 5-10 years
  • Y, migration time: 12-15+ years to Stage 5
  • Z10 (10% CRQC year): 2030
  • Z25 (25% CRQC year): 2035

Verdict

X+Y > 2035 → Outside risk window; X+Y > 2030 → Crisis Zone

Z-compliance

Outside compliance window for any jurisdiction with hard-stop 2030

Source-disagreement disclosure

v3.1 requires every chain card to publish material divergences among authoritative sources, plus the delta-QRI under alternative weighting.

TVS metric divergence (L2BEAT vs DefiLlama)

L2BEAT TVS $103.04M (with 70.3% carrying additional trust assumptions); DefiLlama bridged TVL $339.5M / native $119.4M. The L2BEAT TVS metric is stricter accounting that excludes value held under additional trust assumptions; DefiLlama bridged TVL is the gross-bridged figure. Neither metric is wrong; they measure different things.

OP Stack inheritance, undeclared

Blast's PQ posture is bounded above by Ethereum L1 (settlement) AND by Blast operator's willingness to track upstream OP Stack hard-fork inheritance. Unlike Base (which announced explicit divergence 2026-02-18), Blast has made no public divergence statement and no public statement of inheritance commitment either.

Delta-QRI under alternative weighting

Estimated -2 (QRI ~15) if supply-chain weighted at 30%; estimated +1 (QRI ~17.7) if 4a is rescaled to credit OP Stack inheritance more strongly.

Announcement-to-shipped ratio

Announced: 0. Shipped: 0. Ratio: 0.

Tag: none. No PQC announcements from blast.io / docs.blast.io / Blast Foundation channels in trailing 12 months

Peers in the rollup-L2 profile

9 chains closest to Blast by Stage then QRI.

S1 24
S1 25
S1 25
S1 28
S1 28
S1 29
S1 35
S0 13