Penalty: consensus-layer signature scheme is not named in any official Hyperliquid public source, Gate 3 partial fail at consensus surface. The validator client is distributed as a closed-source signed binary; only the visor/runner code is public.

0 PQ-safe family deployed.

No NIST PQC primitives deployed.

Consensus client distributed as closed-source signed binary; bridge contract is plain Solidity using OpenZeppelin libraries (Pausable, ReentrancyGuard, ERC20Permit, SafeERC20). Library provenance: OpenZeppelin contracts; Arbitrum Nitro ArbSys precompile reference; standard ecrecover precompile. Stateless. Cryptanalytic tier 1. The closed-source consensus client means consensus-layer crypto cannot be third-party audited for constant-time behavior.

EOA-style ECDSA keys identical to Ethereum-style addressing. Every user public key is revealed at first transaction. For perp traders, this is universal: every order placement reveals the signing pubkey. Bridge TVL ~$4.57B sits behind quantum-vulnerable ECDSA keys at all times.

No distinct cold-key scheme separate from active-key scheme; all keys are ECDSA secp256k1. Validator cold wallets used for unlocking the bridge are also ECDSA Ethereum addresses, same primitive, same Shor exposure.

Perpetuals positions are short-lived but user wallet keys persist; validator hot/cold wallet signatures persist as the cryptographic anchor for validator-set updates and historical bridge withdrawals. Historical signatures (validator-set update signatures, batched withdrawal signatures) are forgeable post-Shor.

API surface (api.hyperliquid.xyz, rpc.hyperliquid.xyz/evm) terminates classical TLS. Validator gossip uses ports 4001/4002 over the public internet; the wire-protocol cryptography is not publicly documented. No PQ KEM at any transport surface.

Pseudonymous (Ethereum-style 0x addresses) but fully transparent: order book state, fills, and positions are public on-chain. No shielding, no mixing, no hidden balances at protocol level. Lower score than e.g. Bitcoin's pseudonymity reflects the additional metadata leakage of order book and trading flow.

The default and dominant RPC endpoint is rpc.hyperliquid.xyz/evm operated by the foundation. Third-party RPC providers (QuickNode, Alchemy, Dwellir) exist but the foundation-operated endpoint is the canonical default. Five Hyper Foundation validators controlling ~81% of staked HYPE. Validator metadata retention policy is undeclared.

Bridge2 contract on Arbitrum is the canonical USDC entry/exit point. Deposits and withdrawals are individually visible on Arbitrum (DepositEvent / RequestedWithdrawal / FinalizedWithdrawal) and linkable to L1 user addresses. Additional bridge surfaces (LayerZero, deBridge, Across, Wormhole HyperEVM) add further passive-observer correlation paths.

A transparent order book has no shielded historical state to retroactively de-anonymize. Shor on secp256k1 enables post-hoc forgery of historical authorizations but does not retroactively reveal anything that was not already public.

No mixnet, no on-chain shuffling, no commit-reveal pattern.

No documented protocol-level algorithm-switching framework. HyperBFT is identified by name only; no public spec describes how validator-signature primitive could be changed without coordinated client upgrade. The validator client is a closed-source signed binary; consensus-level upgrades require the foundation to ship a new binary. EIP-1559 enabled on HyperEVM but no EIP-7702-style hooks documented.

HyperEVM is Cancun-without-blobs and EVM-equivalent at the precompile layer. No native account abstraction documented in the Hyperliquid spec. ERC-4337 theoretically deployable but no foundation-published entrypoint or paymaster. EIP-7702 live status on HyperEVM not declared. User L1 actions support an 'API wallet' (sub-key delegation via approveAgent), application-layer key rotation, not protocol-level account abstraction.

Mainnet launched 2023; HIP-3 (permissionless perp deployment) activated mainnet 2025-10-13; HIP-4 (outcome contracts) announced 2026-02-02. Multiple coordinated upgrades have shipped without contested forks. Track record is short (≤3 years) and limited to non-cryptographic upgrades.

No hybrid-PQC plan published. The bridge contract architecture (validator quorum signing) could in principle be extended to validate hybrid signatures, but this is not specified anywhere in foundation artifacts. HyperEVM precompile model could host PQ-verification precompiles, possible architecturally, not announced.

N/A, no stateful hash signature scheme deployed. Default 15/15 for stateless schemes.

VOID. HyperBFT is a HotStuff-derivative which conventionally uses BLS aggregation in consensus, but Hyperliquid does not publicly document its consensus-signature primitive. With the consensus client closed-source and the wire-protocol crypto unspecified, the BFT-aggregation-path declaration cannot be evaluated. Per Gate 2, the sub-score is voided.

0%. No PQ primitive in any consensus path, bridge path, or user-signing path. The qONE token launch on HyperEVM (2026-02-11) deploys IronCAP code-based dual-signature wrappers at the application contract layer for that specific token; this is not Hyperliquid protocol PQC.

Consensus client distributed as closed-source signed binary; no public source repository for the validator client. No PQ code merged.

All 21 active validators sign with ECDSA secp256k1 hot/cold wallets per the bridge contract spec.

VOIDED per v3.1 (5a = 0). Independently, no Hyper Foundation post, doc, or HIP names a PQC-related milestone with a date or enforcement mechanism.

Hyper Foundation has made zero PQC announcements and shipped zero PQC. Ratio undefined / not adverse. Full credit because the chain has not engaged in announce-without-ship behavior.

Undisclosed. No PQ scheme adopted, so no per-block byte multiplier is published.

Top-3 wallets: MetaMask (default for HyperEVM via custom RPC + chainId 999), Rabby, Hyperliquid native frontend (web app at app.hyperliquid.xyz). None has a published PQC roadmap with primitive-named ML-DSA / SLH-DSA / Falcon support shipped to mainnet.

Top-3 bridges: Hyperliquid Bridge2 (Arbitrum-side, native, $3.27B Arbitrum-side TVL), LayerZero (HyperEVM live), Wormhole (HyperEVM live). None has a published PQC roadmap with primitive-named PQ signature/KEM shipped. Bridge2's validator-quorum signing is ECDSA secp256k1 throughout.

Top-3 custodians: Anchorage Digital Bank (Grayscale Hyperliquid ETF custodian as of 2026-04-20 amendment, replacing Coinbase), BitGo Bank & Trust (joint custodian on 21Shares THYP filing 2026-04-14), Coinbase Custody (HYPE supported). MPC-PQ readiness flagged is research-only across all three.

Top-3 RPC: foundation-operated rpc.hyperliquid.xyz/evm (default), QuickNode, Alchemy. Foundation RPC has no PQ TLS posture documented. HSMs: not chain-specific (validators run on commodity hardware per official spec). TEE: not in spec.

21 active validators. Five Hyper Foundation validators controlled approximately 81% of staked HYPE per January 2025 reporting. Nakamoto coefficient on stake is effectively 1 (foundation controls quorum). Single dominant client implementation (closed-source binary).

HIP-3 (2025-10-13) and HIP-4 (2026-02-02) shipped on schedule, no contested forks. No upgrade executed under adversarial pressure (no live exploit, no halt-and-restart, no contested rollback).

Hyperliquid Labs (engineering, ~11 employees) and the Hyper Foundation (ecosystem support) are named entities. Jeff Yan is publicly named CEO/co-founder. The Hyperliquid Policy Center launched as a separate nonprofit led by Jake Chervinsky. No named PQC lead, no published PQ working group.

The closest precedent is the JELLYJELLY oracle-manipulation incident (March 2025) where validators voted to delist JELLY perps and reverse positions; this involved coordinated emergency action but not cryptographic change.

No canary, no tripwire, no rate-limited spending rule, no community honeypot. The bridge has a dispute-period locking mechanism for invalid signatures, but this is a Byzantine-fault response, not a quantum-attack tripwire.