What it is. Mantle is a faster, cheaper network built on top of Ethereum that has rebuilt its own plumbing four times in three years, yet has done nothing so far to guard against future quantum computers.
What we found. The team clearly knows how to pull off big coordinated overhauls, but it has never aimed that skill at quantum protection, and the proof that secures money leaving the network could be forged once quantum machines arrive.
Why it matters. A holder or institution parking funds here, including the multi-billion-dollar treasury sitting on the network, is trusting a team that can move fast but has not yet started the one move that keeps those funds safe in the quantum era.
ZK validity rollup on a customised OP Stack with four substantive coordinated upgrades in three years (BitDAO→Mantle, EigenDA integration, Optimistic→ZK via OP Succinct, Arsia/EigenDA-removal+EIP-7702). Real crypto-agility at the team-and-process level but none of it pointed at PQ posture. On-chain validity anchor is Groth16/PLONK SNARK over BN254, Shor-breakable.
Summary
Mantle is a ZK validity rollup on a customised OP Stack (Bedrock-derivative). Mantle has shipped four substantive coordinated upgrades in three years on a custom OP Stack fork, BitDAO→Mantle (2023), MantleDA→EigenDA (2025-03-19), Optimistic→ZK validity via OP Succinct (2025-09-16), and Arsia/EigenDA-removal+EIP-7702 (2026-04-22). That is real crypto-agility at the team-and-process level. None of it has been pointed at post-quantum posture. No PQ scheme is selected; no working group is announced; no hybrid composition is documented. The on-chain validity anchor is a Groth16/PLONK SNARK over BN254, pairing-based and Shor-breakable, even though SP1's internal STARK is hash-based. Migration Stage: 0 (Unaware). Raw QRI: 27. After-cap QRI: 27 (caps fire at 60/70 but do not bind a value already at 27). Band: 3 Planning (boundary with Band 2 Acknowledged). Confidence interval: plus-minus 5. Key uncertainties: (i) whether SP1's internal FRI/STARK should be credited as a PQ family at all; (ii) whether vendor concentration around Bybit is a coordination asset or a single-vendor failure mode under PQ migration pressure; (iii) the timing of any Mantle Foundation public PQC acknowledgement.
What the gates say
- Gate 1a, Hybrid signature: FAIL , no documented hybrid signature composition AND or OR at any layer: user, sequencer, proposer
- Gate 1a, Hybrid KEM: FAIL , no documented hybrid KEM at sequencer transport, RPC, or batch-submission layer
- Gate 1b, Commit-to-hash: COND , Gate 1a-Sig fails outright; no OR-composition to evaluate
- Gate 2, Evidence reconstruction: PASS , every sub-score has ≥3 URLs and is reconstructible in 48 hours
- Gate 3, Primitive naming: PASS , every sub-score names specific primitives: ECDSA secp256k1, Keccak-256, Poseidon2 over KoalaBear, SP1 STARK/FRI, Groth16/PLONK over BN254, BLS12-381 KZG/BLS aggregation
Burn-vs-rescue policy on file
Declared option f, Undeclared. Mantle has not stated any policy on freeze, burn, STARK rescue, hybrid client-layer, rate-limit canary, or optional migration for QV outputs. The L2 inherits Ethereum L1's policy for settled state to the extent that withdrawals depend on L1 verification; at L2's own surface, no policy is declared.
Seven dimensions
Each dimension scores 0–100 internally; the weighted roll-up produces the QRI.
1 Cryptographic Exposure weight 12% 32 / 100
Spec-level naming present for proof system and verifier; sequencer-key role identified at EOA granularity.
ECDSA secp256k1 (EOAs, EVM-equivalent) · Keccak-256 (EVM hashing) · Poseidon2 over KoalaBear (SP1 Hypercube zkVM internal) · SP1 STARK / FRI (validity proofs, hash-based, PQ-safe internally) · Groth16 / PLONK over BN254 (Gnark wrapping for L1 on-chain verification) · BLS12-381 KZG point-evaluation (Ethereum-blob DA, post-Arsia) · BLS12-381 BLS aggregation (EigenDA pre-Arsia, retired 2026-04-22) ECDSA secp256k1→ Shor-break-via-DL-without-pairingsKeccak-256→ Grover-weaken (256→128)Poseidon2 over KoalaBear (SP1 Hypercube internal)→ tier-4 research-grade hash, classically secure under random-oracle conjectureSP1 STARK / FRI inner proof→ PQ-safe internally (hash-based + FRI)Groth16/PLONK over BN254 (SP1 on-chain verifier)→ Shor-break-via-pairingsBLS12-381 (Ethereum-blob KZG commitment)→ Shor-break-via-pairingsBLS12-381 BLS aggregation (EigenDA, retired)→ Shor-break-via-pairings, historical exposure
0 PQ families deployed at consensus or settlement layer. The SP1 internal STARK is hash-based, but no hash-based or lattice signature scheme is deployed at user-signing or proposer/sequencer signing.
No NIST PQC primitive (ML-DSA, ML-KEM, SLH-DSA, Falcon/FN-DSA) deployed in any Mantle component.
SP1 has documented security model. Trusted setup uses Aztec Ignition (PLONK) and a Succinct-conducted Groth16 ceremony. SP1 audited by Cantina, KALOS, and Trail of Bits. OP Stack components audited by OpenZeppelin and Trail of Bits. No formal verification of Mantle-specific cryptographic glue.
2 Quantum Recovery Exposure weight 8% 30 / 100
EVM EOA model, pubkeys revealed at first spend. MNT-denominated treasury inherited from BitDAO holds approximately $4.6B. Bybit-aligned institutional flows concentrate risk at fewer key custodians.
Cold EOAs that have never spent retain Keccak-of-pubkey protection. Mainnet alpha launched 2023-07-17; cold-key horizon is ~3 years.
Historical ECDSA signatures, sequencer batch-posting signatures on L1, and proposer state-root signatures are all forgeable post-Shor. Pre-Arsia EigenDA attestations remain in historical record.
Sequencer-to-Ethereum batch submission and Mantle RPC endpoints terminate TLS using classical X25519/ECDH and RSA. No declared hybrid-KEM transport.
3 Metadata, Anonymity & Confidentiality weight 8% 22 / 100
Transparent EVM. Pseudonymous addresses; full tx graph linkable on Mantle explorer.
Top-3 RPC concentration high, Mantle-operated RPC plus Alchemy and QuickNode. Single centralised sequencer = full mempool observability for the operator.
Mantle Native Bridge (canonical), LayerZero-based Stargate, Wormhole. Source-to-dest correlation observable. Bybit-aligned exchange flows correlate further.
No native privacy layer; baseline EVM. Shor on secp256k1 exposes signed-history attribution.
None at protocol level.
4 Migration Architecture weight 15% 56 / 100
Three-plus substantive architectural swaps: BitDAO→Mantle (2023); MantleDA→EigenDA via 2025-03-19 hard fork; Optimistic→ZK validity rollup via OP Succinct on 2025-09-16; Arsia hard fork on 2026-04-22 (v1.5.4) which retired EigenDA in favour of Ethereum-blob DA. Four major coordinated upgrades inside ~3 years on a custom OP Stack fork.
Inherits ERC-4337. EIP-7702 enabled at Mantle protocol level via Arsia upgrade (2026-04-22), including SetCodeTx transaction type and RequestsHash block-header field.
Mantle V2 hardforks shipped to mainnet: BaseFee, Everest, Euboea, Skadi, Limb, Arsia. Plus OP Succinct ZK activation (2025-09-16) and EigenDA integration (2025-03-19). All coordinated, no contested forks.
No hybrid composition (AND or OR) declared. No commit-to-hash pattern documented. No PQ signature scheme selected. Hybrid is architecturally possible via EIP-7702-delegated smart accounts but Mantle has not specified a path.
N/A by default, no stateful hash schemes (XMSS, LMS) in scope. Default credit.
Mantle's own consensus is a single permissioned sequencer; no BFT-with-BLS-aggregation. Inherited Ethereum L1 BLS12-381 aggregation external. No 4f path declared at Mantle's surface.
5 Deployment Execution weight 22% 14 / 100
Zero PQC signing on Mantle mainnet. All EOA signing is ECDSA secp256k1; sequencer and proposer keys are ECDSA on Ethereum L1; SP1 verifier on L1 is BN254 SNARK.
No PQC code merged in Mantle V2 client repos, Mantle OP Succinct fork, Mantle Succinct Proposer, or any operator-side service.
Single permissioned sequencer (EOA 1) and single permissioned proposer (EOA 2). No PQC keys.
VOIDED per v3.1 because 5a = 0. Published milestones (sequencer decentralisation, ZK throughput, MI4 fund) are non-PQC.
Announced PQC trailing 12 months from official Mantle channels: 0. Shipped PQC bytes signed under named primitive: 0. No washing. Light deduction reflects total absence of PQ posture (no announcement at all is its own signal).
No PQ scheme selected; no published bytes-per-block analysis. Undisclosed → 0.
6 Supply Chain Vendor Readiness weight 25% 17 / 100
Top-3 by Mantle user volume: MetaMask, OKX Wallet, Bybit Wallet. 0 of 3 with public PQC roadmap.
Top-3: Mantle Native Bridge, LayerZero (Stargate), Wormhole. 0 of 3 with public PQC roadmap.
Top-3: Bybit Custody (BitDAO/Mantle treasury heritage), Fireblocks (Bybit alignment), BitGo. 0 with committed PQC roadmap; light credit for Fireblocks research stance.
RPC: Mantle-operated, Alchemy, QuickNode, none with public PQC roadmap. Bybit-aligned custody uses Fireblocks MPC, no PQ-MPC commitment. SP1 proving network does not require TEE.
7 Governance & Coordination weight 10% 36 / 100
Single permissioned sequencer (EOA 1) and single permissioned proposer (EOA 2). No client diversity. Nakamoto coefficient = 1 at L2 surface.
Four major coordinated migrations shipped without rollback or contested fork. Strong upgrade muscle on a custom OP Stack fork.
Mantle Foundation + Mantle Governance (MNT token holders). Engineering coordination via MantleSecurityMultisig (6/14) and MantleEngineeringMultisig (3/7). Bybit alignment provides additional coordination capacity but introduces vendor concentration. No publicly named PQC working group.
BitDAO treasury governance has been contentious historically (early Bybit-DAO tension) but functioned through formal proposals. No precedent for coordinated cryptographic change under active attacker pressure.
No PQ-specific canary, honeypot, rate-limited spending rule, or cryptographic tripwire.
X + Y vs Z, when does the math turn against you?
v3.1 demotes the X+Y vs Z timing test to a secondary signal, the headline output is Migration Stage. The timing test still answers the question: can this chain finish migrating before the threat lands?
Verdict
X+Y reaches 13-25 years; Crisis Zone (vs Z10 2030); Outside risk window (vs Z25 2035)
Z-compliance
Outside compliance window for NIST 2030/2035
Source-disagreement disclosure
v3.1 requires every chain card to publish material divergences among authoritative sources, plus the delta-QRI under alternative weighting.
L2BEAT classifies Mantle (post-Arsia) as a rollup with onchain DA on Ethereum and validity-proof state validation. Some third-party analytics still describe Mantle as modular L2 with EigenDA using documentation snapshots taken before 2026-04-22. Authoritative current state: Ethereum DA, OP Succinct ZK validity proofs.
SP1 marketing materials describe STARKs as post-quantum secure proof generation (true at the FRI/STARK layer internally). The on-chain verifier is Groth16 or PLONK over BN254 (not PQ-secure). LayerQu reads the on-chain anchor as the binding security claim.
Delta-QRI under alternative weighting
Alternative-weighting that credited SP1-internal-STARK as a PQ family would raise Dim 1 1c by ~5 points, lifting raw QRI to ~28; immaterial against the Stage 0 / Band 2-3 outcome.
Announcement-to-shipped ratio
Announced: 0. Shipped: 0. Ratio: 0.
Tag: none, silence rather than narrative; honest absence
Peers in the rollup-L2 profile
9 chains closest to Mantle by Stage then QRI.