What it is. Metis runs on top of Ethereum to make transactions cheaper, and instead of letting one operator decide the order of transactions, it hands that job to a fixed group of approved operators who sign off together.
What we found. That shared sign-off is the chain's selling point, but the locks the operators use to sign are the same ones a mature quantum computer is expected to pick. An independent reviewer also puts Metis below the lowest maturity tier, because the approved group is small enough to gang up and rewrite what happened.
Why it matters. Metis spent real effort on who gets to sign, and none on whether those signatures hold up against a quantum attacker. So the work that makes it look safer than rival chains today is the same work that goes first when that attacker arrives, leaving the money and the contracts on it exposed.
Hard fork of the Optimistic Ethereum protocol with a permissioned Tendermint-based decentralized sequencer pool launched 2024-03-14, plus an MPC module signing batch commitments to Ethereum L1. Genuine structural improvement over single-sequencer rollup-L2s, but every primitive across the stack remains classical ECC.
Summary
Metis is a hard fork of the Optimistic Ethereum (OVM/OP Stack) protocol, mainnet-live as Andromeda since November 2021. Andromeda's defining feature is a permissioned Tendermint-based decentralized sequencer pool launched 2024-03-14, with an MPC module signing batch commitments to Ethereum L1. A second chain, Hyperion, is on testnet (announced February 2025) and remains pre-mainnet as of evidence cutoff. The independent rollup-stage tracker classifies Andromeda as not even Stage 0 with critical permissioned dependencies in fraud proofs and state-root deletion. No public artifact names any post-quantum primitive in any Metis subsystem; no PQC roadmap has been published by the foundation. Cryptographic primitives in active use are ECDSA secp256k1 (sequencer registration uses uncompressed secp256k1 public keys), Ed25519 (Tendermint default consensus signing), Keccak-256 (EVM hashing), and an unspecified threshold-ECDSA MPC scheme for L1 batch submission. Raw QRI: 12. After-cap QRI: 12. Band: 2 Acknowledged. Migration Stage 0. Key uncertainties: the specific MPC threshold-ECDSA protocol (GG20 / CGGMP21 / DKLS) is not publicly disclosed; specific Tendermint version/fork is not named in indexed docs; Hyperion's mainnet launch date and consensus primitives remain undocumented at primitive level.
What the gates say
- Gate 1a, Hybrid signature: FAIL , no hybrid signature composition AND or OR documented in any Metis subsystem; no PQ scheme declared
- Gate 1a, Hybrid KEM: FAIL , sequencer P2P, MPC↔L1, and RPC TLS use classical X25519/ECDH/RSA; no hybrid-KEM transport
- Gate 1b, Commit-to-hash: COND , Gate 1a-Sig has not declared OR-composition
- Gate 2, Evidence reconstruction: PASS , every sub-score has ≥3 public artifacts within 48-hour reconstruction window
- Gate 3, Primitive naming: PASS , primitives named where deployed: ECDSA secp256k1, Ed25519, Keccak-256, threshold-ECDSA MPC
Burn-vs-rescue policy on file
Declared option f, Undeclared. No published Metis Foundation position on what happens to ECDSA-signed assets, MPC-signed batches, or Ed25519-signed Tendermint state in a post-Shor world. Neither freeze, STARK rescue, hybrid client-layer migration, rate-limit, nor optional migration has been articulated.
Seven dimensions
Each dimension scores 0–100 internally; the weighted roll-up produces the QRI.
1 Cryptographic Exposure weight 12% 21 / 100
Public sequencer-resources registry schema requires 128-hex-character public key after stripping 04 prefix, uncompressed secp256k1. MPC protocol name (GG20, CGGMP21, DKLS, or other threshold-ECDSA construction) is not publicly disclosed.
ECDSA secp256k1 (sequencer registration, uncompressed; EOAs) · Keccak-256 (EVM hashing) · Ed25519 (Tendermint default consensus signing) · MPC threshold-ECDSA (unspecified protocol; L1 batch submission) ECDSA secp256k1→ Shor-break-via-DL-without-pairingsEd25519 (Tendermint default)→ Shor-break-via-DL-without-pairingsKeccak-256→ Grover-weaken (256→128)MPC threshold-ECDSA (unspecified protocol)→ Shor-break-via-DL-without-pairings (inherits ECDSA hardness assumption)
0 PQ families deployed. Classical-only: ECC + Curve25519 via Ed25519 + Keccak-256.
No NIST PQC primitives deployed in any Metis subsystem (Andromeda or Hyperion).
Andromeda is a fork of the Optimistic Ethereum protocol. Cryptographic libraries inherit from go-ethereum and OP Stack; Tendermint Ed25519 follows Cosmos SDK upstream. The MPC module's protocol, library provenance, and audit history not publicly documented at primitive granularity. Fraud-proof system carries documented permissioned-collusion risk.
2 Quantum Recovery Exposure weight 8% 22 / 100
EVM-equivalent EOA model; pubkeys revealed at first spend. Andromeda mainnet live since November 2021 (~4.5 years). Sequencer addresses register full uncompressed secp256k1 pubkeys publicly.
Andromeda mainnet has accumulated cold EOAs since November 2021. Cold pubkeys remain hashed (Keccak of pubkey is the address); risk activates only post-spend.
Historical ECDSA signatures on Andromeda forgeable post-Shor. MPC-signed batches submitted to L1 ECDSA-derived. CometBFT consensus uses Ed25519 votes (Shor-broken via DL on Curve25519).
Validator and sequencer P2P transport, RPC endpoints (Metis RPC, Ankr, QuickNode), and operator-to-L1 submission paths use classical TLS. No declared hybrid-KEM transport in any indexed Metis source.
3 Metadata, Anonymity & Confidentiality weight 8% 24 / 100
Pseudonymous EVM, transparent ledger, full graph linkable via Andromeda block explorer.
Decentralized sequencer pool design genuinely distributes block production across registered sequencer operators (Artemis Finance, Enki Protocol, plus subsequent additions). Real distribution improvement over single-sequencer L2s, but the set is permissioned. Top-3 RPC providers concentrate retail traffic. Validator metadata retention undeclared.
Andromeda canonical bridge to Ethereum plus LayerZero and Connext. Source/dest correlation observable. Sequencer rotation events published on-chain.
No native privacy layer on Andromeda or Hyperion. Baseline EVM. Shor on secp256k1 exposes signed-history attribution but no encrypted payloads at L2 beyond TLS in transit.
None at protocol level on Andromeda. Hyperion documentation describes MEV-Resistant Ordering with Encrypted mempools & PBS as a planned feature, but unspecified and pre-mainnet.
4 Migration Architecture weight 15% 43 / 100
Andromeda has shipped multiple coordinated upgrades since 2021. Decentralized-sequencer rollout (March 2024) and subsequent sequencer-mining phase 2 (April 2024). Tendermint-based sequencer consensus in principle allows protocol-level signature changes coordinated through registered sequencer set without forcing user re-keying. ReGenesis (announced November 2025) restructures Andromeda + Hyperion + LazAI + ZKM + GOAT.
Andromeda is EVM-equivalent and inherits ERC-4337 from upstream Ethereum ecosystem. EIP-7702 inheritance status from Pectra hardfork (mainnet 2025-05-07) not explicitly confirmed for Andromeda. AA-only without documented PQ client path.
Coordinated upgrades documented across 2024-2025 including March 2024 decentralized-sequencer rollout (alpha, then phase 1, then phase 2 sequencer-mining), August 2025 Hyperion testnet launch, November 2025 ReGenesis architectural overhaul. No contested forks documented.
No hybrid PQC composition (AND or OR) documented anywhere in Metis stack. The MPC module gives operational experience with multi-party signing schemes, relevant background for eventual threshold PQ signatures, but is built on Shor-vulnerable threshold ECDSA.
N/A by default, no stateful hash schemes (XMSS, LMS) in scope.
Tendermint consensus running on Andromeda decentralized sequencer pool uses upstream Cosmos SDK Ed25519 signing per Tendermint defaults; no BLS aggregation in Metis-specific architecture. L1 batch submission signed by MPC module (threshold-ECDSA, unspecified protocol). No PQ-aggregation path declared.
5 Deployment Execution weight 22% 15 / 100
Zero PQC signing on Andromeda mainnet. All sequencer signatures, MPC L1 submissions, and EOA transactions use classical primitives. Hyperion is on testnet and likewise does not deploy PQ primitives.
No PQC code merged in mvm, metis-sdk, metis-sequencer-resources, or other MetisProtocol public repositories per repository scan via the GitHub organization listing.
Sequencer registry schema requires 128-hex-character (uncompressed secp256k1) public key; no PQ key field exists. Tendermint validator keys default to Ed25519.
VOIDED per v3.1 because 5a = 0. The published 2025/2026 roadmap covers Hyperion mainnet, ReGenesis, and AI/LazAI; PQC is not named.
Announced PQC trailing 12 months: 0. Shipped PQC: 0. No washing. Honest absence rather than narrative-only. Full credit.
No PQ scheme selected; no published bytes-per-block analysis.
6 Supply Chain Vendor Readiness weight 25% 9 / 100
Top-3 by Andromeda usage: MetaMask, Rabby, Trust Wallet. None has shipped PQC signing in production firmware/extension; no public PQC roadmap from any of the three.
Top-3: Metis canonical bridge, LayerZero, Connext. LayerZero has expressed PQ-readiness intent in general industry discussion but has not shipped PQ code.
Top-3 by Andromeda METIS holdings: Fireblocks, BitGo, Coinbase Custody. Coinbase has published PQ research direction; Fireblocks and BitGo: no shipped PQC roadmap for Metis keys.
Top-3 RPC: Metis RPC (foundation-operated), Ankr, QuickNode. No published PQC TLS/transport roadmap. HSMs and TEE attestation: no Metis-specific PQ readiness declared.
7 Governance & Coordination weight 10% 30 / 100
Permissioned decentralized sequencer pool with multiple registered operators (Artemis Finance, Enki Protocol, plus expanded). Tendermint consensus runs across registered sequencer set. Real distribution improvement over single-sequencer L2s, but set is permissioned (not permissionless), and MPC infrastructure documented as off-chain and not trustless.
Multiple coordinated upgrades shipped 2024-2025: decentralized sequencer alpha (March 2024), sequencer-mining phase 2 (April 2024), Hyperion testnet (August 2025), ReGenesis architectural overhaul (November 2025). No contested or stalled upgrades. No PQ-specific upgrade required, so no precedent for crypto-primitive change under deadline pressure.
MetisDAO Foundation; co-founders publicly identified as foundation leadership. No named PQC working group, lead engineer, or published PQ mandate. The foundation's published agenda centers on AI (Hyperion, LazAI) and ecosystem growth; PQC is not named.
Decentralized-sequencer rollout itself is a coordinated response to L2 single-sequencer centralization concern. No precedent for cryptographic-primitive change under active-attacker pressure. Fraud-proof system carries documented permissioned-collusion risk which has not been exercised adversarially.
No PQC tripwire, honeypot, or rate-limited spending rule declared.
X + Y vs Z, when does the math turn against you?
v3.1 demotes the X+Y vs Z timing test to a secondary signal, the headline output is Migration Stage. The timing test still answers the question: can this chain finish migrating before the threat lands?
Verdict
X+Y midpoint ~2046, Outside risk window (vs Z25 2035); Crisis Zone (vs Z10 2030)
Z-compliance
Outside compliance window, NIST IR 8547 disallows quantum-vulnerable PK by 2035; no Metis sunset commitment
Source-disagreement disclosure
v3.1 requires every chain card to publish material divergences among authoritative sources, plus the delta-QRI under alternative weighting.
Metis Foundation describes the decentralized-sequencer architecture as production-grade; the independent rollup-stage tracker classifies Andromeda as not even Stage 0 with critical permissioned dependencies (GameCreator/StateDeleter collusion path; permissioned MVM_Fraud_Verifier; off-chain MPC infrastructure described as not trustless).
MPC threshold-ECDSA scheme is described in foundation materials as MPC for sequencer coordination without naming the underlying protocol. No Metis-specific disclosure of GG20, CGGMP21, DKLS, Lindell, or other named threshold-ECDSA constructions. Primary primitive-level disclosure gap.
Delta-QRI under alternative weighting
+3, alternative-weighting that prioritized Dim 4 (architecture) over Dim 5 (deployment), recognizing Metis's MPC + Tendermint experience as transferable to threshold-PQ, would lift Metis's QRI to ~15.
Announcement-to-shipped ratio
Announced: 0. Shipped: 0. Ratio: 0.
Tag: none, no foundation post, blog, tweet, or technical document mentions post-quantum cryptography in any indexed source. Honest absence rather than narrative-only.
Peers in the rollup-L2 profile
9 chains closest to Metis by Stage then QRI.