OASIS NETWORK · privacy-L2 · QRI 13 · BAND 2 Acknowledged Hybrid FAIL · Stage 0 · Washing 1x

Oasis sells privacy via Intel SGX, not via cryptography. That feels reassuring right up to the moment you notice the attestation itself is ECDSA. Break the attestation, forge the enclave, and the historical sealed state is no longer sealed by anyone you can verify.

Verified 2026-04-18

Summary

Oasis Network treated as privacy-L2 (TEE-based privacy via Sapphire + ROFL). Band 2 (Acknowledged). Unique exposure profile: privacy rests on Intel SGX attestation (ECDSA) rather than crypto primitives. Quantum break of ECDSA forges attestations, potentially unsealing historical confidential state. Zero PQC work. EU DAC8 (Jan 2026) creates demand but no PQC response.

What the gates say

  • Hybrid: FAIL. No hybrid plan on file.
  • Evidence: PASS. Sources reconstructable by third party.
  • Primitive naming: PASS. Named primitives at every scored sub-level.

Burn-vs-rescue policy on file

undeclared

Seven dimensions

Each dimension scores 0-100 internally; the weighted roll-up produces the QRI on the left. Open a row to read the sub-score detail.

1 Cryptographic Exposure 30 / 100
1a_primitive_inventory 12 / 20

TEE-based privacy is non-crypto — SGX attestation uses RSA/ECDSA.

Primitives: Ed25519 (consensus + tx) · SHA-512 · Intel SGX attestation (ParaTime TEE)
Evidence: Oasis docs
1b_shor_grover_pq_tag 12 / 20
1c_algorithm_family_diversity 0 / 20
1d_nist_security_category 0 / 20
1e_implementation_quality 6 / 20
Evidence: github.com
2 HNDL Exposure 20 / 100
2a_active_key 3 / 20

Ed25519 pubkey exposed.

2b_cold_key 3 / 20

Same.

2c_sig_long_term 7 / 20

Tx-once.

2d_encryption_conf 7 / 20

SGX-based confidential compute — if SGX cracked OR underlying attestation ECDSA broken, historical sealed data is at risk.

3 Metadata & Privacy Exposure 45 / 100
3a_graph_visibility 15 / 20

Sapphire confidential EVM conceals tx-level state but not tx graph at consensus layer. Metadata (sender/receiver/amount) visible depending on Sapphire vs Cipher ParaTime.

3b_rpc_concentration 10 / 20

Oasis Foundation-operated RPC heavy.

3c_bridge_correlation 10 / 20

Bridges to Ethereum; correlation possible at bridge endpoints.

3d_retroactive_deanon 10 / 20

TEE privacy is a different profile: confidentiality rests on SGX seal keys + attestation. If ECDSA attestation breaks, historical attestations are forgeable and sealed state is potentially reconstructable. Lower than pure-crypto privacy but non-trivial.

4 Migration Architecture 25 / 100
4a_crypto_agility 5 / 20

ParaTime modular but core Ed25519 fixed.

4b_aa_key_rotation 7 / 20

Standard Cosmos/Oasis keys.

4c_hard_fork_track_record 8 / 20

Multiple upgrades since 2020.

4d_hybrid_deployment_readiness 5 / 20

ParaTime could host PQC ParaTime in theory.

5 Deployment Execution 0 / 100
5a_mainnet_pqc_pct 0 / 20
5b_pqc_code_in_consensus 0 / 20
5c_validator_pqc_keys 0 / 20
5d_published_milestones 0 / 20
5e_pqc_washing_delta 0 / 20
6 Supply Chain Vendor Readiness 5 / 100
6a_wallet 2 / 20
6b_bridge 1 / 20
6c_custodian 1 / 20
6d_rpc_hsm 1 / 20
7 Governance & Coordination 30 / 100
7a_validator_stake_distribution 5 / 20

~120 validators.

7b_upgrade_cadence_under_pressure 8 / 20

Sapphire, ROFL AI rollouts.

7c_named_coordination_lead 10 / 20

Oasis Foundation (UC Berkeley founders).

7d_adversarial_coordination_precedent 7 / 20

No PQC or SGX-break precedent.

The X + Y vs Z inequality

X (data shelf life): 10-20 (confidential state shelf-life infinite if SGX sealed)

Y (migration time): 10-15

Z10 (10% CRQC year): 2036 · Z50 (50%): 2041

Verdict: X+Y > Z (danger).

Four-scenario grid

Scenario                          Value preserved   Privacy preserved
quantum never                     100%              100%
arrives suddenly pre migration    5%                20%
arrives slowly post migration     78%               55%
arrives slowly mid migration      30%               30%

Peers in the privacy-L2 profile

Order-book view of the 5 chains closest to Oasis Network by QRI.

Public artifacts used for this scorecard

Each entry below is a sub-score citation. Clicking the link takes you to the public source. A third party should be able to reconstruct every number on this page from these URLs in 48 hours.

Cryptographic Exposure · 1a_primitive_inventory

TEE-based privacy is non-crypto — SGX attestation uses RSA/ECDSA.

Cryptographic Exposure · 1e_implementation_quality

Supply chain snapshot

wallet Oasis Wallet · MetaMask (Sapphire) · Keplr 0 PQC roadmaps
bridge Oasis Bridge · Wormhole · Celer 0 PQC roadmaps
custodian Coinbase Custody · BitGo · Fireblocks 0 PQC roadmaps
rpc_hsm Oasis RPC · Figment · Ankr 0 PQC roadmaps

A chain's supply chain cannot migrate faster than its slowest dependency. Zero PQC roadmaps in any of the four categories is a structural blocker, not a lagging indicator.

Analyst notes on the scoring

TEE-privacy retroactive-deanon profile is different from zk-privacy: SGX seal keys themselves are independent of Shor. However, SGX attestation relies on ECDSA/RSA which Shor breaks, allowing forged attestations — less severe than a ring-signature Shor-break but still material. Scored 3d=10/25.

Scorecard metadata

  • Profile: privacy-L2
  • Scored: 2026-04-18 by layerqu-v2-scoring-agent-4
  • v1 reference: chainscreen-v1-archive
  • QRI raw: 15 · after caps: 13
  • Confidence interval: ±15
  • PQC washing ratio: 1x
  • Burn-vs-rescue: undeclared

Caps triggered

  • Mosca (5a<20%)
  • Sutor (5d=0)
  • Preskill (<3 artifacts several dims)
  • Casado
  • Hybrid gate FAIL → QRI cap 60
LayerQu · Oasis Network scorecard v2 · reconstructs from public evidence