What it is. This is a fast Ethereum side-network that its operator is shutting down, with transactions ending in July 2026 and the window to pull your money back to Ethereum closing at the end of 2027.
What we found. It often gets called quantum-proof because of how it packages its math, but the final receipt it files on Ethereum uses the old kind of cryptography a quantum computer could break, and there is no time left to fix that before the network closes.
Why it matters. Anyone with funds here should move them to Ethereum well before the deadlines, and the bigger worry is that the permanent record of past activity already filed on Ethereum could one day be forged by a future quantum computer.
Rollup-L2 in announced sunset (Polygon Labs forum, 2025-06-11). Sequencer scheduled to stop 2026-07-01; bridge claim window closes 2027-12-31. The eSTARK inner prover is FRI-based and PQ-conjectured, but the recursion-final wrap is a Groth16/FFLONK SNARK over BN254, Shor-vulnerable at the L1 settlement path. No PQ migration is plausible inside the sunset window.
Summary
Polygon zkEVM is a rollup-L2 in announced sunset (Polygon Labs forum, 2025-06-11). The sequencer is scheduled to stop 2026-07-01; the bridge claim window closes 2027-12-31. As of 2026-05-01 the chain is operational with TVS ~$9.6M per L2BEAT. User signing inherits Ethereum's ECDSA secp256k1 + Keccak-256. The proof stack uses a FRI-based eSTARK inner prover (Poseidon hash, Goldilocks-class field, PQ-conjectured) but wraps to a Groth16/FFLONK SNARK over BN254 for on-chain verification on Ethereum L1, which is Shor-vulnerable; the popular framing of STARK-based therefore PQ-safe is wrong for the L1 settlement path. Migration Stage: 0 (Unaware in operational sense; sunset before migration). Raw QRI: 19. After-cap QRI: 19 (caps non-binding because raw is below cap ceilings). Confidence interval: plus-minus 12. Band: 2 Acknowledged. Key uncertainties: (a) prover-stack identity in popular sources mis-tags the chain as STARK-based without the BN254-wrap caveat; (b) historical Groth16-over-BN254 validity proofs lose retroactive soundness post-Shor regardless of the sunset; (c) no PQ migration is plausible inside the sunset window.
What the gates say
- Gate 1a, Hybrid signature: FAIL , no documented hybrid signature composition for user signing or operator submission
- Gate 1a, Hybrid KEM: FAIL , no documented hybrid KEM composition for any encryption surface
- Gate 1b, Commit-to-hash: COND , no OR-composition declared
- Gate 2, Evidence reconstruction: PASS , every sub-score reconstructible from public artifacts
- Gate 3, Primitive naming: PASS , every primitive named: ECDSA secp256k1, Keccak-256, BN254, Groth16, FFLONK, Plonky2, Plonky3, FRI, Poseidon, eSTARK
Burn-vs-rescue policy on file
Declared option f, Forced exit + L1 claim (analogue of rate-limited canary, but a chain-wind-down plan). Forced-tx escape hatch was made permanent at sunset announcement (2025-06-11); after sequencer stop 2026-07-01 a structured claim interface allows L1 recovery of bridged assets through 2027-12-31. This is not a PQ-recovery plan, it is a chain-wind-down plan that happens to make PQ recovery moot for live value. Historical chain history is undeclared for any PQ-recovery, retro-proof-rewrap, or freeze policy.
Seven dimensions
Each dimension scores 0–100 internally; the weighted roll-up produces the QRI.
1 Cryptographic Exposure weight 12% 28 / 100
Polygon Labs July 2024 Plonky3 announcement frames Plonky3 as toolkit for builders, NOT as Polygon zkEVM Mainnet Beta deployment; mainnet prover is Hermez-derived eSTARK-then-SNARK pipeline.
ECDSA secp256k1 (EOA signatures, inherited from Ethereum) · Keccak-256 (hashing, Merkle-Patricia tries, address derivation) · eSTARK / FRI (inner prover; hash-based polynomial commitment over Goldilocks-class field with Poseidon hash) · Groth16 over BN254 (on-chain verifier on Ethereum, EIP-196/197 precompiles) · FFLONK over BN254 (proof-wrapping/aggregation in Hermez 2.0 era) · Poseidon (hash inside FRI) ECDSA secp256k1→ Shor-break-via-DL-without-pairingsKeccak-256→ Grover-weaken (256→128-bit)BN254 pairing (on-chain SNARK verifier)→ Shor-break-via-pairingsGroth16 over BN254→ Shor-break-via-pairingsFFLONK final-wrap (KZG-style over BN254)→ Shor-break-via-pairingseSTARK / FRI inner-prover→ PQ-conjectured (FRI relies only on hash collision-resistance)SHA-256 / Keccak (L1 settlement)→ Grover-weaken
0 PQ families deployed on user-signing or L1-verification path. The FRI-based eSTARK inner prover is PQ-conjectured but is wrapped to a BN254 SNARK before L1 verification.
No NIST FIPS 203/204/205 PQC primitive deployed. No public NIST-category mapping in Polygon's documentation.
zkProver and Hermez circuits audited by external firms during deployment phases; no machine-checked formal proofs published. Standard go-ethereum / libsecp256k1 wrappers. Cryptanalytic tier: tier 1 for ECDSA/Keccak/SHA-2; tier 2 for BN254 pairing; tier 4 for Poseidon. With sunset announced, BLS12-381 migration is not plausible.
2 Quantum Recovery Exposure weight 8% 19 / 100
EOAs use ECDSA secp256k1; pubkey revealed on first tx. Sequencer stop 2026-07-01 bounds active-exposure window to ~2 months.
Mainnet beta live since 2023-03-27 (~37 months). After 2026-07-01 the L1 escape hatch is the only recovery path; claim window closes 2027-12-31.
Sequencer batch-poster ECDSA signatures and the historical record of Groth16/FFLONK validity proofs already posted to Ethereum L1 are forgeable post-Shor. A CRQC can construct fake proofs that pass the historic verifier, undermining retroactive soundness.
Sequencer endpoints and public RPC use standard TLS (X25519/P-256 ECDHE + AES-GCM). No documented hybrid PQ KEM.
3 Metadata, Anonymity & Confidentiality weight 8% 15 / 100
Pseudonymous transparent EVM ledger; full transaction graph public via standard block explorers.
Polygon Labs operates the single sequencer and single aggregator for Mainnet Beta (Nakamoto coefficient = 1). Public RPC concentrated. Forced-tx escape hatch permanently enabled at sunset announcement (2025-06-11).
Canonical Polygon zkEVM Bridge. Third-party bridges (LayerZero, Stargate, Hop). Post-sunset migration funnels remaining value through ui.agglayer.dev to L1.
ECDSA Shor-breaks address pseudonymity. Validity proof rests on pairing-hard assumptions; CRQC can re-prove arbitrary historical state transitions that the L1 verifier still treats as valid.
No on-chain mixer integrated.
4 Migration Architecture weight 15% 40 / 100
EVM-equivalent and inherits Ethereum precompiles but no documented mechanism to swap on-chain SNARK verifier (Groth16-over-BN254) without hard fork. Chain in announced sunset.
Supports ERC-4337. EIP-7702 inheritance from Pectra is in principle inheritable but not documented as activated. With sunset announced, upgrade window has effectively closed.
Multiple coordinated upgrades during operational life (Etrog, Elderberry, Feijoa). Sunset decision was unilateral Polygon Labs determination rather than DAO vote.
ERC-4337 + EVM-equivalence make hybrid signature paths theoretically constructible but no spec, prototype, or audit. Sunset trajectory removes practical incentive.
Default-pass per v3.1 rule (no stateful hash scheme).
N/A, centralized-sequencer rollup; no permissionless BFT consensus with BLS aggregation at L2.
5 Deployment Execution weight 22% 14 / 100
Zero PQ signatures observed. No PQ KEM in TLS termination documented. On-chain validity-proof verifier is Groth16 over BN254.
Greps of 0xPolygon/zkevm-node, 0xPolygonHermez, 0xPolygonZero return no ML-DSA, ML-KEM, SLH-DSA, Falcon, XMSS, or SPHINCS+ implementations in zkEVM operator/aggregator path. Plonky2/Plonky3 code exists in 0xPolygonZero repos but is Type-1 prover research line, not deployed in Mainnet Beta.
No permissionless validators on Polygon zkEVM Mainnet Beta, sequencer and aggregator operated solely by Polygon Labs. Operator keys are ECDSA secp256k1.
VOIDED to 0 per v3.1 (5a = 0). Only chain-wide dated milestones are sunset milestones (2025-06-11, 2026-07-01, 2027-12-31).
Trailing 12mo Polygon zkEVM scope: 0 PQC announcements. Shipped 0. Plonky3 production-readiness announcement (2024-07) is PQ-adjacent but explicitly framed as toolkit. Conservative half-point deduction reflects general-purpose blog cadence around Plonky3.
Voided per Gate 2, no PQ signature deployed.
6 Supply Chain Vendor Readiness weight 25% 5 / 100
Top-3: MetaMask, Rabby, Coinbase Wallet (plus Trezor/Ledger). None has shipped PQ signature support to mainnet.
Top: canonical Polygon zkEVM Bridge, LayerZero, Stargate, Hop. No PQ roadmap. Bridge migration through ui.agglayer.dev.
Top-3: Coinbase Custody, Fireblocks, BitGo, Anchorage. No public PQC roadmap mainnet-deployed for Polygon zkEVM signing.
Top RPC: Alchemy, Infura, QuickNode, Ankr. HSMs: AWS KMS, Thales, YubiHSM, Ledger HSM. No PQ TLS in production at any of these endpoints for Polygon zkEVM.
7 Governance & Coordination weight 10% 28 / 100
Single sequencer + single aggregator at Polygon Labs (Nakamoto coefficient = 1 for both). Single-stack client diversity.
Multiple coordinated upgrades during operational life (Etrog, Elderberry, Feijoa). Sunset coordination executed cleanly. Decisions unilateral Polygon Labs determinations rather than community-vote-based.
Polygon Labs is named coordination authority. Sandeep Nailwal named CEO. No PQ-specific coordination lead.
No PQC-specific event. Non-PQ incidents (sequencer downtime, prover bugs) handled under unilateral Polygon Labs operator response.
No PQ-canary, no rate-limit tripwire, no consensus-embedded cryptographic tripwire.
X + Y vs Z, when does the math turn against you?
v3.1 demotes the X+Y vs Z timing test to a secondary signal, the headline output is Migration Stage. The timing test still answers the question: can this chain finish migrating before the threat lands?
Verdict
Sunset before migration, chain ends before Z10/Z25 anchors apply; retroactive soundness exposure of historical L1 validity proofs remains
Z-compliance
Sunset before NIST 2030/2035 deadlines but historical L1-posted Groth16 proofs lose retroactive soundness post-Shor
Source-disagreement disclosure
v3.1 requires every chain card to publish material divergences among authoritative sources, plus the delta-QRI under alternative weighting.
Some general-audience explainers describe Polygon zkEVM as STARK-based and conclude the chain is therefore post-quantum safe. This is misleading: the inner prover is FRI-based (PQ-conjectured), but the recursion-final SNARK posted to Ethereum L1 is Groth16/FFLONK over BN254 (Shor-vulnerable).
Some external coverage conflates Plonky3's production-readiness (toolkit, July 2024) with deployment in Polygon zkEVM Mainnet Beta. Polygon Labs explicit framing: Plonky3 is a toolkit; the zkEVM mainnet prover is the Hermez eSTARK pipeline.
Delta-QRI under alternative weighting
Re-weighting that gives more credit to FRI-based inner prover is PQ-conjectured (e.g., +5 to Dim 1 1c) lifts raw QRI by ~0.6. Even under aggressive alternative weighting the chain remains in Band 2.
Announcement-to-shipped ratio
Announced: 0. Shipped: 0. Ratio: 0.
Tag: none, Polygon Labs has not promised PQ on Polygon zkEVM and has not shipped PQ on Polygon zkEVM. The Plonky3 production-readiness announcement (2024-07) is for the prover toolkit, not for Polygon zkEVM mainnet.
Peers in the rollup-L2 profile
9 chains closest to Polygon zkEVM by Stage then QRI.