Inventory well-documented and specific.

Every signature-bearing primitive in the live stack and approved successor stack is Shor-vulnerable. No PQ-safe primitive is in protocol use.

Families in active core protocol: 0 PQ families (Ed25519/BLS12-381 both classical-DL/pairing). The Solana Winternitz Vault deploys hash-based family on mainnet as opt-in third-party Solana program, not native, not core, app-level only. Anza and Firedancer have published initial lattice (Falcon) implementations in their GitHub repositories as of January 2026; not deployed. Counting only protocol-level live PQ families, total is 0. We score 5 to credit the opt-in hash-based program without inflating to 'hash-only mainnet'.

Ed25519 → 128-bit classical, 0 NIST-PQC category; BLS12-381 → ~128-bit classical, 0 NIST-PQC; SHA-256 → ~128-bit post-quantum (Grover-weaken). No NIST PQC scheme is mapped at protocol level. Falcon (FN-DSA) is referenced in client implementations but not deployed.

Ed25519 implementations in Agave (ed25519-dalek, Rust) and Firedancer (C/C++) are constant-time per upstream library convention; no machine-checked formal verification of validator-client signing path published; Keccak-256 syscall well-tested in production; BLS12-381 introduced via Alpenglow inherits standard production libraries; no published cryptanalytic-tier audit chain specific to Solana clients. Cryptanalytic maturity tier 1 (classical ECC + SHA-2).

100% of Solana accounts use the Ed25519 public key directly as the 32-byte address (no hash wrapper). Every account that has ever received or sent funds has its full public key on-chain by definition. There is no P2PKH-equivalent protection. Full TVL is post-Shor forgeable.

Same exposure profile as 2a, there is no architectural distinction between 'moved' and 'unmoved' coins; the public key is the address whether the account has signed once or never. Lost / dormant SOL is fully exposed.

Solana transactions are typically single-purpose authorizations rather than long-lived contractual artifacts. Historical signature replay does not create new spend authority because nonce/recent-blockhash binding expires. Long-term forgery risk concentrates on key-not-rotated accounts (very common) rather than on stored signatures.

Validator gossip (UDP-based Turbine, Gossip), QUIC (TLS 1.3) for transaction submission, and HTTPS RPC endpoints at top providers all use classical X25519 / RSA / ECDH key exchange. No hybrid PQ KEM declared in the validator stack or RPC layer. No mempool encryption of public-mempool content (mempool is public). HNDL surface is bounded but undeclared.

Pseudonymous, fully transparent. Every transaction, account, and program interaction is publicly readable from any RPC node or block explorer. No protocol-level shielding.

RPC layer is concentrated among Helius, QuickNode, Triton One. No public per-provider stake-weighted percentages are foundation-published. Mempool is observable via leader-schedule TPU forwarding (no encrypted mempool). Validator metadata retention policies are not protocol-mandated.

Wormhole, deBridge, and the legacy Portal flow expose source-to-destination transactions in the clear. Passive observers can link cross-chain flows trivially because both sides are public.

Because the chain is already pseudonymous-transparent, a Shor break does not expose meaningfully more than is already public. Retroactive privacy regression is small relative to chains with on-chain encrypted state.

No protocol-level mixnet, shuffle, or commit-reveal at consensus. Application-layer privacy tools (Light Protocol compressed accounts, Elusiv historically, defunct since 2024) do not score here for protocol-level credit.

Ed25519 is hard-coded in the protocol; adding a new signature type requires a SIMD + validator-client upgrade + feature gate. Alpenglow (SIMD-0326, approved September 2025 governance vote) demonstrates the chain can change consensus signatures (Ed25519 votes → BLS12-381 aggregates), establishing one production-track example of signature-scheme switch. No general-purpose signature-algorithm switch primitive at the account layer.

Solana has no native account abstraction in the EIP-7702 sense. Program-Derived Addresses (PDAs) provide program-controlled signing but do not provide arbitrary user-key rotation under a stable address. New signature schemes for users would require a new address format. Client-layer Falcon implementations in Anza and Firedancer GitHub repos are research-stage, not deployed.

Coordinated upgrades via feature gates and SIMDs in last 3 years. History of network outages 2022-2023 is operational, not governance. Recent governance has been tractable (Alpenglow approved by stake-weighted referendum).

Transaction size constraints (raised toward 4,096 bytes per recent SIMD work) accommodate larger signatures. No published hybrid-envelope spec. Phantom and Ledger reportedly host developer builds with dual Ed25519 + Dilithium keypairs (referenced in third-party coverage), but no foundation-confirmed dual-signature wallet path on mainnet.

Falcon (announced target) is stateless (full credit by default per v3.1 rule). The Winternitz Vault is stateful one-time but app-level and out of consensus scope.

Solana under Alpenglow (SIMD-0326, approved September 2025) introduces BLS12-381 aggregate consensus signatures via Votor. This brings Solana into Dim 4 4f scope. No PQ-safe successor for the aggregation path is declared (no hash-based + SNARK pathway, no MPC consensus alternative, no staged-PQ-checkpoint declaration). The Falcon roadmap (announced 2026-04-27) addresses account-level signing, not consensus aggregation.

Mainnet PQC %: <0.1%. The Solana Winternitz Vault (Blueshift) is deployed on mainnet as an opt-in third-party program; Google Quantum AI cited it in 2025 as an example of a deployed quantum-resistant primitive on a major chain. Volume is a tiny fraction of Solana's tx flow. No protocol-level PQC traffic.

Anza and Firedancer have committed initial Falcon implementations to GitHub since at least 2026-01-27. Code is present but not enabled, not behind a live feature gate, not running in mainnet consensus.

0% of stake operates a PQC validator key. All validator votes are Ed25519 today; under Alpenglow, BLS12-381.

The 2026-04-27 Solana Foundation post outlines a three-phase plan but publishes no dated milestones and explicitly states 'no change is required today or likely anytime soon.' Per v3.1 rule 5d is voided to 0 because 5a = ~0.

Trailing 12-month announcement count (foundation post + two-team Falcon convergence + Project Eleven testnet partnership + Winternitz Vault citation by Google Quantum AI ≈ 4 announced items). Shipped on mainnet under named primitive: 1 (Winternitz Vault, opt-in, low volume). Ratio ≈ 4/1. Above the 1.5 threshold (10pt deduction); below the 2.0 threshold (QRI cap 65).

Ed25519 signatures are 64 bytes. Falcon-512 signatures are ~666 bytes (~10× Ed25519); Falcon public keys are 897 bytes (~28× Ed25519 public key). ML-DSA at 2,560-byte signatures (~40× Ed25519) and SLH-DSA at 7,856 bytes (~123× Ed25519). Project Eleven testnet experiments reportedly observed PQ signatures '20-40× heavier' than current signatures. Reference falls into 5-10× band for Falcon-only; 10-38× for ML-DSA. Score 10 (5-10× midband) anchored to the announced primary candidate Falcon.

Top-3: Phantom, Solflare, Backpack. Third-party coverage cites Phantom and Ledger 'developer builds' with dual Ed25519 + Dilithium keypairs; not foundation-confirmed and not on the official Phantom roadmap page. Solflare and Backpack: no published PQC roadmap. Ledger has stated PQC research interest but no production Solana Falcon support.

Top-3: Wormhole, deBridge, Portal/Allbridge. No published PQC roadmaps from any. Bridge classical-ECDSA / Ed25519 signing is unchanged.

Top-3 by visible Solana flow: Coinbase Custody, Fireblocks, BitGo. Fireblocks has published PQC research material; no production PQC custody for Solana. Coinbase Custody and BitGo: no Solana-specific PQC roadmap.

Top-3 RPC: Helius, QuickNode, Triton One, no PQC roadmaps. HSM vendors (Ledger HSM, Thales) and TEE attestation chains used in MEV / oracle paths: no Solana-specific PQC declarations.

Nakamoto coefficient ≈ 20 (held stable through 2025-2026 per third-party trackers). Client diversity has improved: Agave/Jito-Agave family, Frankendancer (Firedancer networking + Agave runtime), full Firedancer (C/C++) live mainnet December 2025, Sig (Zig, Syndica, reads-optimized). Largest single client family (Agave-derived Jito) commands a large share, concentration risk persists.

Recovered from 2022-2023 outages, executed feature gates routinely, and ratified Alpenglow via stake-weighted referendum in September 2025.

Solana Foundation + Anza (the Solana Labs successor entity) + Firedancer (Jump Crypto) co-coordinate. The 2026-04-27 quantum-readiness post is foundation-published with both teams aligned on Falcon. No single named PQC working-group lead with a published mandate.

Post-FTX recovery (2022) and validator-coordination across multiple outages demonstrate pressure-response. No PQC-specific adversarial coordination test.

No published canary, honeypot, or rate-limited spending rule for quantum compromise. Project Eleven Q-Day prize is an industry-wide bounty, not a Solana-embedded tripwire.