SOLANA · L1 · QRI 20 · BAND 2 Acknowledged Hybrid FAIL · Stage 1 · Washing 1.2x

Solana's problem is structural and simple: the public key is the address. 100% of accounts fully exposed on first view, no hash wrapper. Project Eleven is testnet, Winternitz Vault is community opt-in, Helius itself says 'wait for efficient PQC schemes'. Nakamoto 31 does not save Ed25519.

inLinkedIn XPost ▼Scorecard JSON ⇆Compare Verified 2026-04-18

Summary

Solana is Band 2 (Acknowledged). Ed25519 + BLS tower BFT are fully quantum-exposed — 100% of accounts have pubkey = address, no hash protection. Project Eleven testnet partnership shows awareness; Winternitz Vault on mainnet is community-only and opt-in. No protocol-level PQC, no hybrid envelope, no published dated roadmap. Helius analysis suggests 'wait for efficient PQC schemes'. Mosca X+Y (15-25y) > Z50 (15y) = danger zone.

What the gates say

Hybrid: FAIL. No hybrid plan on file.
Evidence: PASS. Sources reconstructable by third party.
Primitive naming: PASS. Named primitives at every scored sub-level.

Burn-vs-rescue policy on file

undeclared

Seven dimensions

Each dimension scores 0-100 internally; the weighted roll-up produces the QRI on the left. Open a row to read the sub-score detail.

1 Cryptographic Exposure 38 / 100

1a_primitive_inventory 15 / 20

Good inventory from v1. BLS usage in tower BFT named by agent context.

Primitives: Ed25519 (EdDSA over Curve25519) · SHA-256 (Proof of History) · Keccak-256 (programs) · BLS (tower BFT)

Evidence: helius.dev · solana.com

1b_shor_grover_pq_tag 15 / 20

Evidence: helius.dev

1c_algorithm_family_diversity 2 / 20

Community Winternitz Vault is opt-in, not core. Zero families in core.

1d_nist_security_category 4 / 20

No NIST PQC category mapped — no PQC scheme in core.

1e_implementation_quality 10 / 20

Evidence: github.com

2 HNDL Exposure 22 / 100

2a_active_key 4 / 20

100% of Solana accounts have Ed25519 pubkey = address. No hash protection. Full TVL quantum-exposed.

Evidence: solana.com

2b_cold_key 4 / 20

100% exposed (same as active). No distinction between cold/hot.

2c_sig_long_term 8 / 20

Tx-once-and-done for most use cases. Lower long-term forgery risk than Bitcoin.

2d_encryption_conf 6 / 20

Validator gossip uses TLS (RSA/ECDH). Undeclared PQC migration for RPC.

3 Metadata & Privacy Exposure 32 / 100

3a_graph_visibility 5 / 20

Pseudonymous, fully transparent transaction graph.

3b_rpc_concentration 8 / 20

Helius, QuickNode, Triton dominate RPC. High concentration.

Evidence: Public RPC provider data

3c_bridge_correlation 10 / 20

Wormhole, Portal, deBridge all visible. Full correlation.

3d_retroactive_deanon 9 / 20

Low additional retroactive risk — already transparent.

4 Migration Architecture 20 / 100

4a_crypto_agility 5 / 20

Fixed Ed25519 at protocol level. Adding new signature types requires SIMD + validator upgrade.

Evidence: quantumcanary.org

4b_aa_key_rotation 4 / 20

No native AA. PDAs provide program-level flexibility only.

4c_hard_fork_track_record 6 / 20

Feature gates + SIMD process. 16 months uptime. History of outages (2022-2023) flags coordination concerns.

4d_hybrid_deployment_readiness 5 / 20

Transaction size limit raised to 4,096 bytes (2026) accommodates larger sigs. No hybrid envelope deployed.

5 Deployment Execution 10 / 100

5a_mainnet_pqc_pct 1 / 20

Winternitz Vault deployed on mainnet (community, opt-in, hash-based OTS). Usage <0.1% of tx volume.

Evidence: github.com

5b_pqc_code_in_consensus 0 / 20

No PQC in Agave or Firedancer validator clients.

5c_validator_pqc_keys 0 / 20

5d_published_milestones 4 / 20

5e_pqc_washing_delta 5 / 20

Moderate — Project Eleven announcements exceed shipped mainnet.

6 Supply Chain Vendor Readiness 8 / 100

6a_wallet 2 / 20

6b_bridge 2 / 20

6c_custodian 2 / 20

Fireblocks announced PQC research only.

6d_rpc_hsm 2 / 20

7 Governance & Coordination 42 / 100

7a_validator_stake_distribution 15 / 20

Nakamoto coefficient 31 — highest among PoS.

Evidence: chainspect.app

7b_upgrade_cadence_under_pressure 10 / 20

Recovered from 2022-2023 outages. Feature gate coordination demonstrated.

7c_named_coordination_lead 10 / 20

Solana Foundation + Anza. No named PQC lead.

7d_adversarial_coordination_precedent 7 / 20

Post-FTX recovery demonstrated. No PQC-specific adversarial coordination.

The X + Y vs Z inequality

X (data shelf life): 5-10 (EOA-like, pubkey=address)

Y (migration time): 10-15

Z10 (10% CRQC year): 2036 · Z50 (50%): 2041

Verdict: X+Y > Z (danger).

Four-scenario grid

Scenario	Value preserved	Privacy preserved
quantum never	100%	100%
arrives suddenly pre migration	5%	10%
arrives slowly post migration	85%	75%
arrives slowly mid migration	40%	40%

Peers in the L1 profile

Order-book view of the 9 chains closest to Solana by QRI.

Public artifacts used for this scorecard

Each entry below is a sub-score citation. Clicking the link takes you to the public source. A third party should be able to reconstruct every number on this page from these URLs in 48 hours.

Cryptographic Exposure · 1a_primitive_inventory

Good inventory from v1. BLS usage in tower BFT named by agent context.

Cryptographic Exposure · 1b_shor_grover_pq_tag

https://www.helius.dev/blog/solana-post-quantum-cryptography

Cryptographic Exposure · 1e_implementation_quality

https://github.com/anza-xyz/agave

HNDL Exposure · 2a_active_key

100% of Solana accounts have Ed25519 pubkey = address. No hash protection. Full TVL quantum-exposed.

https://solana.com/developers/docs/core/accounts

Metadata & Privacy Exposure · 3b_rpc_concentration

Helius, QuickNode, Triton dominate RPC. High concentration.

Public RPC provider data

Migration Architecture · 4a_crypto_agility

Fixed Ed25519 at protocol level. Adding new signature types requires SIMD + validator upgrade.

https://www.quantumcanary.org/insights/is-solana-ever-going-to-become-quantum-secure

Deployment Execution · 5a_mainnet_pqc_pct

Winternitz Vault deployed on mainnet (community, opt-in, hash-based OTS). Usage <0.1% of tx volume.

https://github.com/deanmlittle/solana-winternitz-vault

Governance & Coordination · 7a_validator_stake_distribution

Nakamoto coefficient 31 — highest among PoS.

https://chainspect.app/dashboard/decentralization

Supply chain snapshot

wallet Phantom · Solflare · Backpack 0 PQC roadmaps

bridge Wormhole · deBridge · Portal 0 PQC roadmaps

custodian Coinbase Custody · Fireblocks · BitGo 0 PQC roadmaps

rpc_hsm Helius · QuickNode · Triton 0 PQC roadmaps

A chain's supply chain cannot migrate faster than its slowest dependency. Zero PQC roadmaps in any of the four categories is a structural blocker, not a lagging indicator.

Analyst notes on the scoring

Ed25519 exposure on Solana is structurally worst-case: pubkey=address with no hash wrapper. Post-FTX uptime recovery is the strongest governance signal. Migration stage capped at 2 due to zero published dated milestones with verifiable outcomes.

Scorecard metadata

Profile: L1
Scored: 2026-04-18 by layerqu-v2-scoring-agent-4
v1 reference: chainscreen-v1-archive
QRI raw: 20 · after caps: 20
Confidence interval: ±10
PQC washing ratio: 1.2x
Burn-vs-rescue: undeclared

Caps triggered

Mosca (5a<20% → QRI max 60)
Sutor (5d count=1 but named — Migration Stage max 2)
Casado (4+ tiles pqc=0 → migration_stage max 3)
Hybrid gate FAIL → QRI cap 60