What it is. World Chain ties every account to a real verified person through an iris scan, and rewards those verified humans with free transactions, but it has published no plan for keeping that system safe once quantum computers arrive.
What we found. The iris data is kept private from today's snoops, yet some coverage stretches that into calling the whole network quantum-proof, and the actual money-moving math underneath could all be broken by a mature quantum machine.
Why it matters. Because verified users transact so often for free, a huge number of their keys are already exposed, and the chain is leaning on fixes that Ethereum has not shipped yet rather than its own.
OP Stack rollup launched 2024-10-17 by Tools for Humanity / Worldcoin Foundation; Stage 1 fault proofs, single Alchemy-hosted sequencer, 15M+ wallets. Differentiator is Priority Blockspace for Humans (PBH) + World ID Groth16 zk-SNARK proof-of-personhood. Every on-chain primitive (secp256k1, BLS12-381, Groth16) is Shor-vulnerable; AMPC iris-code architecture protects biometric privacy classically but transport layer is classical TLS HNDL-vulnerable. No World Chain-specific PQ position published.
Summary
World Chain is an OP Stack L2 with native World ID integration. Sequencer is a single EOA hosted by Alchemy. PBH integrates Flashbots Rollup-Boost. World ID uses Groth16 zk-SNARKs over BN254/BLS12-381 with Semaphore identity commitments and Poseidon hashing. Architecture inherits Ethereum / OP Stack agility (EIP-7702 inheritable, ERC-4337 mature on World Chain), Dim 4 = 46, but Dim 5 = 13 deployment, producing a 33-point Architecture-Execution Gap that fires the gap cap at QRI ≤ 70 (non-binding below the Mainnet-Traffic cap at 60). Some industry framing characterizes Worldcoin as 'quantum-resistant' via AMPC + ZK; this conflates classical biometric privacy with on-chain quantum-resistance. -2 announcement-to-shipped deduction conservatively applied. Gate 1a-Sig FAIL, Gate 1a-KEM FAIL. World Chain's strongest asymmetric upside is upstream Ethereum / Superchain PQ direction it can inherit. QRI 25 ± 7, Band 3 Planning, Migration Stage 1.
What the gates say
- Gate 1a, Hybrid signature: FAIL , no documented hybrid signature composition; account/sequencer pure secp256k1; Ethereum-L1-anchored consensus pure BLS12-381
- Gate 1a, Hybrid KEM: FAIL , sequencer transport classical TLS via Alchemy; AMPC iris-code transport classical TLS; no PQ KEM
- Gate 1b, Commit-to-hash: COND , no OR-composition declared
- Gate 2, Evidence reconstruction: PASS , every sub-score has ≥ 3 evidence sources
- Gate 3, Primitive naming: PASS , secp256k1, BLS12-381, Keccak-256, Groth16, Semaphore, Poseidon, BN254, AMPC
Burn-vs-rescue policy on file
Declared option f, Undeclared. Worldcoin Foundation / Tools for Humanity have not published a position on dormant-balance handling or on consensus / sequencer / World ID stack migration path post-Shor. Implicit posture (rollup-L2 settling to Ethereum) inherits whatever Ethereum / OP Stack publishes upstream.
Seven dimensions
Each dimension scores 0–100 internally; the weighted roll-up produces the QRI.
1 Cryptographic Exposure weight 12% 29 / 100
Standard Ethereum/OP-Stack primitives plus World-ID-specific primitives (Groth16, Semaphore, Poseidon, AMPC). Sequencer transport: standard TLS via Alchemy (cloud-provider default).
secp256k1 (EVM account signing) · Keccak-256 (block/transaction hashing) · BLS12-381 (Ethereum L1 beacon-chain anchored finality) · OP Stack fault-proof Cannon64 v1.8.0-rc.4 · Groth16 zk-SNARK (World ID protocol) · Semaphore identity commitments · Poseidon (Semaphore Merkle tree, BN254 field) · AMPC iris-code architecture (Hamming-distance uniqueness check, secret-shared) secp256k1→ Shor-break-via-DLBLS12-381→ Shor-break-via-pairingsGroth16 (paired BN254/BLS12-381)→ Shor-break-via-pairingsSemaphore identity commitments (Poseidon over BN254)→ Shor-break-via-DL on underlying curve + Grover-weaken PoseidonKeccak-256→ Grover-weakenIris-code Hamming-distance→ not a cryptographic primitive in Shor sense; HNDL-relevant only via classical AMPC orchestration
Zero PQ families deployed. Pre-cap state.
No primitive maps to NIST PQC categories 1-5. secp256k1 / BLS12-381 / Groth16 binding all ~128-bit classical pre-quantum.
worldcoin/semaphore-rs and worldcoin/signup-sequencer maintained Rust implementations. Reth execution client production-audited. Least Authority Worldcoin Protocol Cryptography Audit Report (2023-07). OP Stack audits via Optimism. No World-Chain-specific formal verification. Groth16 (Tier 3), BLS12-381 (Tier 1-2), secp256k1 (Tier 1), Poseidon (Tier 4).
2 Quantum Recovery Exposure weight 8% 28 / 100
Default accounts use Ethereum-style secp256k1; pubkey recoverable via ECDSA ecrecover. World App users transact frequently (PBH gives free transactions to verified humans), so active-Forge surface is broad relative to user count. Sequencer (single EOA) signs every batch publication to Ethereum L1.
Mainnet launched 2024-10-17; ~19 months. Cold/dormant exposure moderate given 15M+ user base and short history. WLD airdrops continue to mint to many wallets; cumulative cold balances on revealed-pubkey addresses grow over time.
Every historical secp256k1 transaction signature on World Chain since 2024-10-17 forgeable post-Shor. Every Groth16 World ID inclusion proof loses soundness binding post-Shor (pairings broken). Sequencer batch signatures published to Ethereum L1 forgeable on both secp256k1 and BLS12-381.
Sequencer transport classical TLS via Alchemy (X25519/RSA/ECDH cloud-provider default). RPC inherits cloud-provider TLS. AMPC iris-code shares fragmented across third-party nodes (information-theoretic vs passive eavesdroppers); transport channels carrying shares between Orb / nodes / Worldcoin infra are classical TLS, HNDL-vulnerable for captured traffic.
3 Metadata, Anonymity & Confidentiality weight 8% 19 / 100
Pseudonymous transparent ledger. World ID provides separate anonymity for verification action (actions not linked to iris images/codes), not transaction graph. PBH integration links World-ID-priority transactions to a known signal but World ID itself remains zero-knowledge.
Single sequencer (Alchemy-hosted, single EOA per L2BEAT). Top RPC: Alchemy. High concentration. Mempool gossip observable to sequencer. Validator metadata retention undeclared. PBH (Flashbots integration) introduces additional metadata exposure for World-ID-priority transactions.
Part of Optimism Superchain, interoperable with Base, OP Mainnet, Blast. Standard L2-to-L1 canonical bridge to Ethereum. Bridges expose source-to-destination linkability classically.
Shor on BN254/BLS12-381 breaks Groth16 binding; quantum attacker could forge World ID inclusion proofs. Semaphore Merkle tree (Poseidon over BN254) preserved structurally; Groth16 binding to inclusion fails. Retroactive de-anonymization of World ID actions requires both forging proof and matching off-chain action metadata, partial exposure. AMPC shares info-theoretic-secure against passive adversaries; orchestration classical.
No on-chain mixer, no native commit-reveal shuffle, no integrated mixnet at protocol level.
4 Migration Architecture weight 15% 46 / 100
OP Stack inheritance brings Ethereum-derived agility. EIP-7702 live on Ethereum since Pectra (2025-05-07), inheritable into OP Stack L2s. Reth execution client modern and modular. No World Chain-specific crypto-agility specification.
ERC-4337 fully supported (PBH integration leverages Rollup-Boost / Flashbots bundler with ERC-4337 compatibility per Alchemy launch documentation). EIP-7702 inheritable from Ethereum. Mature AA on World Chain. No documented client-layer PQC path.
Mainnet 2024-10-17. Stage 1 rollup with OP Stack fault-proof activation. PBH mainnet launch (2025) integrating Flashbots Rollup-Boost was substantive coordinated upgrade. OP Stack v1.8.0-rc.4 fault-proof program hash. ~19 months operational.
OP Stack shared with Ethereum and Base; if Ethereum / OP Stack delivers PQ hybrid signature support upstream, World Chain inherits. PBH bundler design could in principle accept hybrid-signature transactions if AA wallets deploy them, but no proposal exists.
No stateful hash signature schemes. Default 15/15.
Rollup-based: sequencer aggregates txs, settles to Ethereum L1; Ethereum L1 finality is BFT-aggregation surface (BLS over BLS12-381). No World Chain-specific PQ aggregation path declared. Inherits Ethereum's BFT-aggregation question without separate commitment.
5 Deployment Execution weight 22% 13 / 100
0% of sequencer signing, account signing, batch settlement, or World ID Groth16 proofs runs on a PQC primitive.
Reth (sequencer execution client) and OP Stack contain no merged PQC primitive. semaphore-rs / signup-sequencer use Groth16 over pairing curves; no FRI-based or PQ proof-system code.
Single sequencer (Alchemy-hosted EOA); 0 PQC consensus keys.
VOIDED to 0 per v3.1 rule (5a = 0). World Chain decentralization roadmap published but contains no PQ-specific milestone. Optimism Superchain referenced 'Post-Quantum Security Roadmap' in industry coverage but a primary-source URL with World-Chain-binding milestones not centralized at evaluation date, under strict v3.1 zero-hallucination discipline, milestone not credited.
Industry commentary characterizes Worldcoin/World Chain as 'quantum-resistant identity protocol' on basis of AMPC + ZK / fragmented biometric storage. AMPC + ZK protect iris-code privacy classically but on-chain stack is fully Shor-vulnerable. Conservative -2 deduction for framing gap (not at >1.5 ratio cap).
Undisclosed.
6 Supply Chain Vendor Readiness weight 25% 20 / 100
World App (official Worldcoin wallet) dominant; EVM-compatible wallets (MetaMask, Rabby, WalletConnect) supported. None has published a World-Chain-specific PQC roadmap.
Standard L2-to-L1 canonical bridge to Ethereum. Superchain interoperability with Base and other OP Stack chains. External bridges (LayerZero, Wormhole, Axelar) where supported. No bridge has published World-Chain-specific PQC roadmap.
WLD has top-tier exchange and custody coverage (Coinbase Custody, BitGo, Anchorage, Fireblocks). No published World-Chain-specific PQC migration timetable from any custodian.
RPC: Alchemy dominant (sequencer-host); third-party providers (Thirdweb, public Alchemy endpoints). HSMs: standard cloud-provider HSM via Alchemy. TEEs: AMPC layer for iris-code processing relies on third-party node fragmentation; specific TEE attestation chains not published as part of consensus path. No PQC roadmap on any infra tile. Higher partial credit reflects mature L2-grade infrastructure (Alchemy 99.999% availability).
7 Governance & Coordination weight 10% 32 / 100
Single sequencer (Alchemy-hosted EOA). Single point of failure for liveness; censorship resistance via 12-hour L1 force-transaction window. Stage 1 rollup means proven fault-proof system but centralized sequencing. Decentralized sequencing on roadmap, not delivered at evaluation date.
Mainnet 2024-10-17, Stage 1 rollup, PBH mainnet launch (2025), OP Stack v1.8.0 fault-proof updates. Multiple coordinated upgrades on schedule. Inherits Optimism Superchain upgrade cadence. Short operational history (~19 months).
Tools for Humanity (US/Germany dev organization, Alex Blania CEO) and Worldcoin Foundation (Cayman non-profit). Public chain-leadership: Alex Blania, Sam Altman (co-founders). No named PQ migration WG or PQ-lead role for World Chain specifically. OP Stack governance via Optimism Foundation / Optimism Collective.
No major adversarial-pressure coordination event for World Chain specifically. Worldcoin protocol has faced regulatory pressure in multiple jurisdictions over biometric data, but these are protocol-level. No exploit-driven hard fork on World Chain.
No published rate-limit canary, no cryptographic tripwire, no Hourglass-equivalent mechanism, no community honeypot.
X + Y vs Z, when does the math turn against you?
v3.1 demotes the X+Y vs Z timing test to a secondary signal, the headline output is Migration Stage. The timing test still answers the question: can this chain finish migrating before the threat lands?
Verdict
X+Y reaches 2034–2041, Crisis Zone (vs Z10 2030); partial Outside risk window (vs Z25 2035)
Z-compliance
Outside compliance window, secp256k1, BLS12-381, Groth16 non-compliant under NIST 2030/2035; biometric-data quantum-readiness derivative pressure under EU GDPR / UK ICO
Source-disagreement disclosure
v3.1 requires every chain card to publish material divergences among authoritative sources, plus the delta-QRI under alternative weighting.
Industry coverage characterizing Worldcoin/World Chain as 'quantum-resistant' via AMPC + ZK conflates: (a) classical multi-party-secure storage of iris codes (defensible against passive classical adversaries) with (b) quantum-resistance of the on-chain cryptographic stack (which is fully Shor-vulnerable). LayerQu separates the two.
Delta-QRI under alternative weighting
Under alternative weighting that gives credit for AMPC's information-theoretic biometric-data secrecy in 2d, World Chain QRI rises ~+1-2 to 26-27. Under stricter reading (AMPC orchestration as classical-TLS-bound and HNDL-vulnerable), QRI stays at 25.
Announcement-to-shipped ratio
Announced: 1. Shipped: 0.
Tag: deduction conservatively applied (-2 at 5e). Industry framing of 'quantum-resistant identity protocol' via AMPC + ZK exceeds shipped substance; not at >1.5 ratio cap but flagged.
Peers in the rollup-L2 profile
9 chains closest to World Chain by Stage then QRI.