Beyond Bitcoin and Ethereum: Quantum Vulnerabilities Across the Blockchain Ecosystem
Introduction
The previous articles in this series focused on Bitcoin, Ethereum, and the Lightning Network because they dominate the cryptocurrency landscape by market capitalization, economic activity, and institutional adoption. But the quantum threat extends across the entire blockchain ecosystem, and the response to it varies enormously. Some chains have been post-quantum since inception. Others are deploying PQC in production today. Many have no plan at all. A few face vulnerabilities that Bitcoin and Ethereum do not: retroactive deanonymization of years of confidential transactions, on-setup attacks that create permanent classical exploits, and cross-chain contagion through stablecoin and tokenization infrastructure.
This article surveys the landscape. The goal is not encyclopedic coverage of every chain but an analytically useful map of where the quantum readiness spectrum stands in mid-2026, which chains are leading, which are lagging, and which face unique risks that the Bitcoin and Ethereum analysis does not capture.
Privacy Chains: The Retroactive Deanonymization Threat
Privacy-focused blockchains face a quantum threat that other chains do not: the destruction of confidentiality for transactions that have already occurred. A quantum computer does not just enable future theft. It enables retroactive surveillance. For chains whose entire value proposition rests on financial privacy, this is an existential vulnerability.
Zcash
Zcash has evolved through three generations of shielded transaction protocols, each with a distinct quantum risk profile.
Sprout (launched 2016, phased out 2020) used the BCTV14 proof system and relied on a trusted setup ceremony. The “toxic waste” from that ceremony could be recovered by a CRQC to forge proofs and stealthily inflate the monetary supply within the Sprout pool, an on-setup attack of the type described in the Google paper.
Sapling (launched 2018) improved performance by adopting the Groth16 protocol on the BLS12-381 curve, but inherited the same on-setup vulnerability through its own trusted setup ceremony. The toxic waste from the Sapling ceremony could be recovered by a quantum computer, creating a permanent classical exploit for undetected supply inflation in the Sapling pool. The Google paper estimates that Shor’s algorithm on BLS12-381 requires a “somewhat larger CRQC” than secp256k1 but characterizes the additional cost as “modest.”
Orchard (launched 2022) eliminated the trusted setup entirely by adopting the Halo 2 proving system, which uses recursive proof composition on the Pallas/Vesta (“Pasta”) elliptic curves. This removed the on-setup inflation vulnerability. But Orchard is not quantum-safe. The Halo 2 proofs and note encryption still rely on elliptic curve assumptions. If discrete logarithms on the Pasta curves become tractable, both proof soundness and note confidentiality could be compromised.
The most immediate quantum risk for Zcash is privacy, not theft. Zcash’s diversified addresses are linked to incoming viewing keys, which a quantum attacker can recover by solving the ECDLP on the relevant curve. An attacker who recovers an incoming viewing key can defeat the unlinkability of diversified addresses and decrypt encrypted notes, revealing transaction amounts and memo fields. Years of historical confidential transactions could be retroactively deanonymized for known addresses. This privacy degradation cannot be undone: once a transaction is decrypted, the information is out.
Zcash’s response has been aggressive. At Consensus Miami on May 8, 2026, ZODL CEO Josh Swihart announced that quantum-recoverable wallets will ship by June 2026, with full post-quantum security targeted within 12-18 months through Project Tachyon. This should be understood as an ecosystem leadership target, not a finalized protocol commitment; the engineering complexity of replacing ECDLP-based primitives across the full Zcash stack is substantial. Tachyon eliminates in-band secret distribution (closing the harvest-now-decrypt-later channel for shielded transactions) and replaces ECDLP-based primitives with quantum-resistant alternatives. Shielded pool adoption has already reached 30% of circulating ZEC, an all-time high. If Zcash delivers on this timeline, it would become one of the first major privacy-focused blockchains with full post-quantum protection.
Zcash also benefits from its Turnstile mechanism, which tracks total monetary supply within each shielded pool. This provides a last line of defense against undetected supply inflation attacks on the legacy Sprout and Sapling pools.
Monero
Monero uses ring signatures, stealth addresses, and RingCT (Pedersen commitments combined with range proofs) to provide transaction privacy. Several of these primitives are quantum-vulnerable.
Pedersen commitments protect transaction amounts through a “hiding” property (amounts are concealed) and a “binding” property (amounts cannot be altered). A quantum computer breaks the binding property, enabling an attacker to create counterfeit coins without detection. Monero also uses ECDH key exchange for stealth address derivation. A quantum attacker who breaks ECDH can de-anonymize stealth addresses and trace payment flows.
Luke Parker, a prominent Monero developer, called for a moratorium on research and development of quantum-vulnerable protocols within the Monero ecosystem and proposed a five-year timeline for post-quantum migration. The call received mixed reception. As of mid-2026, Monero has no deployed PQC and no formal migration roadmap, though research into lattice-based replacements for ring signatures is active.
The retroactive privacy risk applies to Monero as well. An attacker with a CRQC could potentially trace years of historical Monero transactions by breaking the ECDH key exchanges embedded in stealth address derivations. Unlike forward-looking migration, which can protect future transactions, retroactive deanonymization cannot be remediated.
Litecoin Mimblewimble
Litecoin’s Mimblewimble sidechain, activated in 2022, uses Pedersen commitments and ECDH key exchange to provide private transactions. The Google paper identifies a specific on-setup vulnerability: the two elliptic curve points used in the Pedersen commitments are fixed public parameters. An adversary with a CRQC can solve the ECDLP once to recover the relationship between these points, manufacturing a permanent classical exploit for undetected inflation attacks without further quantum access.
The Litecoin community evaluated zkSTARKs as a quantum-resistant alternative but rejected them due to cost. Instead, they implemented a mechanism to switch from Pedersen commitments to ElGamal commitments. Before the switch, a quantum adversary can steal and create coins (binding broken) but cannot learn amounts (hiding intact, though ECDH vulnerability exposes blinding factors indirectly). After the switch, a quantum adversary can learn amounts (hiding broken) but cannot steal or create coins (binding intact). The community chose to sacrifice privacy protection rather than monetary integrity.
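The binding/hiding trade-off described for Monero’s RingCT and for Litecoin’s Pedersen-to-ElGamal switch is easiest to see in a toy group. The following is an added illustration, not code from Litecoin, Monero or the Google paper: it builds both commitment types over a small constructed Schnorr group (P = 2039, Q = 1019, generator 4), uses a brute-force discrete log in place of Shor’s algorithm, and assumes the second generator H was derived as G^x for a hypothetical relation x. It shows that once x is known, a Pedersen commitment opens to two different amounts (binding gone, amounts still hidden), whereas the ElGamal-style commitment keeps a single valid opening but leaks the amount to anyone who can take discrete logs.

```python
"""Toy Pedersen vs ElGamal-style commitments over a small Schnorr group.

Added illustration (not code from Litecoin, Monero or the Google paper).
Group parameters and the relation x = log_G(H) are constructed here; the
brute-force dlog() stands in for a CRQC running Shor's algorithm, which is
the only realistic way an attacker could learn that relation on a real curve.
"""
from typing import List, Tuple

P = 2039   # prime modulus, P = 2*Q + 1 (constructed toy parameter)
Q = 1019   # prime order of the subgroup we commit in
G = 4      # generator of the order-Q subgroup (4 = 2^2 is a quadratic residue)


def dlog(target: int) -> int:
    """Brute-force log_G(target); feasible only because the group is tiny."""
    acc = 1
    for e in range(Q):
        if acc == target:
            return e
        acc = acc * G % P
    raise ValueError("target is not in the subgroup")


def inv_mod_p(a: int) -> int:
    return pow(a, P - 2, P)


# --- Pedersen: C = G^v * H^r.  Binding rests on log_G(H) being unknown. -----

def pedersen_commit(h: int, v: int, r: int) -> int:
    return pow(G, v, P) * pow(h, r, P) % P


def pedersen_verify(h: int, c: int, v: int, r: int) -> bool:
    return pedersen_commit(h, v, r) == c


def pedersen_forge_opening(x: int, v: int, r: int, v_new: int) -> int:
    """With x = log_G(H) known, C = G^(v + x*r), so any (v_new, r_new) with
    v_new + x*r_new == v + x*r (mod Q) also opens C.  x is solved once and
    reused forever: the 'permanent classical exploit' the text describes."""
    return (v - v_new + x * r) * pow(x, -1, Q) % Q


def pedersen_leak(c: int) -> int:
    """What a discrete-log attacker learns from C alone: v + x*r mod Q, which
    says nothing about v while r is random.  Hiding survives."""
    return dlog(c)


# --- ElGamal-style: C = (G^v * H^r, G^r).  The second element fixes r, so the
#     opening is unique even if x is known; in exchange, discrete logs reveal v.

def elgamal_commit(h: int, v: int, r: int) -> Tuple[int, int]:
    return (pow(G, v, P) * pow(h, r, P) % P, pow(G, r, P))


def elgamal_verify(h: int, c: Tuple[int, int], v: int, r: int) -> bool:
    return elgamal_commit(h, v, r) == c


def elgamal_all_openings(h: int, c: Tuple[int, int]) -> List[Tuple[int, int]]:
    """Enumerate every (v, r) that opens c (only possible in the toy group).
    Exactly one entry comes back: binding needs no secret at all."""
    c1, c2 = c
    openings = []
    for r in range(Q):
        if pow(G, r, P) == c2:
            openings.append((dlog(c1 * inv_mod_p(pow(h, r, P)) % P), r))
    return openings


def elgamal_recover_amount(h: int, c: Tuple[int, int]) -> int:
    """Hiding is lost to a discrete-log attacker: log of c2 gives r, then v."""
    c1, c2 = c
    r = dlog(c2)
    return dlog(c1 * inv_mod_p(pow(h, r, P)) % P)


def demo() -> dict:
    x = 123                      # constructed relation a CRQC could recover
    h = pow(G, x, P)
    v, r = 500, 77               # constructed amount and blinding factor
    c_ped = pedersen_commit(h, v, r)
    r_forged = pedersen_forge_opening(x, v, r, 900)
    c_eg = elgamal_commit(h, v, r)
    return {
        "pedersen_two_openings": pedersen_verify(h, c_ped, v, r)
        and pedersen_verify(h, c_ped, 900, r_forged),
        "pedersen_amount_hidden": pedersen_leak(c_ped) != v,
        "elgamal_openings": elgamal_all_openings(h, c_eg),
        "elgamal_amount_leaked": elgamal_recover_amount(h, c_eg),
    }


if __name__ == "__main__":
    print(demo())
```

Run as a script it prints one dictionary: the Pedersen commitment verifies for both 500 and 900, its discrete log is not the amount, the ElGamal-style commitment has the single opening (500, 77), and the amount 500 is recovered from it. That is the exact trade the Litecoin community chose: keep the single-opening property that guards the money supply and accept that amounts become readable once discrete logs are cheap.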
Post-Quantum Blockchains: Proof of Feasibility
A small but growing set of blockchains have deployed post-quantum cryptography in production. Their existence answers the most common objection to PQC migration: that it cannot be done without breaking everything.
Quantum Resistant Ledger (QRL)
The Quantum Resistant Ledger launched in June 2018 as the first blockchain built entirely on post-quantum cryptography. Its original design uses XMSS (eXtended Merkle Signature Scheme), a stateful hash-based signature scheme standardized by NIST as SP 800-208. QRL is adding support for ML-DSA (formerly CRYSTALS-Dilithium) and its development roadmap includes EVM-compatible smart contracts.
QRL’s significance is not its market capitalization (small) but its existence proof. It demonstrates that a blockchain can operate for years using post-quantum signatures without fundamental usability problems. The XMSS signatures are larger than ECDSA (2,692 bytes at the security parameters QRL uses), validating the concern about state bloat, but the network functions.
Abelian
Abelian is a lattice-based post-quantum privacy blockchain that combines PQC with confidential transaction features. Its QDay L2 network provides EVM-compatible smart contracts on top of a quantum-resistant base layer. The existence of an EVM-compatible PQ chain is strategically significant: it creates a potential migration target for Ethereum-based applications and stablecoin issuers looking to diversify their hosting infrastructure against quantum risk.
Mochimo
Mochimo uses a variant of hash-based Winternitz One-Time Signatures (WOTS) and has been quantum-resistant since its launch. Like QRL, its primary contribution is demonstrating that PQ blockchain operation is technically viable.
PQC Pioneers: Incremental Adoption on Vulnerable Chains
Between the fully post-quantum blockchains and the chains with no quantum plan at all sits a middle group: major platforms that have begun deploying PQC incrementally, usually for infrastructure or opt-in use cases, without yet migrating their core transaction signing.
Algorand
Algorand activated Falcon-signed State Proofs on mainnet in September 2022. Every 256 blocks, the chain cryptographically signs its history using one of NIST’s approved lattice-based algorithms. Performance held steady: blocks finalize in about 3.3 seconds at up to 6,000 transactions per second.
In November 2025, Algorand executed what it described as the first post-quantum transaction on mainnet using Falcon signatures. The 2026 roadmap includes native Falcon verification at the consensus layer and an on-chain vote to toggle “quantum-safe accounts” without a hard fork.
The important caveat: Algorand’s core account signing still uses quantum-vulnerable Ed25519. A quantum attacker targeting Algorand user funds would bypass the Falcon-protected State Proof layer entirely and attack the Ed25519 keys directly. Algorand’s research team has published papers exploring full transaction-level PQC migration using lattice-based replacements for Ed25519, but no governance proposal for that migration has been submitted. Algorand is post-quantum at the infrastructure layer; it is not yet post-quantum at the fund-security layer.
Solana
Solana’s quantum readiness accelerated markedly in early 2026. The network’s two core development teams, Anza and Firedancer, independently selected Falcon as their preferred post-quantum signature scheme. Both have published initial implementations on GitHub. A formal post-quantum readiness statement from the Solana Foundation confirms a migration roadmap ready for activation when the threat demands it.
The Winternitz Vault, developed by Blueshift and cited by Google Quantum AI as a notable example of proactive blockchain defense, has been running live on Solana for over two years. It provides quantum-resistant key rotation for opt-in users, though adoption remains limited (fewer than 300 accounts on mainnet-beta as of April 2026).
Solana’s core transaction signing still uses quantum-vulnerable Ed25519. A full migration to Falcon or ML-DSA would touch every wallet, every program invocation, and every validator’s signature verification pipeline. The foundation has indicated this migration is feasible and the research is complete, but no timeline for activation has been set.
XRP Ledger
The XRP Ledger deployed ML-DSA (CRYSTALS-Dilithium) signatures on its AlphaNet test network in early 2026. The XRP Ledger supports native, protocol-level key rotation, which gives it a structural advantage over chains like Ethereum where legacy accounts cannot rotate keys without abandoning the account.
The XRP Ledger’s growing role in RWA tokenization (it holds about two-thirds of all TBILL tokens backed by U.S. Treasury bills) makes its PQC migration timeline significant for the broader tokenized asset ecosystem.
TRON
TRON founder Justin Sun announced plans to activate a quantum-resistant network on TRON’s mainnet in Q3 2026, positioning TRON as what he called the “world’s first quantum-resistant network.” The claim requires verification against delivery; TRON’s history of announcements outpacing implementation warrants caution. TRON supports protocol-level key rotation, which facilitates PQC migration if the core signing algorithms are upgraded.
Starknet
Starknet occupies a unique position: its core proof system (STARKs) is already quantum-resistant because it relies on hash functions rather than elliptic curves. This makes Starknet one of the few L2 platforms whose validity proofs would survive a quantum attack on the underlying elliptic curve cryptography. The S2morrow project has deployed a Falcon-512 lattice-based post-quantum wallet directly on Starknet, allowing users to migrate at their own pace.
Stablecoins, RWA Tokenization, and Cross-Chain Contagion
The fastest-growing segment of the blockchain economy, and arguably the most systemically important, is also among the most exposed.
Stablecoins like Tether (USDT) and USD Coin (USDC) exist as smart contracts on host blockchains, primarily Ethereum. They inherit the quantum vulnerabilities of their host chains. The admin keys controlling these contracts (with the power to mint, burn, freeze accounts, and upgrade contract logic) are exposed on-chain as described in the Ethereum admin vulnerability analysis. A quantum attacker who compromises the admin keys could mint unbacked tokens at will, collapsing the peg between the digital token and the fiat reserves backing it.
Tokenized real-world assets, projected to exceed $16 trillion by 2030, compound this risk. Bonds, equities, commodities, and real estate represented as tokens on quantum-vulnerable chains create a bridge between traditional finance and quantum exposure. The admin takeover of a tokenized treasury bill contract would sever the legal link between the token holder and the underlying asset.
The multi-chain nature of major stablecoins creates both vulnerability and opportunity. USDT and USDC are deployed across Ethereum, Solana, Algorand, TRON, and other chains. They inherit the quantum weaknesses of every host chain, plus those of the interoperability mechanisms that connect them, such as cross-chain bridges and the Interblockchain Communication Protocol. But their multi-chain presence also means that stablecoin issuers can migrate away from quantum-vulnerable hosts.
There is precedent: in February 2024, Circle announced it would cease minting new USDC on the TRON blockchain, allowing users one year to transfer to other chains. The withdrawal demonstrated that a major stablecoin issuer can exit a host blockchain when the risk calculus changes. As post-quantum chains mature, stablecoin issuers seeking the strongest security guarantees have an expanding set of quantum-safe options. USDC is already available on Algorand, which supports Falcon signatures. The emergence of EVM-compatible PQ chains (Abelian’s QDay L2, QRL’s roadmap, Starknet with its STARK-based proof system) could accelerate this competitive pressure.
A Risk Taxonomy for the Ecosystem
The Google whitepaper proposes a four-category taxonomy that usefully maps the diversity of quantum risk profiles across the ecosystem:
Category 1: Post-quantum native. Blockchains where all cryptographic primitives are quantum-resistant from inception or have completed full migration. QRL, Abelian, and Mochimo fall here today. Zcash is targeting this category by 2027 via Project Tachyon.
Category 2: UTXO-based with ephemeral key protection possible. Blockchains where users can avoid long-term public key exposure through address hygiene. Bitcoin, Litecoin, Dogecoin, and Cardano fall here. Individual users can protect themselves from at-rest attacks (though not on-spend attacks) by avoiding address reuse and avoiding P2TR outputs. Systemic risks remain through consensus mechanisms (Cardano’s PoS staking and voting keys are exposed) and through the long tail of address reuse.
Category 3: Account-model with unavoidable key exposure. Blockchains where the account model permanently exposes public keys after the first transaction, with limited or no key rotation. Ethereum (for legacy EOAs), Solana, Rootstock, and (historically) TRON fall here. Active public keys are easier for quantum attackers to find than on UTXO-based chains. Smart contract ecosystems compound the risk through admin keys, bridges, oracles, and governance. Modern Ethereum (via Account Abstraction), Algorand, TRON, and XRP Ledger support key rotation, which mitigates but does not eliminate the exposure.
Category 4: Privacy-preserving with retroactive deanonymization risk. Zcash, Monero, and Litecoin’s Mimblewimble sidechain. These chains face all the forward-looking threats of Categories 2 and 3, plus the unique backward-looking threat: a quantum computer could retroactively decrypt years of historical confidential transactions, destroying the privacy guarantees that are the chains’ reason for existence. This damage cannot be undone through migration. PQC protects future transactions; it does not retroactively re-encrypt the past.
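The Category 2 distinction between at-rest and on-spend exposure is something a custodian can measure in its own holdings. The script below is an added example, not code from any wallet or from the Google whitepaper: it runs a crypto-inventory style check over a constructed list of Bitcoin-like outputs (placeholder txids and addresses) and sorts unspent value into three classes. The rules encode two facts about Bitcoin script types: P2PK and P2TR outputs carry the spending public key in the output itself, and P2PKH/P2WPKH outputs reveal the key only when an output paid to that address is spent, which is why address reuse after a spend moves remaining funds into the at-rest class. Script-hash outputs are left as “unknown” because exposure depends on the redeem script, which this check does not inspect.

```python
"""Sort a wallet's UTXOs by quantum key-exposure class (Category 2 hygiene).

Added example, not code from any wallet, exchange or the Google whitepaper.
The outputs below are constructed; txids and addresses are placeholders.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set

# Output types whose script already contains the spending public key.
PUBKEY_IN_OUTPUT = {"p2pk", "p2tr"}
# Output types that commit to a key hash and reveal the key only on spend.
HASH_LOCKED = {"p2pkh", "p2wpkh"}


class Output(NamedTuple):
    txid: str
    vout: int
    script_type: str
    address: str
    value_sats: int
    spent: bool


# Constructed sample set (placeholder identifiers, not real chain data).
SAMPLE_OUTPUTS = [
    Output("tx_a", 0, "p2wpkh", "bc1q_alice_fresh", 50_000, False),
    Output("tx_b", 0, "p2wpkh", "bc1q_bob_reused", 20_000, True),   # spent: key now public
    Output("tx_c", 1, "p2wpkh", "bc1q_bob_reused", 30_000, False),  # same address, still funded
    Output("tx_d", 0, "p2tr", "bc1p_carol_taproot", 40_000, False),
    Output("tx_e", 0, "p2pk", "legacy_p2pk_coinbase", 5_000_000_000, False),
    Output("tx_f", 0, "p2wsh", "bc1q_multisig_script", 10_000, False),
]


def revealed_addresses(outputs: Iterable[Output]) -> Set[str]:
    """Addresses whose key is already on-chain because a hash-locked output
    paid to them has been spent (the spending input carried the key)."""
    return {o.address for o in outputs if o.spent and o.script_type in HASH_LOCKED}


def reused_addresses(outputs: Iterable[Output]) -> List[str]:
    """Addresses that received more than one output, sorted for stable output."""
    counts = defaultdict(int)
    for o in outputs:
        counts[o.address] += 1
    return sorted(a for a, n in counts.items() if n > 1)


def exposure_class(o: Output, revealed: Set[str]) -> str:
    if o.script_type in PUBKEY_IN_OUTPUT or o.address in revealed:
        return "at_rest"    # key public now; attackable at any time
    if o.script_type in HASH_LOCKED:
        return "on_spend"   # key appears only in the spending transaction
    return "unknown"        # script-hash output: depends on the redeem script


def exposure_summary(outputs: Iterable[Output]) -> Dict[str, int]:
    """Unspent value (sats) per exposure class."""
    outputs = list(outputs)
    revealed = revealed_addresses(outputs)
    totals = {"at_rest": 0, "on_spend": 0, "unknown": 0}
    for o in outputs:
        if not o.spent:
            totals[exposure_class(o, revealed)] += o.value_sats
    return totals


if __name__ == "__main__":
    print("reused addresses:", reused_addresses(SAMPLE_OUTPUTS))
    print("exposure by class:", exposure_summary(SAMPLE_OUTPUTS))
```

On the sample set the legacy P2PK coinbase, the Taproot output and Bob’s second payment all land in the at-rest class, Alice’s single-use P2WPKH output is on-spend only, and the multisig output is flagged for manual review. The same classification, fed from a real UTXO export, is the starting point for the “long tail of address reuse” the text mentions.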
What the Leaders Are Doing That the Laggards Are Not
Several patterns distinguish the blockchains that are making genuine progress on quantum readiness from those that are not.
Institutional coordination. Ethereum’s Foundation-funded PQ team, Zcash’s ZODL-led Tachyon roadmap, Solana’s aligned Anza/Firedancer efforts, and Algorand’s Foundation-supported State Proofs all share a common structural feature: dedicated teams with funded mandates, concrete milestones, and accountability for delivery. Bitcoin’s fragmented, unfunded response contrasts sharply.
Incremental deployment. Algorand’s State Proofs (2022) and Solana’s Winternitz Vault (2024) demonstrate that PQ features can be deployed incrementally, in production, without disrupting existing operations. The “big bang” migration, where everything changes at once, is not the only model. Incremental deployment builds confidence, surfaces implementation bugs, and creates institutional knowledge before the full migration.
Honest scope assessment. The most credible projects distinguish clearly between what their PQ deployments actually protect and what remains vulnerable. Algorand’s State Proofs protect cross-chain verification but not user funds. Solana’s Winternitz Vault protects opt-in accounts but not the network’s core Ed25519 signing. Zcash’s roadmap separates quantum-recoverable wallets (immediate user protection) from full protocol migration (12-18 months). This precision builds trust. Claims of being “quantum-proof” that do not specify what is and is not protected should be treated with skepticism.
Algorithm convergence. Falcon (FN-DSA) is emerging as the preferred signature algorithm across multiple chains: Algorand’s State Proofs, Solana’s Anza/Firedancer alignment, Starknet’s S2morrow wallet. This convergence is driven by Falcon’s compact signatures (roughly one-third the size of ML-DSA-44), which are particularly valuable for high-throughput chains where signature size directly impacts transaction costs and network bandwidth. The convergence also simplifies interoperability and cross-chain verification if multiple chains adopt the same PQ primitive.
The Competitive Dynamic
The quantum migration is not just a security exercise. It is becoming a competitive differentiator.
A blockchain that achieves quantum safety while its competitors remain vulnerable gains a security moat. Institutional custody providers evaluating hosting platforms will factor quantum readiness into their assessments. Stablecoin issuers will prefer quantum-safe hosts. RWA tokenization platforms building 30-year financial instruments need cryptographic security that lasts 30 years. Insurance underwriters pricing custody risk will offer better terms for quantum-resistant infrastructure.
Zcash’s 110% price rally following its PQ roadmap announcement suggests the market is beginning to price this differentiation. Whether that price signal is durable or speculative remains to be seen, but the directional message is clear: the market values quantum readiness.
For Bitcoin, the competitive pressure is double-edged. Bitcoin’s conservatism and resistance to protocol changes are its greatest strengths for censorship resistance and monetary policy credibility. But if Bitcoin becomes the last major blockchain to address quantum risk, it risks losing institutional capital to chains that have already migrated, not because the threat has materialized, but because the deadlines are set and institutions must manage risk against those deadlines.
The final article in this series translates this ecosystem survey into specific action items for protocol developers, exchanges, institutional investors, and individual holders.
Quantum Upside & Quantum Risk - Handled
My company, Applied Quantum, helps governments, enterprises, and investors prepare for both the upside and the risk of quantum technologies. We deliver concise board and investor briefings; demystify quantum computing, sensing, and communications; craft national and corporate strategies to capture advantage; and turn plans into delivery. We help you mitigate the quantum risk by executing crypto-inventory, crypto-agility implementation, PQC migration, and broader defenses against the quantum threat. We run vendor due diligence, proof-of-value pilots, standards and policy alignment, workforce training, and procurement support, then oversee implementation across your organization. Contact me if you want help.