AI network token
Cronos CRO
Cronos (CRO) is a Cosmos SDK + Ethermint EVM-compatible L1 blockchain with CometBFT consensus. As of 2026-06-02, the project exhibits zero quantum readiness across all five QRI categories. No public cryptographic inventory, quantum risk assessment, PQC roadmap, testnet, prototype, or deployed mitigation exists. All production cryptography is classical and fully quantum-vulnerable: secp256k1 ECDSA for EVM spend authorization and Ed25519 for CometBFT validator consensus signatures. The EVM account model permanently exposes public keys after the first transaction, creating a large and growing long-exposure (at-rest) attack surface for quantum key-recovery attacks. The 2025-2026 Cronos roadmap prioritizes AI agents, tokenization, and scalability with no mention of quantum security. Independent assessment by LayerQu confirms Migration Stage 0 (Unaware-of-deployment-path). The QRI Score of 1/100 reflects near-total absence of quantum-attack readiness, capped by the absence of even a basic public cryptographic inventory.
QRI Factors
Critical Quantum Blockers
- No public cryptographic inventory or quantum threat model published by Cronos Labs or any Cronos-affiliated entity.
- All production spend authorization uses secp256k1 ECDSA (EVM compatibility via Ethermint) — fully quantum-vulnerable to Shor's algorithm.
- All consensus validator authentication uses Ed25519 via CometBFT — fully quantum-vulnerable.
- EVM account model permanently exposes public keys after first transaction, creating a large and growing long-exposure attack surface.
- No PQC migration roadmap, proposal, testnet, prototype, or public acknowledgment of quantum risk exists anywhere in the Cronos ecosystem.
Key Risks
- All CRO held in EVM accounts that have sent at least one transaction is secured by permanently exposed secp256k1 public keys, creating a harvest-now-decrypt-later target for future CRQCs.
- Validator Ed25519 consensus keys are long-exposed on-chain; compromise would allow an attacker to forge consensus votes, potentially enabling double-sign attacks, finality disruption, or validator impersonation.
- Cronos inherits the full quantum-vulnerability surface of both the Cosmos SDK ecosystem (no PQC support in Cosmos SDK or CometBFT as of mid-2026) and the EVM account model (permanent key exposure), compounding migration complexity.
- The IBC bridge between Cronos EVM and Cronos POS (and other Cosmos chains) relies on the same classical validator-key security model; a quantum compromise of validator keys could affect cross-chain asset security.
- Cronos zkEVM (L2) may introduce additional quantum-vulnerable pairing-based commitments (ZK Stack/ZKsync heritage), expanding the ecosystem attack surface beyond the L1 scope evaluated here.
- With no public quantum acknowledgment from Cronos Labs, the community and institutional users have no visibility into whether any internal preparation is underway, increasing uncertainty for long-horizon asset custody decisions.
Assurance Notes
- No quantum-specific audit, threat model, or cryptographic inventory has been published by Cronos Labs or any third party for the Cronos base layer.
- Cronos inherits the cryptographic security model of Cosmos SDK (CometBFT Ed25519 validator signatures) and Ethermint (secp256k1 ECDSA EVM spend authorization). Both are fully quantum-vulnerable.
- The 2025-2026 Cronos roadmap ('The Golden Age of On-Chain Dominance') focuses on tokenization, AI agents, and institutional adoption with no mention of post-quantum cryptography, quantum risk, or cryptographic migration.
- The Cronos 2025 Whitepaper references 'security and speed upgrades' and 'resilience' but does not address quantum threats or PQC.
- No public GitHub issues, proposals, or code references to post-quantum cryptography exist in the crypto-org-chain organization as of the evaluation date.
- HackenProof bug bounty program exists for Cronos but does not specifically cover quantum threat modeling.
- LayerQu third-party scorecard (v3.1.0, May 2026) independently classifies Cronos as Migration Stage 0 (Unaware-of-deployment-path) with QRI 20/100, consistent with this assessment's finding of zero PQ activity.
Non-Scoring Caveats
- Cronos is a Proof-of-Authority chain with a vetted validator set, which reduces the number of exposed consensus keys compared to permissionless PoS but does not eliminate quantum vulnerability.
- The 2025-2026 roadmap targets $10B in tokenized real-world assets and $20B in CRO via public market rails, significantly increasing the value-at-risk surface without corresponding quantum mitigation.
- Cronos's EVM compatibility means it inherits the full Ethereum account-model quantum exposure: public keys are permanently exposed on-chain after the first transaction from any account.
- No evidence of internal or unpublished PQ research by Cronos Labs could be verified from public sources.
- The absence of a formal quantum-specific incident-response playbook is noted but does not independently reduce the QRI Score under v3.1 rules.
Evidence record
Claims and Caveats
Security Assessment & Evidence Preparedness
Public cryptographic inventory and quantum threat model
Claim: No public cryptographic inventory or quantum threat model exists for Cronos.
Coverage basis: Absence of any such inventory in official docs, whitepaper, GitHub repos, and all searched sources.
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical uncertainty · Score treatment: cap-applying
Quantum blocker: No public cryptographic inventory — Readiness & Risk Cap applies at max QRI 10.
Assurance: Evidence of absence is strong: comprehensive search of official docs, GitHub (cronos, chain-main, cronos-docs), whitepaper, and 2025-2026 roadmap blog post reveals zero quantum-related content.
Cronos has not published any cryptographic inventory or quantum threat model. Third-party analysis (LayerQu, this evaluation) can derive the cryptographic surface from public architecture documentation, but no project-authored assessment exists.
Security Assessment & Evidence Preparedness
Public evidence record supporting quantum assessment
Claim: No public evidence record (code references, specs, audits, tx examples, analytics) exists to support a quantum readiness assessment for Cronos.
Coverage basis: Absence of quantum-related evidence artifacts.
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical uncertainty · Score treatment: score-reducing
Assurance: Public code and docs confirm classical cryptography posture but contain no quantum-specific evidence artifacts.
The absence of a quantum evidence record means all quantum-readiness claims (if any were made) would be unverifiable. Currently no such claims exist.
Production Cryptographic Protection
Spend authorization / transaction signatures
Claim: Cronos EVM uses secp256k1 ECDSA for all transaction signatures via Ethermint EVM compatibility.
Coverage basis: Standard EVM secp256k1; confirmed by official docs, whitepaper, and Ethermint architecture.
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: Active production spend authorization remains entirely ECC-only — Readiness & Risk Cap at max QRI 40.
Assurance: secp256k1 usage is confirmed by Ethermint's ethsecp256k1 proto definitions and standard EVM transaction format.
No PQC or hybrid-PQC transaction path exists. All user funds are secured by quantum-vulnerable ECDSA signatures.
Production Cryptographic Protection
Account/address/public-key exposure and key-derivation design
Claim: Cronos uses the standard EVM account model, in which public keys are exposed on first transaction; no PQ/hybrid controls exist.
Coverage basis: Standard EVM address derivation (keccak256 of pubkey); public keys revealed in transaction signatures.
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: Material long-exposure quantum-vulnerable value exists with no migration path — Readiness & Risk Cap at max QRI 55.
Assurance: EVM account model is the standard Ethereum-compatible pattern; all EOAs that have sent transactions have exposed public keys permanently on-chain.
Long-exposure (at-rest) attack surface is inherent to the EVM account model. Every EOA that has ever sent a transaction has a permanently exposed secp256k1 public key recoverable from the signature.
Production Cryptographic Protection
Consensus-critical authentication
Claim: Cronos uses CometBFT (Tendermint) consensus with Ed25519 validator signatures.
Coverage basis: Standard CometBFT/Tendermint Ed25519 validator key management per official docs and technical glossary.
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: Consensus finality and validator authentication remain quantum-vulnerable — Readiness & Risk Cap at max QRI 70.
Assurance: Ed25519 usage confirmed by technical glossary specifying priv_validator_key.json and TMKMS integration, consistent with all CometBFT chains.
Validator Ed25519 public keys are long-exposed in on-chain validator sets. A quantum attacker could forge validator signatures to disrupt consensus, double-sign, or censor transactions.
Production Cryptographic Protection
Privacy and proof layers
Claim: Cronos EVM L1 has no native privacy layer or ZK proof system.
Coverage basis: Cronos EVM is a standard transparent EVM chain with no shielded transactions or ZK proof layer at L1.
Implementation score: 0 · Evidence confidence: High
Issue classification: none · Score treatment: not applicable
Cronos zkEVM (L2) may have ZK-related quantum considerations but is out of scope for this L1 evaluation.
Migration Status & Value-at-Risk
Percentage of economically relevant value-at-risk protected
Claim: 0% of CRO value-at-risk is protected from quantum key-recovery attacks.
Coverage basis: No PQC migration or protection deployed; all value secured by classical ECC.
Implementation score: 0.05 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: Material long-exposure quantum-vulnerable value exists with no migration, freeze, deprecation, burn, recovery, or policy path — Readiness & Risk Cap at max QRI 55.
Assurance: Coverage is <25% (effectively 0%), scoring 1 point per QRI 9.3.1 thresholds. No migration mechanism exists to measure coverage against.
Coverage score of 1/20 (implementation_score 0.05) reflects the <25% experimental/negligible-protection band. All CRO value, locked DeFi TVL, bridge assets, and validator stakes are fully quantum-vulnerable with no protection path.
Migration Mechanism, Governance & Ecosystem Coordination
Public migration or protection roadmap
Claim: No public PQC migration or protection roadmap exists for any Cronos chain.
Coverage basis: Absence confirmed by comprehensive search of docs, GitHub, blog, and ecosystem sources.
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical uncertainty · Score treatment: score-reducing
Assurance: The 2025-2026 roadmap is exclusively focused on AI agents, tokenization, scalability, and DeFi. Quantum security is not listed as a priority, milestone, or research area.
Cronos is not PQ-native and has a classical ownership namespace; a migration roadmap would be applicable but none exists.
Algorithm & Implementation Assurance
Uses NIST-standardized, standards-track, or broadly reviewed PQC/hybrid-PQC algorithms
Claim: Cronos uses no PQC or hybrid-PQC algorithms in any production or test capacity.
Coverage basis: Absence of any PQC algorithm in code or configuration.
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Assurance: Source code audit confirms no imports or usage of ML-DSA, SLH-DSA, FN-DSA, ML-KEM, or any other NIST PQC algorithm.
No algorithm selection, evaluation, or experimentation with PQC primitives has been publicly documented.