blockchain network
Flare FLR
Flare is an EVM-compatible PoS L1 network using Avalanche's Snowman++ consensus. The production network relies entirely on classical cryptography (secp256k1 ECDSA for accounts/transactions and likely BLS for validators). While Flare Research published a 2022 whitepaper proposing a hybrid ECDSA + CRYSTALS-Dilithium signature scheme for the EVM, this remains a theoretical design with no evidence of testnet or mainnet implementation. All quantum-critical layers, including spend authorization, consensus authentication, and cross-chain interoperability protocols (FTSO, State Connector, FAssets), remain vulnerable to quantum attacks. The project qualifies for Stage 2 due to the existence of a public mitigation design, but scores low due to the complete absence of production protection or migration tooling.
QRI Factors
Critical Quantum Blockers
- Active production spend authorization remains entirely ECC-only (secp256k1 ECDSA).
- Consensus-critical authentication (Snowman++ PoS) relies on classical signatures.
- Material long-exposure quantum-vulnerable value exists in transacted EOAs with no migration, freeze, or deprecation path.
- FTSO, State Connector, and FAssets bridge verification rely on classical cryptography.
Key Risks
- Shor's algorithm could recover private keys from exposed secp256k1 public keys on-chain, enabling theft of native FLR and ERC-20 assets from transacted EOAs.
- Quantum adversaries could forge validator signatures or manipulate Snowman++ consensus sampling, compromising network finality.
- FTSO and State Connector attestations rely on classical signatures; a quantum attacker could forge oracle data or cross-chain state proofs, compromising dependent DeFi applications and bridged assets.
- LayerZero integration exposes cross-chain messaging to classical signature forgery.
Assurance Notes
- Recent Zellic audits (2025-2026) are scoped to application-layer smart contracts (FAsset Redeem Composer, Smart Accounts) and do not cover base-layer ECC, BLS, or consensus cryptography.
- The 2022 hybrid post-quantum signature research paper remains a theoretical design with no public testnet, prototype, or mainnet deployment evidence.
- Core interoperability protocols (FTSO, State Connector, FAssets) and LayerZero integrations rely entirely on classical cryptographic assumptions, exposing bridged assets and oracle data to quantum forgery.
Non-Scoring Caveats
- Flare Research published a 2022 whitepaper proposing a hybrid ECDSA + CRYSTALS-Dilithium Level 2 signature scheme for the EVM, demonstrating early awareness of the quantum threat, but this has not progressed to prototype or testnet stages.
- Standard EVM address model exposes public keys on-chain for all transacted accounts, creating long-exposure attack windows.
Evidence record
Claims and Caveats
Security Assessment
Public cryptographic inventory and threat model
Claim: Flare Research published a 2022 whitepaper detailing the quantum threat to EVM's ECDSA and proposing a hybrid Dilithium scheme.
Coverage basis: Research paper / design proposal
Implementation score: 1 · Evidence confidence: High
Issue classification: none · Score treatment: not applicable
Assurance: The whitepaper demonstrates clear awareness of the quantum threat and inventories the vulnerable EVM primitives.
This is a research proposal, not a live implementation.
Production Cryptographic Protection
Spend authorization / transaction signatures
Claim: Flare Mainnet uses standard EVM ECDSA (secp256k1) for transaction signatures.
Coverage basis: Classical ECC only
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: Active production spend authorization remains entirely ECC-only (secp256k1 ECDSA).
Assurance: Standard EVM behavior confirmed by official documentation and block explorer.
No PQ or hybrid transaction types are supported on mainnet.
Production Cryptographic Protection
Account, address, public-key exposure
Claim: Standard EVM 0x addresses expose public keys on-chain for transacted EOAs.
Coverage basis: Classical ECC only
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: Material long-exposure quantum-vulnerable value exists in transacted EOAs with no migration, freeze, or deprecation path.
Assurance: Typical EVM behavior; public keys are derivable from transaction signatures.
Creates long-exposure attack windows for all reused or transacted addresses.
Production Cryptographic Protection
Consensus-critical authentication
Claim: Snowman++ PoS consensus relies on classical signatures for validator sampling and block finalization.
Coverage basis: Classical signatures (BLS/ECDSA)
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: Consensus-critical authentication (Snowman++ PoS) relies on classical signatures.
Assurance: Avalanche-derived consensus uses classical stake-weighted sampling and signatures.
No PQ integration in the consensus layer.
Production Cryptographic Protection
State-integrity and data-availability
Claim: FTSO, State Connector, and FAssets rely on classical cryptography for off-chain data and cross-chain state verification.
Coverage basis: Classical signatures
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: FTSO, State Connector, and FAssets bridge verification rely on classical cryptography.
Assurance: Oracle and bridge attestations are vulnerable to quantum forgery.
Compromises dependent DeFi applications and bridged assets.
Production Cryptographic Protection
Privacy and proof layers
Claim: Flare has no native privacy layer or ZK proof system for state shielding.
Coverage basis: N/A
Implementation score: 0 · Evidence confidence: High
Issue classification: none · Score treatment: not applicable
Migration Status & Value-at-Risk
Percentage of value-at-risk protected
Claim: 0% of native FLR or bridged assets are protected by PQ cryptography.
Coverage basis: No PQ implementation
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: cap-applying
Quantum blocker: Active production spend authorization remains entirely ECC-only.
Assurance: No migration has occurred.
All native and bridged value remains exposed.
Migration Mechanism, Governance & Ecosystem Coordination
Public migration or protection roadmap
Claim: 2022 research paper proposes a hybrid signature design but lacks a production migration roadmap, sequencing, or activation criteria.
Coverage basis: Research proposal only
Implementation score: 0.25 · Evidence confidence: Medium
Issue classification: quantum-critical uncertainty · Score treatment: score-reducing
Assurance: The paper is a design document, not an actionable migration plan.
No timeline or governance mechanism for PQ upgrade has been published.
Algorithm & Implementation Assurance
Uses NIST-standardized PQC algorithms
Claim: The 2022 research proposal specifies CRYSTALS-Dilithium Level 2 (NIST standard), but it is not implemented.
Coverage basis: Design proposal only
Implementation score: 0.25 · Evidence confidence: Medium
Issue classification: none · Score treatment: score-reducing
Assurance: Dilithium is a NIST-standardized algorithm, but remains theoretical for Flare.
Algorithm & Implementation Assurance
Independent audit
Claim: Recent Zellic audits cover smart contracts, not core protocol or cryptographic primitives.
Coverage basis: Scope-mismatched audits
Implementation score: 0 · Evidence confidence: High
Issue classification: assurance-only caveat · Score treatment: confidence-only
Assurance: Audits are fresh but limited to application-layer smart contracts.
No quantum-critical or base-layer crypto audits exist.
Algorithm & Implementation Assurance
Performance and resource-impact analysis
Claim: The 2022 whitepaper includes performance comparisons between ECDSA and Dilithium.
Coverage basis: Research paper analysis
Implementation score: 0.25 · Evidence confidence: Medium
Issue classification: none · Score treatment: score-reducing
Assurance: Theoretical performance analysis exists in the research paper.
No mainnet or testnet performance data available.