exchange token
Gate GT
GateChain (GT) is an EVM-compatible Layer-1 PoS blockchain operated by Gate.io. Despite 2020 marketing claims that its '40-16-byte hash string' address format provides 'post-quantum attack prevention,' the chain's production cryptography is entirely classical: Ed25519 for native account spend authorization and consensus VRF, and secp256k1/ECDSA for the EVM module. Both are vulnerable to Shor's algorithm. No PQC or hybrid-PQC algorithms exist in the public codebase (github.com/gatechain/crypto), no quantum migration roadmap has been published, and GateChain is conspicuously absent from Gate.io's own May 2026 analysis of quantum-resistant chain roadmaps. The 'post-quantum' address claim appears to reference only a longer hash-based address format, which at best delays public key exposure until first spend (identical to Bitcoin P2PKH) and provides no protection once a transaction is signed. All native GT, ERC-20 GT, and Gate Layer GT remain fully quantum-vulnerable across all attack windows with no migration, freeze, deprecation, or recovery path. The QRI Score of 1 reflects zero meaningful quantum protection, zero migration progress, and unsubstantiated public claims about quantum resistance.
Not Assessed
Category breakdown
QRI Factors
Algorithm & Implementation Assurance
0 / 20
Migration Mechanism, Governance & Ecosystem Coordination
0 / 15
Migration Status & Value-at-Risk
1 / 25
Production Cryptographic Protection
0 / 35
Security Assessment & Evidence Preparedness
0 / 5
Critical Quantum Blockers
- Active production spend authorization remains entirely classical (Ed25519 for native GateChain accounts, secp256k1 for EVM accounts) with no PQC or hybrid-PQC path — Readiness & Risk Cap: 40
- Project's public 'post-quantum' address format claim is an unsubstantiated marketing statement; the underlying signature schemes remain fully vulnerable to Shor's algorithm — Readiness & Risk Cap: 5
- No public cryptographic inventory or evidence-backed quantum risk assessment has been published by the project — Readiness & Risk Cap: 10
- Consensus authentication (VRF with Ed25519 public-key verification) is quantum-vulnerable, creating a path to consensus compromise or validator impersonation by a quantum adversary
- Material long-exposure quantum-vulnerable value exists with no migration, freeze, deprecation, or recovery path — all circulating GT (~106M) is quantum-vulnerable
- Two-way on-chain bridges to Ethereum and Gate Layer allow GT value to flow into similarly quantum-vulnerable systems with no quantum-safe restrictions
Key Risks
- All GT spend authorization (native Ed25519 and EVM secp256k1) is vulnerable to quantum key-recovery via Shor's algorithm, enabling potential theft of any holdings whose public keys are exposed on-chain.
- Consensus authentication (VRF with classical public key verification, Ed25519 validator signatures) is quantum-vulnerable, creating a path to consensus compromise or validator impersonation by a quantum adversary.
- Long-exposure public keys from previously transacted native accounts and EVM EOAs are permanently vulnerable to offline quantum attack with no migration or deprecation mechanism.
- Cross-chain bridge infrastructure connecting Ethereum GT, GateChain native GT, GateChain EVM GT, and Gate Layer GT uses undocumented signer sets that likely rely on classical cryptography.
- Misleading 'post-quantum' marketing claims may give users and custodians a false sense of security, delaying necessary migration planning.
- No quantum-specific incident response, emergency governance, or disclosure process exists for the event of a quantum-enabled attack.
Assurance Notes
- No independent cryptographic audit of GateChain's protocol-level signature schemes, consensus authentication, or key management has been identified. The only located audit (Hacken, Jan 2024) covers Gate.io Proof-of-Reserves code and is scope-mismatched for quantum-critical blockchain protocol evaluation.
- GateChain's 2020 marketing claims that its '40-16-byte hash string' address format provides 'post-quantum attack prevention' are not supported by any technical specification, cryptographic review, or evidence that the underlying signature algorithms (Ed25519 for native accounts, secp256k1 for EVM accounts) have been replaced or augmented with PQC.
- The GateChain crypto GitHub repository (github.com/gatechain/crypto) contains only classical algorithms: BIP32-ed25519 and VRF. No PQC or hybrid-PQC code is present.
- GateChain is not mentioned in Gate.io's own May 2026 blog post analyzing quantum-resistant roadmaps of ETH, SOL, BNB, NEAR, and TRON, suggesting no internal quantum migration plan exists for the chain itself.
- Vault Account feature (revocable transactions with time delays) provides classical security benefits but does not constitute quantum protection, as the underlying authorization remains Ed25519/secp256k1 and a quantum attacker who recovers the private key could manipulate vault operations.
Non-Scoring Caveats
- GT exists in four forms (Ethereum ERC-20, GateChain native, GateChain EVM-format, Gate Layer) connected by on-chain cross-chain bridges. Bridge signer sets and verification mechanisms are not publicly documented for quantum-critical evaluation.
- Vault Account feature provides time-delay revocability but does not mitigate quantum key-recovery attacks on the underlying classical signatures.
- GateChain mainnet upgrades v17–v20 (2025) focused on consensus efficiency and gas optimization; no quantum-related upgrades were included.
- Approximately 60% of initial GT supply has been burned, reducing total value-at-risk but not changing the quantum-vulnerability of remaining holdings.
- The GateChain crypto library (github.com/gatechain/crypto) is open-source but has not undergone published third-party review. The classical implementation appears functional but lacks independent audit.
Evidence record
Claims and Caveats
Security Assessment & Evidence Preparedness
Public cryptographic inventory of critical public-key mechanisms and public quantum threat model
Claim: GateChain has not published a formal cryptographic inventory or quantum threat model.
Coverage basis: No public document systematically catalogs critical public-key mechanisms or analyzes quantum attack assumptions.
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: No public cryptographic inventory or quantum threat model exists — Readiness & Risk Cap: 10
Assurance: Cryptographic mechanisms can be inferred from code and docs (Ed25519, Secp256k1, VRF) but no consolidated assessment exists.
The 2020 genesis launch announcement mentioned quantum attacks but this was marketing language, not a formal risk assessment.
Security Assessment & Evidence Preparedness
Public evidence record supporting the assessment
Claim: No evidence record or reproducible analytics support a quantum risk assessment.
Coverage basis: No code references, specs, audits, transaction examples, or analytics have been published in service of quantum risk assessment.
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Assurance: Absence of evidence for an assessment is confirmed by exhaustive search of GateChain docs, GitHub, and announcements.
No quantum-specific evidence record has been published.
Production Cryptographic Protection
Spend authorization / transaction signatures are PQC or hybrid-PQC on mainnet
Claim: Native accounts use Ed25519 signatures; EVM accounts use Secp256k1 (ECDSA). Both are classical and quantum-vulnerable.
Coverage basis: API documentation shows PubKeyEd25519 for native accounts; EVM compatibility implies standard Secp256k1. Crypto library confirms BIP32-ed25519 and VRF implementations.
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: All spend authorization is Ed25519 (native) or Secp256k1 (EVM) — both vulnerable to Shor's algorithm — Readiness & Risk Cap: 40
Assurance: Ed25519 and Secp256k1 vulnerability to Shor's algorithm is well-established and does not require specialized audit to confirm.
GateChain operates a dual-architecture system: native chain using Ed25519 and EVM module using Secp256k1. Both are classical elliptic curve algorithms with no PQC or hybrid alternative.
Production Cryptographic Protection
Account, address, public-key exposure, and key-derivation design prevents long-exposure quantum-vulnerable ownership paths
Claim: GateChain claims its '40-16-byte hash string' address format provides 'post-quantum capacities.' In reality, this is a hash-based address that hides the public key until first spend (similar to P2PKH), but provides no protection once a transaction is signed and the public key is revealed.
Coverage basis: Classical address derivation with hash-based pubkey hiding only.
Implementation score: 0 · Evidence confidence: Medium
Issue classification: quantum-critical uncertainty · Score treatment: score-reducing
Quantum blocker: Project's 'post-quantum' address claim is unsubstantiated — underlying signatures remain classical — Readiness & Risk Cap: 5
Assurance: The 2020 marketing announcements claim quantum resistance from address format but provide no technical specification. The claim is inconsistent with the Ed25519/secp256k1 implementations found in public code.
Hash-based addresses only protect unspent outputs where the public key has never been revealed. Any account that has sent a transaction has its public key permanently exposed on-chain and is vulnerable to offline quantum key recovery.
Production Cryptographic Protection
Consensus-critical authentication is PQC or hybrid-PQC where applicable
Claim: GateMint PoS consensus uses classical VRF with Ed25519 public-key verification for validator selection and committee voting. No PQC.
Coverage basis: Consensus docs describe VRF proof verification using proposing node's pub key. 2/3 threshold voting by committee members. All classical.
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: Consensus VRF and validator authentication are entirely classical and quantum-vulnerable
Assurance: VRF implementation in the crypto library uses classical Ed25519-based constructions.
Consensus accounts perform VRF self-selection. Selected accounts form a committee for block proposal and validation. Quantum compromise of validator keys could enable consensus manipulation.
Production Cryptographic Protection
State-integrity and data-availability mechanisms are quantum-safe where applicable
Claim: Hash-based state commitments (Merkle/MPT with Keccak256) provide partial quantum resistance, but supply-binding and authorization rely entirely on quantum-vulnerable signatures. Bridge verification is uncharacterized.
Coverage basis: EVM-compatible state uses standard Merkle Patricia Trie with Keccak256. State transitions are authorized by Ed25519/Secp256k1 signatures. Bridge verification mechanisms are not publicly documented.
Implementation score: 0 · Evidence confidence: Medium
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: State transitions and supply integrity depend on quantum-vulnerable signature verification.
Assurance: Hash-based state commitment (Keccak256 MPT) provides ~128-bit post-Grover security which is generally acceptable, but this does not protect against forged state transitions via compromised signing keys.
Partial credit (0.25) was considered for hash-based commitment structure, but given that authorization layer that gates all state mutation is fully quantum-vulnerable, the overall state integrity is not quantum-safe. Implementation Score remains 0.
Production Cryptographic Protection
Privacy and proof layers are quantum-safe where applicable
Claim: GateChain does not have a privacy layer or ZK proof system in its core protocol.
Coverage basis: No privacy features, shielded pools, ZK proofs, or confidential transactions are documented in GateChain's architecture.
Implementation score: 0 · Evidence confidence: High
Issue classification: none · Score treatment: not applicable
GateChain does not implement privacy features at the protocol level.
Production Cryptographic Protection
P2P transport, node identity, and peer authentication are PQC, hybrid-PQC, or satisfied by design
Claim: No evidence of PQC or hybrid-PQC for P2P transport or node identity.
Coverage basis: No documentation or code references describe P2P-layer cryptography. Node identity in consensus is tied to Ed25519 keys (quantum-vulnerable).
Implementation score: 0 · Evidence confidence: Medium
Issue classification: assurance-only caveat · Score treatment: score-reducing
Assurance: P2P transport layer cryptography is not documented. Even if P2P were quantum-safe, consensus and spend authorization remain fully vulnerable, so this subfactor is not the binding constraint.
Node binary is available at github.com/gatechain/node-binary. P2P crypto details are not publicly documented.
Production Cryptographic Protection
Critical wallet, custody, HSM, signer, and hardware-wallet workflows support the production PQ/hybrid path
Claim: No PQ wallet, custody, HSM, or hardware-wallet support exists. GateChain hardware wallet uses GT signature algorithm (Ed25519).
Coverage basis: 2020 genesis announcement mentions touch-id hardware wallet with 'built-in GateChain signature algorithm.' No PQ wallet support documented.
Implementation score: 0 · Evidence confidence: Medium
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Assurance: Wallet and custody infrastructure is entirely classical. GateChain's native hardware wallet uses Ed25519-based signatures.
No evidence of PQ wallet, HSM, or custody support from Gate or third-party providers.
Migration Status & Value-at-Risk
Percentage of economically relevant value-at-risk protected from quantum key-recovery attacks
Claim: 0% of GT value-at-risk is protected. All circulating, staked, bridged, and locked GT resides in quantum-vulnerable accounts.
Coverage basis: ~106 million GT circulating (300M initial - ~187M burned + ~8.55M PoS issuance). All accounts use Ed25519 or Secp256k1. No migration has occurred. The coverage threshold table assigns score 1 (out of 20) for <25% coverage.
Implementation score: 0.05 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: 100% of GT value-at-risk is quantum-vulnerable with no migration path.
Assurance: Supply figures from official Gate announcement (January 2026). Burn address and cross-chain lock addresses are publicly disclosed and verifiable on-chain. Native GT on GateChain represents a subset of total value; ERC-20 GT on Ethereum and GT on Gate Layer share the same quantum vulnerability profile.
<25% coverage per QRI 9.3.1 → Implementation Score 0.05 (score 1 out of 20 possible). Long-exposure public keys exist for all accounts that have transacted. Dormant/historical holdings on Ethereum (pre-bridge era) and native accounts with exposed keys represent harvest-now-decrypt-later risk.
Migration Status & Value-at-Risk
Critical wallets migrated, protected, or inherently PQ-native
Claim: No critical wallets (treasury, exchange, bridge, foundation) have been migrated to PQ protection. None are PQ-native.
Coverage basis: Bridge lock addresses, burn address, and insurance fund address are all on Ethereum (ECDSA) or GateChain EVM (Secp256k1). No PQ migration of any critical wallet has been announced or evidenced.
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: Cross-chain bridge lock address (0x76bbb8D5...), burn address, and insurance fund all use quantum-vulnerable cryptography with no migration path.
Assurance: Key addresses are publicly disclosed. All are standard Ethereum/GateChain EVM addresses using Secp256k1.
The Ethereum-GateChain bridge lock address holds the backing for all bridged GT. Compromise of this address via quantum attack would be catastrophic for the entire GT supply.
Migration Status & Value-at-Risk
Legacy vulnerable pools/accounts/UTXOs/contracts are identified, measurable, deprecated, migrated, frozen, or proven not to exist by design
Claim: No identification, measurement, deprecation, or migration of legacy vulnerable accounts has occurred.
Coverage basis: No public documentation of vulnerable account inventory, deprecation policy, freeze mechanism, or migration program exists.
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Assurance: No legacy account identification or deprecation program. The ERC-20 GT contract on Ethereum (0xe66747a101bff2dba3697199dcce5b743b454759) is non-mintable and hosts historical holdings with exposed public keys.
GateChain was not PQ-native at launch. All accounts from genesis (2020) through present use classical cryptography. No mechanism exists to identify or deprecate vulnerable accounts.
Migration Mechanism, Governance & Ecosystem Coordination
Public migration or protection roadmap with sequencing, activation criteria, and dependencies
Claim: No public quantum migration roadmap exists.
Coverage basis: Exhaustive search of GateChain docs, GitHub, announcements, and Gate Blog reveals no quantum migration roadmap. Gate's May 2026 blog analyzed five other chains' PQ roadmaps without mentioning GateChain.
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: No quantum migration roadmap, proposal, or design exists — not even at the proposal stage.
Assurance: Gate's own blog comprehensively surveyed PQ roadmaps of ETH, SOL, BNB, NEAR, and TRON (May 2026) without including GateChain — strong evidence no internal PQ work exists.
GateChain has an active upgrade cadence (v17-v21 in 2025-2026) focused on EVM compatibility, EIP adoption, and blob transactions. None of these upgrades address quantum security.
Migration Mechanism, Governance & Ecosystem Coordination
Migration accessibility and defaults: PQ/hybrid account creation, wallet tooling, transaction paths, custody paths, user-facing warnings, education, and migration prompts
Claim: No PQ account creation, wallet tooling, custody paths, user warnings, education, or migration prompts exist.
Coverage basis: GateChain wallets (desktop, iOS, Android, web, hardware) all use classical Ed25519/Secp256k1. No PQ account type, signature option, or migration prompt is documented.
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Assurance: Users can still create new quantum-vulnerable accounts by default with no warnings about quantum risk.
All account types (Standard, Vault, EVM) default to classical cryptography. No PQ alternative exists.
Migration Mechanism, Governance & Ecosystem Coordination
Migration enforcement and coordination: enforcement mechanisms exist and exchange, custody, bridge, wallet, and infrastructure coordination prevents unsafe fallback into vulnerable systems
Claim: No migration enforcement or coordination mechanisms exist.
Coverage basis: No deprecation of classical signatures, no freeze mechanism for vulnerable accounts, no disabled legacy signing paths, and no exchange/bridge/wallet coordination for quantum migration is documented.
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Assurance: GateChain has governance mechanisms (upgrades via consensus node coordination) that could theoretically enact migration, but no quantum-specific governance process is defined.
The project's established upgrade process (v17-v21) demonstrates technical capability for coordinated upgrades, but this capability has not been applied to quantum migration.
Migration Mechanism, Governance & Ecosystem Coordination
Emergency disclosure, incident-response, or governance process for quantum-related vulnerabilities
Claim: No quantum-specific emergency disclosure, incident-response, or governance process has been published.
Coverage basis: No security contact, bug bounty program, disclosure policy, or quantum-specific incident response process is publicly documented for GateChain.
Implementation score: 0 · Evidence confidence: Medium
Issue classification: assurance-only caveat · Score treatment: score-reducing
Assurance: This is an operational gap. It does not independently reduce the QRI Score because the absence of a quantum-specific IR process does not create a new attack path beyond the already-identified quantum-critical vulnerabilities. However, it means that if a quantum vulnerability were discovered or exploited, response coordination would be ad hoc.
Gate runs a centralized exchange with security infrastructure, but no quantum-specific IR playbook for the GateChain protocol has been publicly identified.
Algorithm & Implementation Assurance
Uses NIST-standardized, standards-track, or broadly reviewed PQC/hybrid-PQC algorithms
Claim: GateChain uses no PQC or hybrid-PQC algorithms. All cryptography is classical (Ed25519, Secp256k1, VRF).
Coverage basis: Crypto library implements BIP32-ed25519 and VRF. EVM module uses standard Secp256k1. No NIST PQC standards (FIPS 203/204/205) or other PQ algorithms are implemented.
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: No PQC algorithms — NIST-standardized or otherwise — are used anywhere in the protocol.
Assurance: The absence of PQC algorithms is confirmed by source code review of the crypto library and API documentation showing PubKeyEd25519.
Ed25519 and Secp256k1 are well-standardized classical algorithms, but they are not quantum-resistant.
Algorithm & Implementation Assurance
Independent cryptographic and implementation audit exists for the quantum-critical scope
Claim: No independent cryptographic audit of quantum-critical components has been identified.
Coverage basis: No audit reports for GateChain's cryptography, consensus, bridge contracts, or key management have been found in public sources.
Implementation score: 0 · Evidence confidence: Medium
Issue classification: assurance-only caveat · Score treatment: score-reducing
Assurance: The absence of audits is noted as an assurance gap. Since the quantum vulnerability of Ed25519/Secp256k1 is a well-established mathematical fact (not an implementation concern), the audit gap does not independently reduce the QRI Score. However, any future PQ migration would require fresh audits.
GateChain's crypto library is open-source but has not undergone published third-party review. The bridge contracts and consensus implementation also lack public audit coverage.
Algorithm & Implementation Assurance
Open-source, reproducible implementation
Claim: The classical crypto library is open-source, but no PQC implementation exists to evaluate for reproducibility.
Coverage basis: github.com/gatechain/crypto is public (Apache 2.0 licensed). The codebase implements Ed25519 and VRF with C and Go. No PQC code exists.
Implementation score: 0 · Evidence confidence: Medium
Issue classification: assurance-only caveat · Score treatment: score-reducing
Assurance: Classical implementation is open-source and verifiable. Given that there is no PQ implementation, the maximum Implementation Score supported by evidence is 0.0.
The crypto library has 5 stars, 2 forks, 4 contributors, last pushed October 2024. It depends on libsodium. The classical implementation appears functional but has not been independently audited.
Algorithm & Implementation Assurance
Parameter agility and future upgrade path are documented
Claim: No parameter agility or quantum upgrade path is documented.
Coverage basis: No documentation describes how cryptographic parameters could be upgraded, how new signature schemes would be introduced, or how a quantum migration would be executed.
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Assurance: GateChain has demonstrated the ability to execute coordinated network upgrades (v17-v21), suggesting technical capability exists even though the quantum-specific path is undocumented.
The regular upgrade cadence shows organizational capacity for protocol changes, but no quantum-specific agility planning is evident.
Algorithm & Implementation Assurance
Stateful-signature safety (where applicable)
Claim: GateChain does not use stateful signatures (Ed25519 and Secp256k1 are stateless).
Coverage basis: Ed25519 and Secp256k1 are deterministic stateless signature schemes. No XMSS, LMS, or other stateful PQ scheme is used.
Implementation score: 0 · Evidence confidence: High
Issue classification: none · Score treatment: not applicable
N/A for current production scope. Would become applicable if XMSS/LMS-style stateful hash-based signatures were adopted.
Algorithm & Implementation Assurance
Performance and resource-impact analysis exists where PQ signature/verification costs could affect safe deployment
Claim: No PQ performance or resource-impact analysis exists.
Coverage basis: No documentation, benchmarks, or analysis of PQ signature sizes, verification costs, block-size impact, gas/fee implications, or node hardware requirements has been published for GateChain.
Implementation score: 0 · Evidence confidence: High
Issue classification: assurance-only caveat · Score treatment: score-reducing
Assurance: This is a note-only caveat because there is no PQ path to analyze. A performance analysis would only become relevant once a PQ migration design exists. The absence of analysis does not create a new quantum attack path beyond those already identified.
If GateChain were to adopt PQC, performance analysis would be critical given that PQ signatures are typically 10-50x larger than Ed25519/Secp256k1. BNB Chain's May 2026 report showed 40-50% TPS degradation in test environments with ML-DSA-44.
Report metadata