exchange token
KuCoin KCS
KuCoin Token (KCS) is a standard exchange/utility token deployed as ERC-20 on Ethereum and native on KuCoin Community Chain (KCC), an EVM-compatible Layer 1 blockchain using Proof of Staked Authority (PoSA) consensus with 29 validators. Both environments rely entirely on classical ECDSA cryptography with no post-quantum implementation, migration plan, or quantum-specific risk assessment for KCS/KCC. KuCoin has demonstrated quantum-risk awareness through educational blog posts and a PQC Gateway Proof of Concept (December 2025) for TLS-level exchange web protection using ML-KEM and Dilithium, but this does not protect on-chain KCS token ownership, KCC consensus validator signatures, or blockchain transaction authorization. All KCS value-at-risk remains in ECDSA-vulnerable addresses and accounts with no migration path, recovery mechanism, or deprecation policy. The project scores at Stage 1 (Quantum Risk Assessed) due to general quantum awareness but lacks any meaningful production protection or migration readiness for the evaluated token scope.
QRI Factors
Critical Quantum Blockers
- Active production spend authorization remains entirely ECDSA-only on both Ethereum (ERC-20 KCS) and KCC (native KCS)
- KCC consensus (Proof of Staked Authority) uses ECDSA validator signatures with no PQC or hybrid-PQC protection
- No public cryptographic inventory exists cataloging KCC/KCS critical public-key mechanisms, attack assumptions, affected assets, or affected layers
- No blockchain-level PQC migration plan, roadmap, testnet, or deployment exists for KCC or the KCS token
- Material long-exposure quantum-vulnerable value exists: all KCS holdings in addresses that have sent transactions on Ethereum or KCC have exposed public keys vulnerable to offline quantum attacks
Key Risks
- All KCS token ownership on Ethereum (ERC-20) and KCC (native) relies on ECDSA signatures vulnerable to quantum key-recovery attacks via Shor's algorithm
- KCC validator signatures and consensus authentication use classical ECDSA cryptography with no PQC or hybrid-PQC protection; a quantum adversary could forge validator signatures to compromise consensus finality
- Long-exposure attack surface: all KCS holdings in addresses that have sent transactions on Ethereum or KCC have exposed public keys vulnerable to offline quantum attacks
- No migration tooling, user prompts, wallet support, or enforcement mechanisms exist for KCS holders to transition to quantum-safe custody
- No emergency disclosure, incident-response, or governance process for quantum-related vulnerabilities affecting KCS or KCC
- Bridge or wrapper mechanisms between Ethereum ERC-20 KCS and KCC native KCS may preserve quantum-vulnerable value paths without restrictions
- KuCoin exchange custody wallets holding KCS remain ECDSA-vulnerable with no public attestation of PQC migration or hybrid protection
Assurance Notes
- No public cryptographic inventory or quantum threat model specific to KCS token or KCC blockchain exists.
- KuCoin published educational blog posts about quantum computing and blockchain security (April-May 2026), but these focus on Ethereum, Solana, and general industry trends rather than KCS/KCC-specific risk assessment.
- KuCoin released a Post-Quantum Cryptography Gateway Proof of Concept (December 2025) for exchange Web3 connections using ML-KEM and Dilithium, but this does not protect on-chain KCS token ownership or KCC consensus/transaction authorization.
- KCS whitepaper and KCC documentation contain no cryptographic algorithm specifications, signature schemes, or quantum-resistance claims.
- No independent audits, security reviews, or formal assessments of KCS/KCC quantum readiness exist.
- KCC is EVM-compatible with PoSA consensus, inheriting standard ECDSA vulnerability from Ethereum architecture.
- A promotional claim of 'quantum-resistant addressing' found in a secondary source (November 2024) is unsubstantiated and contradicted by KCC's EVM/ECDSA architecture.
- KCS exists as both ERC-20 on Ethereum and native token on KCC; both environments rely on standard ECDSA cryptography with no PQC implementation.
Non-Scoring Caveats
- KuCoin's PQC Gateway PoC (December 2025) demonstrates organizational PQC awareness and experimentation but protects only the exchange web TLS session, not KCS token ownership, KCC consensus, or blockchain transaction authorization.
- KCC's 2026 ecosystem roadmap focuses on AI integration, RWA, SocialFi, and Go-DAO governance; quantum security or PQC migration is not mentioned in any KCC roadmap material.
- KuCoin's educational blog posts on quantum computing threats are substantive and demonstrate awareness, but they discuss industry-wide trends and other projects' readiness without committing to a KCC-specific PQC timeline.
- The KCS token exists across at least two chains (Ethereum ERC-20, KCC native), each with independent quantum-vulnerable surfaces that would need separate migration coordination.
- KCC uses a bridge (KCC Bridge) for cross-chain asset transfers. If this bridge uses ECDSA-based signer sets or verification, it represents an additional quantum-vulnerable surface for wrapped/bridged KCS.
Evidence record
Claims and Caveats
Token Inheritance
Spend authorization / transaction signatures
Claim: KCS is a standard ERC-20 token on Ethereum at contract 0xf34960d9d60be18cc1d5afc1a6f012a723a28811
Coverage basis: Token inherits host chain (Ethereum) ECDSA cryptographic properties
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: ERC-20 KCS on Ethereum inherits ECDSA vulnerability; no PQC or hybrid protection exists
Assurance: Etherscan confirms standard ERC-20 contract with no custom cryptographic primitives
Standard ERC-20 implies classical ECC signatures for ownership; no evidence of PQ migration or hybrid
Production Cryptographic Protection
Spend authorization / transaction signatures
Claim: KCC is EVM-compatible Layer 1 using standard ECDSA cryptography for transaction authorization
Coverage basis: Native token on EVM chain inherits classical ECDSA
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: KCC native KCS transactions use ECDSA with no PQC protection
Assurance: KCC official documentation confirms EVM compatibility and PoSA consensus; no PQC mentions
Standard EVM architecture means all active transactions are vulnerable to quantum key-recovery attacks
Consensus Authentication
Consensus-critical authentication
Claim: KCC uses Proof of Staked Authority (PoSA) consensus mechanism with classical validator signatures
Coverage basis: Consensus relies on classical cryptography
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: KCC validator signatures and consensus authentication remain classical with no PQC or hybrid-PQC protection
Assurance: No evidence of PQC or hybrid-PQC validator signatures in KCC documentation; KCC uses 29 validators with PoSA
PoSA consensus relies on classical signatures vulnerable to quantum attacks; validator signatures use ECDSA
Security Assessment & Evidence Preparedness
Public cryptographic inventory and quantum threat model
Claim: KuCoin published educational blog posts about quantum computing and blockchain security (April-May 2026)
Coverage basis: General industry commentary, not KCS/KCC-specific assessment
Implementation score: 0.25 · Evidence confidence: Medium
Issue classification: assurance-only caveat · Score treatment: confidence-only
Assurance: Blog posts acknowledge quantum threat to blockchain generally but do not inventory KCS/KCC cryptography or provide KCS-specific threat model
Educational content focuses on Ethereum, Solana, and industry trends; no KCS/KCC cryptographic inventory or risk assessment
Production Cryptographic Protection
Account, address, public-key exposure
Claim: KCS uses standard Ethereum/KCC addressing with ECDSA key derivation
Coverage basis: Classical ECC addressing with long-exposure vulnerability
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: All KCS holdings in addresses that have sent transactions have exposed public keys vulnerable to offline quantum attacks
Assurance: Standard Ethereum/KCC addressing confirmed; no PQC address schemes or key-derivation protections
Long-exposure attack surface for all transacted addresses
Migration Status & Value-at-Risk
Percentage of economically relevant value-at-risk protected
Claim: No KCS value has been migrated to quantum-safe custody
Coverage basis: 0% coverage; all value remains in ECDSA-vulnerable addresses
Implementation score: 0.05 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: Material long-exposure quantum-vulnerable value exists with no migration, freeze, deprecation, or recovery path
Assurance: No evidence of any KCS migration to PQC addresses or quantum-safe custody
Per QRI 9.3.1, <25% coverage scores 1 out of 20 points
Migration Mechanism, Governance & Ecosystem Coordination
Public migration roadmap
Claim: No public migration roadmap exists for KCS or KCC post-quantum transition
Coverage basis: No roadmap, sequencing, or activation criteria published
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: No migration roadmap or tooling for KCS/KCC post-quantum transition
Assurance: KCS whitepaper and KCC documentation contain no quantum migration plans; KCC 2.0/3.0 roadmaps focus on performance, not PQC
Independent analysis confirms no comprehensive migration plan announced as of April 2026
Production Cryptographic Protection
Critical wallet, custody, HSM workflows
Claim: KuCoin released PQC Gateway Proof of Concept for exchange Web3 connections
Coverage basis: Exchange infrastructure only; does not protect on-chain KCS ownership
Implementation score: 0 · Evidence confidence: Medium
Issue classification: operational/product caveat · Score treatment: note-only
Assurance: PQC Gateway PoC is for exchange Web3 connections using ML-KEM and Dilithium; does not protect on-chain KCS token ownership or KCC transaction authorization
Exchange infrastructure work does not address on-chain quantum vulnerability for KCS holders
Production Cryptographic Protection
Account, address, public-key exposure
Claim: Promotional article claims KuCoin integrated 'quantum-resistant addressing'
Coverage basis: Unsubstantiated marketing claim contradicted by primary sources
Implementation score: 0 · Evidence confidence: Very Low
Issue classification: quantum-critical uncertainty · Score treatment: note-only
Assurance: Claim contradicted by KCC's EVM/ECDSA architecture and primary documentation; likely hallucination or false promotional claim
Secondary source from November 2024; no primary source confirmation; KCC uses standard EVM ECDSA addressing
Algorithm & Implementation Assurance
Uses NIST-standardized, standards-track, or broadly reviewed PQC/hybrid-PQC algorithms
Claim: No PQC algorithms are implemented for KCS token or KCC blockchain
Coverage basis: No PQC implementation exists
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: No PQC or hybrid-PQC algorithms implemented for KCS/KCC
Assurance: No evidence of PQC algorithm implementation in KCC documentation or source code
KCC remains entirely classical ECDSA-based