exchange token
OKB OKB
OKB scores 2/100 on the Quantum Readiness Index, placing it in Stage 1 (Quantum Risk Assessed). OKX has published educational articles acknowledging the quantum threat to ECDSA and blockchain security generally, but has not produced an OKB-specific cryptographic inventory, threat model, or risk assessment. No post-quantum or hybrid cryptographic protection exists in any layer: spend authorization, consensus authentication, state integrity, bridge verification, admin/governance keys, and custody paths all remain entirely dependent on classical ECDSA secp256k1. All ~21M OKB in circulation is quantum-vulnerable with no migration, freeze, deprecation, or recovery path. The OP Stack infrastructure (to which X Layer migrated in October 2025) has a published 10-year PQ roadmap (January 2026) targeting ECDSA EOA deprecation by 2036, but this is a future infrastructure plan with zero current production protection for OKB holders. The Ethereum legacy proxy contract retains quantum-vulnerable admin keys despite L1 withdrawals being discontinued. OKB is a standard EVM-based token that fully inherits the quantum vulnerabilities of its host chains (Ethereum L1, X Layer/OP Stack L2) with the additional centralized risk of upgradeable proxy admin keys.
Roadmap OnlyECC-OnlyToken Inherits Host-Chain RiskUpgradeable Proxy Risk
Category breakdown
QRI Factors
Algorithm & Implementation Assurance
0 / 20
Migration Mechanism, Governance & Ecosystem Coordination
0.75 / 15
Migration Status & Value-at-Risk
1 / 25
Production Cryptographic Protection
0 / 35
Security Assessment & Evidence Preparedness
0 / 5
Critical Quantum Blockers
- No public cryptographic inventory: OKB/X Layer has not published an inventory of critical public-key mechanisms, quantum threat model, affected assets, or affected layers (Readiness & Risk Cap: 10).
- Active production spend authorization remains entirely ECDSA secp256k1-only on both X Layer (OP Stack) and Ethereum. No PQC or hybrid-PQC signature support exists in production, testnet, prototype, or design phase specific to OKB.
- The OKB token proxy contract on Ethereum (OwnedUpgradeabilityProxy) and X Layer bridge/sequencer infrastructure are controlled by ECDSA-based admin keys and multisigs, creating quantum-vulnerable control paths that could enable contract upgrades, supply manipulation, or bridge compromise.
- Material long-exposure quantum-vulnerable value exists (all ~21M OKB circulating supply, exchange-held OKB, bridge-escrowed OKB, and dormant Ethereum ERC-20 OKB) with no migration, freeze, deprecation, burn, or recovery path for quantum-vulnerable keys.
- X Layer inherits Ethereum's ECDSA security model for all user transactions, sequencer authentication, and L1 settlement, with no quantum-safe fallback or migration mechanism.
Key Risks
- All OKB spend authorization on X Layer and Ethereum relies on ECDSA secp256k1, which is broken by Shor's algorithm on a sufficiently powerful quantum computer. Every OKB transaction, transfer, and authorization is quantum-vulnerable.
- The OKB proxy contract on Ethereum (OwnedUpgradeabilityProxy) is controlled by an ECDSA-secured admin key. A quantum attacker who breaks this key could upgrade the contract to a malicious implementation, potentially affecting residual ERC-20 balances or creating confusion across the ecosystem.
- X Layer bridge contracts (OP Stack + AggLayer mode) and sequencer infrastructure are controlled by classical multisigs and ECDSA keys. Compromise of these keys could enable bridge theft, malicious state transitions, or forced network upgrades.
- Long-exposure public keys: all OKB held in Ethereum EOAs that have ever sent a transaction, all sequencer/bridge signer keys, and all admin keys have publicly exposed public keys vulnerable to offline quantum attack with no time constraint.
- No migration mechanism exists for OKB holders to transition to quantum-safe keys or accounts. Users cannot voluntarily protect their holdings against quantum attacks even if they wanted to.
- The OP Stack PQ roadmap (10-year timeline to 2036) is a credible infrastructure-level plan but does not bind OKX to any specific timeline for OKB/X Layer migration, nor does it address token-specific admin keys, bridge governance, or legacy Ethereum contract exposure.
- Dormant and exchange-held OKB on Ethereum (pre-August 2025 migration) with exposed public keys represents a permanent quantum-vulnerable value pool with no deprecation, freeze, or recovery mechanism.
- No quantum-specific incident response process exists. If a quantum attack on ECDSA became practical, there is no public plan for emergency pause, migration acceleration, or user communication.
Assurance Notes
- No independent audit or formal review exists for any post-quantum cryptographic implementation, as none has been proposed or deployed for OKB or X Layer.
- OKX published an educational article acknowledging Ethereum's quantum threat and roadmap, but this does not constitute a project-specific cryptographic inventory or mitigation plan for OKB or X Layer infrastructure.
- X Layer migrated from Polygon CDK to OP Stack in late 2025; both architectures rely entirely on classical ECDSA secp256k1 for user transactions, sequencer authentication, and L1 settlement.
- The OP Stack Post-Quantum Roadmap (January 2026) commits to a 10-year deprecation of ECDSA EOAs by January 2036, but this is a future infrastructure-level plan with no current production protection for OKB holders.
- OKB underwent two non-quantum migrations in 2025: (1) Ethereum ERC-20 to X Layer native gas token (August 2025), and (2) X Layer architecture migration from Polygon CDK zkEVM to OP Stack (October 2025). Neither migration introduced any post-quantum cryptographic protections.
- The Ethereum OKB proxy contract (OwnedUpgradeabilityProxy at 0x75231f58b43240c9718dd58b4967c5114342a86c) remains deployed with admin/upgrade keys controlled by ECDSA-secured addresses. Ethereum L1 withdrawals were stopped in August 2025, but residual balances and the proxy admin remain quantum-vulnerable.
- No formal quantum-specific incident response playbook, performance benchmark for PQC operations, or exchange/custody migration attestation exists for OKB.
Non-Scoring Caveats
- The Optimism Post-Quantum Roadmap (January 2026) provides a credible infrastructure-level migration path for OP Stack chains including X Layer, but it is a 10-year plan with no current production protection. This roadmap is Optimism's, not OKX's, and does not address OKB-specific token contract admin keys or bridge governance.
- OKX's educational articles on quantum computing and blockchain security ('How Ethereum is Preparing for the Quantum Computing Era', November 2025; 'Quantum Computing and Blockchain: Navigating the Looming Cryptographic Threat', July 2025) show organizational awareness but are general educational content, not OKB/X Layer-specific risk assessments.
- The August 2025 OKB smart contract upgrade removed minting and burning functionalities and fixed total supply at 21M, which incidentally limits supply-manipulation blast radius but does not address quantum-vulnerable spend authorization or admin key exposure.
- No exchange or custody migration attestations exist for OKB; all exchange-held and custodied OKB is secured by classical ECDSA keys.
- Future PQ-to-PQ upgrade uncertainty for OP Stack chains is a roadmap concern that does not affect the current evaluation given the absence of any current PQ protection.
Evidence record
Claims and Caveats
Security Assessment & Evidence Preparedness
Public cryptographic inventory of critical public-key mechanisms and public quantum threat model
Claim: OKX has published educational articles about quantum threats to blockchain/Ethereum but has not published a cryptographic inventory specific to OKB or X Layer.
Coverage basis: Published educational content only; no formal inventory exists
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical uncertainty · Score treatment: score-reducing
Quantum blocker: No public cryptographic inventory exists for OKB or X Layer (Readiness & Risk Cap: 10).
Assurance: OKX has published 3+ educational articles on quantum threats (2025–2026), demonstrating organizational awareness. However, none constitutes a formal cryptographic inventory identifying specific public-key mechanisms, attack assumptions, affected assets, or affected layers for OKB or X Layer. Articles discuss Ethereum and Bitcoin generally.
The absence of a cryptographic inventory is the most restrictive Readiness & Risk Cap (10). OKX's articles are general educational content, not an OKB-specific inventory.
Security Assessment & Evidence Preparedness
Public evidence record supporting the assessment
Claim: No structured public evidence record (code references, specs, audits, transaction examples, reproducible analytics) exists to support an OKB-specific quantum risk assessment.
Coverage basis: No structured evidence record; token contract code is public on Etherscan but no quantum analysis exists
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical uncertainty · Score treatment: score-reducing
Assurance: The OKB token contract source code is publicly verifiable on Etherscan and GitHub, confirming standard ERC-20 with OwnedUpgradeabilityProxy. However, no quantum-specific analysis, audit, or evidence record has been published by OKX.
The raw contract code is available but has not been analyzed or presented by OKX in a quantum-risk context.
Production Cryptographic Protection
Spend authorization / transaction signatures are PQC or hybrid-PQC on mainnet
Claim: OKB transactions on both X Layer (OP Stack) and Ethereum use exclusively ECDSA secp256k1 signatures. No PQC or hybrid-PQC signature support exists.
Coverage basis: X Layer is an EVM-equivalent OP Stack L2 using standard Ethereum account model; Ethereum ERC-20 OKB uses standard ECDSA
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: All spend authorization is ECDSA-only. Shor's algorithm breaks ECDSA, enabling key recovery from public keys and unauthorized spending.
Assurance: X Layer docs confirm EVM equivalence with standard Ethereum account model. OP Stack PQ roadmap (Jan 2026) confirms current ECDSA dependency and targets 2036 for deprecation. No hybrid-PQC or PQC signature path exists in production on X Layer or Ethereum for OKB.
This is the most fundamental quantum vulnerability. Every OKB transfer, trade, and authorization relies on cryptography broken by quantum computers.
Production Cryptographic Protection
Account, address, public-key exposure, and key-derivation design prevents long-exposure quantum-vulnerable ownership paths
Claim: OKB uses standard Ethereum account model where public keys are exposed on first transaction. All transacted EOAs, admin keys, bridge signers, and sequencer keys have publicly visible public keys vulnerable to offline quantum attack.
Coverage basis: Standard EVM account model; all OKB transactions reveal sender public keys in ECDSA signatures
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: Long-exposure public keys from transacted EOAs, admin keys, and bridge signers enable offline quantum key-recovery attacks with no time constraint.
Assurance: The Ethereum account model inherently exposes public keys in ECDSA signatures. No key-derivation design change, stealth addressing, or PQ address scheme has been implemented for OKB on either chain.
Long-exposure (at-rest) attack surface is the most dangerous: attackers can compute private keys offline with no time pressure once quantum capability matures.
Production Cryptographic Protection
Consensus-critical authentication is PQC or hybrid-PQC where applicable
Claim: X Layer uses a trusted sequencer (OP Stack) with ECDSA authentication. L1 settlement relies on Ethereum consensus (BLS validator signatures, classical). No PQC consensus authentication exists.
Coverage basis: OP Stack trusted sequencer model; Ethereum L1 BLS-based validator signatures; AggLayer ZK proof verification
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: X Layer sequencer authentication is ECDSA-based. Ethereum consensus uses BLS signatures (quantum-vulnerable). Both create paths to consensus compromise.
Assurance: OP Stack PQ roadmap acknowledges need to migrate sequencer keys off ECDSA and Ethereum validators off BLS, but no timeline for production deployment. AggLayer ZK proof verification adds another quantum-vulnerable dependency (pairing-based proofs).
OKB as a token inherits this vulnerability from X Layer. Sequencer compromise could enable transaction censorship, reordering, or malicious state transitions affecting all OKB on X Layer.
Production Cryptographic Protection
State-integrity and data-availability mechanisms are quantum-safe
Claim: OKB token contract state integrity depends on Ethereum L1 and X Layer OP Stack security. The Ethereum proxy contract has ECDSA-secured admin keys. Bridge contracts (OP Stack bridge + AggLayer) use classical multisigs.
Coverage basis: Ethereum L1 state integrity; OP Stack optimistic rollup with 7-day challenge window; AggLayer ZK proofs for cross-chain settlement
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: ECDSA-secured proxy admin key can upgrade the OKB contract. Bridge multisigs are ECDSA-based. KZG commitments (Ethereum blobs) and ZK proofs (AggLayer) rely on pairing-based cryptography vulnerable to quantum attack.
Assurance: The Ethereum proxy admin key (OwnedUpgradeabilityProxy) allows the owner to call upgradeTo() and upgradeToAndCall(). A quantum attacker recovering the admin private key could deploy a malicious implementation. Bridge contracts (forked from Polygon zkEVM, now OP Stack bridge) use similar classical multisig patterns.
The August 2025 contract upgrade removed mint/burn but did not change the proxy admin pattern. The admin key remains a single point of quantum failure.
Production Cryptographic Protection
Privacy and proof layers are quantum-safe where applicable
Claim: OKB has no privacy layer. The AggLayer ZK proof system uses pairing-based cryptography (potentially Groth16/PLONK) which is quantum-vulnerable, but this is an infrastructure dependency, not an OKB-specific privacy feature.
Coverage basis: No privacy layer exists for OKB; AggLayer ZK proofs are inherited infrastructure
Implementation score: 0 · Evidence confidence: Medium
Issue classification: none · Score treatment: not applicable
Assurance: While X Layer/AggLayer ZK proofs may be quantum-vulnerable (pairing-based), this is captured under state-integrity (subfactor 4) rather than privacy.
N/A by architecture. OKB has no privacy-specific cryptographic dependencies beyond what is captured in other subfactors.
Production Cryptographic Protection
P2P transport, node identity, and peer authentication
Claim: OKB as a token does not have P2P transport or node identity. These are properties of X Layer infrastructure, not the OKB token.
Coverage basis: Token-level evaluation; P2P is an infrastructure concern
Implementation score: 1 · Evidence confidence: High
Issue classification: none · Score treatment: not applicable
Marked N/A for token-scope evaluation. P2P quantum vulnerabilities of X Layer and Ethereum are captured indirectly through host-chain inheritance.
Production Cryptographic Protection
Critical wallet, custody, HSM, and hardware-wallet workflows support the production PQ/hybrid path
Claim: No PQ-supporting wallet, custody, HSM, or hardware-wallet workflows exist for OKB. All OKB custody (exchange, personal wallets, institutional) relies on classical ECDSA keys.
Coverage basis: No PQ wallet/custody infrastructure exists for OKB
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: No PQ-compatible custody path exists. Exchange-held OKB, institutional custody (BitGo), and hardware wallet OKB (Ledger) are all secured by ECDSA keys with no PQ migration option.
Assurance: BitGo supports OKB/X Layer custody with standard ECDSA key management. Ledger supports OKB via standard Ethereum app. Neither offers PQ signature support for OKB. No HSM vendor has published OKB-specific PQ integration.
This is particularly critical given that the majority of OKB volume and value is held on centralized exchanges (OKX, MEXC, etc.) under ECDSA custody.
Migration Status & Value-at-Risk
Percentage of economically relevant value-at-risk protected from quantum key-recovery attacks
Claim: 0% of OKB value is protected. All ~21M OKB (~$1.8B at ~$88/OKB) is secured exclusively by ECDSA keys vulnerable to Shor's algorithm.
Coverage basis: 100% of OKB supply relies on ECDSA; no PQ-protected value exists; coverage <25%
Implementation score: 0.05 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: All OKB value is quantum-vulnerable. No migration, freeze, deprecation, burn, or recovery mechanism exists. Coverage <25% → 1 point earned of 20 weight.
Assurance: Value-at-risk includes: circulating OKB on X Layer, OKB held on OKX and other exchanges, residual ERC-20 OKB on Ethereum (pre-August 2025 migration), bridge-escrowed OKB, and OKB in DeFi protocols. All categories use ECDSA exclusively.
Coverage threshold <25% maps to 1 earned point (of 20 subfactor weight) per QRI 9.3.1. This is the only subfactor contributing positive points to the QRI Score (1.00 of 25 category points).
Migration Status & Value-at-Risk
Critical wallets migrated, protected, or inherently PQ-native
Claim: No critical OKB wallets (treasuries, exchanges, custodians, bridges, foundation) have been migrated to PQ protection. All use classical ECDSA.
Coverage basis: No wallet migration exists; all critical wallets are ECDSA-only
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: OKX exchange hot/cold wallets, MEXC OKB custody, BitGo institutional custody, bridge multisigs, and the Ethereum proxy admin are all ECDSA-secured with no migration path.
Assurance: The burn of 65.26M OKB and contract upgrade (August 2025) affected supply but did not migrate any critical wallet to PQ protection. The proxy admin key remains ECDSA-secured.
Exchange-held OKB represents the largest concentration of quantum-vulnerable value. OKX exchange custody security is opaque but relies on standard ECDSA key management.
Migration Status & Value-at-Risk
Legacy vulnerable pools/accounts/UTXOs/contracts are identified, measurable, deprecated, migrated, frozen, or proven not to exist by design
Claim: No identification, measurement, deprecation, or migration of legacy quantum-vulnerable OKB holdings has been performed.
Coverage basis: No legacy pool identification or deprecation exists
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: No mechanism exists to identify, deprecate, freeze, or burn quantum-vulnerable OKB. Residual ERC-20 OKB on Ethereum with exposed public keys is permanently vulnerable.
Assurance: The Ethereum L1 OKB phase-out (August 2025) stopped new withdrawals to Ethereum but did not address existing vulnerable balances. Holders were advised to migrate to X Layer via OKX Exchange, but this was an operational migration, not a quantum-security measure. Dormant Ethereum OKB with exposed public keys remains quantum-vulnerable indefinitely.
This is a permanent vulnerability for any OKB that remains on Ethereum in addresses that have sent transactions (exposed public keys).
Migration Mechanism, Governance & Ecosystem Coordination
Public migration or protection roadmap with sequencing, activation criteria, and dependencies
Claim: No OKB-specific quantum migration roadmap exists. The OP Stack Post-Quantum Roadmap (January 2026) provides an infrastructure-level plan with a 10-year timeline for ECDSA EOA deprecation, but this is Optimism's roadmap, not OKX's, and does not address OKB-specific concerns.
Coverage basis: OP Stack PQ roadmap exists at infrastructure level; no OKB-specific adaptation published
Implementation score: 0.25 · Evidence confidence: Medium
Issue classification: assurance-only caveat · Score treatment: confidence-only
Assurance: The OP Stack PQ roadmap (Jan 2026) is a credible, published infrastructure plan committing to deprecate ECDSA EOAs by 2036, migrate sequencers to PQ signatures, and coordinate with Ethereum on validator-level changes. As X Layer runs on OP Stack, it would inherit these upgrades. However, OKX has not published its own adaptation, timeline, or commitment. The roadmap explicitly states 'Users don't need to take any action today' — confirming zero current protection. Also, the roadmap does not address OKB-specific proxy admin keys or bridge governance.
Scored at 0.25 (roadmap/proposal level) because the OP Stack PQ roadmap exists and is directly applicable to X Layer infrastructure. This is the only subfactor in Category 4 earning non-zero points.
Migration Mechanism, Governance & Ecosystem Coordination
Migration accessibility and defaults: PQ/hybrid account creation, wallet tooling, transaction paths, custody paths, user-facing warnings, education, and migration prompts
Claim: No PQ/hybrid account creation, wallet tooling, transaction paths, custody paths, warnings, or migration prompts exist for OKB users.
Coverage basis: No migration accessibility features exist
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: OKB holders have no mechanism to migrate to quantum-safe keys, accounts, or custody. Users are locked into ECDSA with no opt-in PQ path.
Assurance: OKX Wallet, Ledger, BitGo, and other OKB-supporting wallets all use standard ECDSA. No PQ wallet integration, account abstraction path, or migration prompt exists. The OP Stack PQ roadmap envisions EIP-7702 account abstraction for migration but this is years away from production.
Even if a user wanted to protect their OKB against quantum attack today, no mechanism exists to do so.
Migration Mechanism, Governance & Ecosystem Coordination
Migration enforcement and coordination: enforcement mechanisms, exchange/custody/bridge/wallet coordination, unsafe-path blocking
Claim: No quantum-specific enforcement mechanisms, coordination, or unsafe-path blocking exists for OKB.
Coverage basis: No enforcement or coordination mechanisms exist
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: No deprecation, freeze, disabled legacy signing, restricted withdrawals, or mandatory migration deadline exists for quantum-vulnerable OKB paths.
Assurance: While OKX demonstrated coordination capability during the August 2025 OKB migration (Ethereum→X Layer) and the October 2025 X Layer architecture migration (Polygon CDK→OP Stack), these were non-quantum operational migrations. No quantum-specific enforcement infrastructure exists.
The operational migrations of 2025 show organizational capability for coordination but do not address quantum security.
Migration Mechanism, Governance & Ecosystem Coordination
Emergency disclosure, incident-response, or governance process for quantum-related vulnerabilities
Claim: No public quantum-specific emergency disclosure, incident-response, or governance process exists for OKB or X Layer.
Coverage basis: No quantum-specific incident response process exists
Implementation score: 0 · Evidence confidence: High
Issue classification: assurance-only caveat · Score treatment: note-only
Assurance: No quantum-specific incident response playbook, vulnerability disclosure process, or emergency governance procedure has been published. This is recorded as an assurance caveat rather than score-reducing because the absence of a process does not itself create a quantum-attack path — the attack paths already exist through unprotected ECDSA. However, the lack of a process means response to a quantum emergency would be ad-hoc.
Note-only caveat per Section 7.4: the absence of a formal quantum-specific IR playbook does not create a new attack path. The underlying ECDSA vulnerability is already captured in other subfactors.
Algorithm & Implementation Assurance
Uses NIST-standardized, standards-track, or broadly reviewed PQC/hybrid-PQC algorithms appropriate to the use case
Claim: OKB uses no PQC or hybrid-PQC algorithms. All cryptographic operations use classical ECDSA secp256k1.
Coverage basis: No PQC algorithms in use
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: No NIST-standardized PQC algorithms (ML-DSA/Dilithium, SLH-DSA/SPHINCS+, FN-DSA/Falcon) or hybrid constructions are used anywhere in the OKB ecosystem.
Assurance: The OP Stack PQ roadmap has not yet selected a specific PQ signature scheme, stating: 'We don't yet know whether the NIST-standardized lattice-based signatures are the best long-term choice.' This indicates the infrastructure-level algorithm selection is still in early evaluation, not implementation.
Algorithm selection is a prerequisite for any migration. No selection has been made at either the OKB or OP Stack level.
Algorithm & Implementation Assurance
Independent cryptographic and implementation audit exists for the quantum-critical scope
Claim: No independent cryptographic or implementation audit exists for any quantum-critical scope of OKB or X Layer, as no PQC implementation exists to audit.
Coverage basis: No PQC implementation, therefore no audit
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Assurance: No quantum-specific audit can exist when no PQC implementation exists. This subfactor will become relevant only after a PQC implementation is deployed.
Scored 0.00 because there is nothing to audit. This is a consequence of the absence of any PQC implementation rather than an independent failure.
Algorithm & Implementation Assurance
Open-source, reproducible implementation
Claim: The OKB token contract is open-source on Etherscan and GitHub, but no PQC implementation exists to evaluate for openness or reproducibility.
Coverage basis: Classical contract is open-source; no PQC code exists
Implementation score: 0 · Evidence confidence: High
Issue classification: none · Score treatment: score-reducing
Assurance: OKX maintains public GitHub repositories for the OKB token contract, X Layer bridge service, and X Layer contracts. These are open-source but contain only classical cryptography. No PQC implementation exists to benefit from open-source review.
The classical implementations being open-source is positive for transparency but irrelevant to quantum readiness without PQC code.
Algorithm & Implementation Assurance
Parameter agility and future upgrade path are documented
Claim: The OKB token contract uses an upgradeable proxy pattern enabling future upgrades, but no parameter agility or PQC upgrade path has been documented.
Coverage basis: Proxy pattern exists but no documented PQC upgrade path
Implementation score: 0 · Evidence confidence: Medium
Issue classification: assurance-only caveat · Score treatment: note-only
Assurance: The OwnedUpgradeabilityProxy pattern on Ethereum technically allows contract upgrades, which could theoretically support future PQC integration. However, no PQC-specific upgrade path, parameter agility design, or migration specification has been documented. The OP Stack PQ roadmap discusses hardfork-based upgrades for the infrastructure layer but does not address token-level parameter agility.
While the proxy pattern provides technical upgrade capability, the absence of documentation means there is no verifiable plan. The proxy admin key itself is quantum-vulnerable, creating a circular dependency.
Algorithm & Implementation Assurance
Stateful-signature safety, side-channel, fault-injection, state-management, hardware-wallet, HSM, or custody implementation risks are considered
Claim: No PQC signatures are in use, so no stateful-signature safety considerations apply. No analysis of side-channel, fault-injection, or HSM risks for PQC has been performed.
Coverage basis: No PQC signatures in use; no analysis performed
Implementation score: 0 · Evidence confidence: High
Issue classification: none · Score treatment: score-reducing
Assurance: This subfactor is marked applicable because the spec requires it to be scored even when no PQC implementation exists ('A subfactor may not be marked N/A merely because the project has not secured, implemented, documented, measured, audited, or migrated it'). Score is 0.00 due to absence of any PQC implementation to analyze.
Will become relevant if/when stateful PQC signatures (XMSS/LMS-style) are adopted. Currently no analysis exists because no PQC signatures are deployed.
Algorithm & Implementation Assurance
Performance and resource-impact analysis exists where PQ signature/verification costs could affect safe deployment
Claim: No performance or resource-impact analysis for PQC deployment on X Layer or for OKB transactions has been published.
Coverage basis: No PQC performance analysis exists
Implementation score: 0 · Evidence confidence: High
Issue classification: none · Score treatment: score-reducing
Assurance: Marked applicable per spec requirements. No PQC performance benchmarks, gas cost analysis, block validation impact assessment, mempool policy analysis, or node hardware requirement evaluation exists. The OP Stack PQ roadmap does not include performance analysis for its proposed PQ migration.
PQC signatures (particularly ML-DSA/Dilithium and SLH-DSA/SPHINCS+) have significantly larger signature sizes and verification costs than ECDSA. Without analysis, the feasibility and cost of deployment are unknown.
Report metadata