OUSG (tokenized asset)
OUSG (Ondo Short-Term US Government Treasuries) is a tokenized RWA deployed as a standard ERC-20 token on Ethereum, Polygon, Solana, and XRP Ledger. It inherits the quantum-vulnerable ECDSA/EdDSA spend authorization of all its host chains. Critically, all token-specific administrative functions — including minting, burning, pausing, KYC registry management, contract upgrades, and redemption controls — are secured by a 4-of-7 Gnosis Safe multisig using ECDSA signatures, with no on-chain timelock. Ondo Finance has not published any cryptographic inventory, quantum threat model, PQC migration roadmap, or quantum risk assessment for OUSG. The ToS contains a generic quantum disclaimer that does not constitute QRI-qualifying assessment. With approximately $556M-$625M in AUM (May 2026) and zero quantum readiness work, OUSG represents significant quantum-exposed value-at-risk. The project is at Stage 0 (Unassessed / No Evidence) with a QRI Score of 0/100, capped by the absence of any public cryptographic inventory. Per token inheritance rules (QRI Section 7.2), OUSG shares its host chains' quantum vulnerabilities, with additional token-specific exposure from classical admin keys.
QRI Factors
Critical Quantum Blockers
- No public cryptographic inventory or quantum threat model published by Ondo Finance (Readiness & Risk Cap 0: no public cryptographic inventory)
- All spend authorization on all host chains is ECDSA/EdDSA-only with no PQ or hybrid-PQC path (Readiness & Risk Cap 40: active production spend authorization remains entirely ECC-only)
- Token admin/governance keys are secured by a 4-of-7 Gnosis Safe using ECDSA signatures with no on-chain timelock; quantum key recovery would compromise minting, burning, pausing, contract upgrades, KYC registry, and redemption controls
- No PQC migration roadmap, prototype, testnet, or implementation exists for OUSG or its admin infrastructure
- Ondo Finance has not published any quantum risk assessment, cryptographic inventory, or migration plan for OUSG token contracts or admin multisig
Key Risks
- Quantum key recovery of any 4 of 7 ECDSA multisig signers would grant an attacker full control over OUSG token contracts, including unlimited minting, burning of any holder's tokens, pausing all operations, modifying the KYC registry, and upgrading to malicious contract implementations
- The absence of an on-chain timelock means a quantum-compromised admin multisig could execute destructive upgrades instantly with no user exit window
- All user spend authorization across Ethereum, Polygon, Solana, and XRPL relies on quantum-vulnerable ECDSA/EdDSA signatures inherited from host chains
- OUSG holders have no alternative exit path; all redemptions flow through Ondo-managed contracts controlled by the same ECDSA admin keys
- No migration or recovery mechanism exists for OUSG holders or the protocol itself in the event of quantum compromise
- Multisig signer identities are undisclosed, making it impossible to verify whether signers use secure key management practices or whether keys are stored in quantum-vulnerable configurations
- OUSG is deployed across multiple chains with different quantum readiness postures, creating a complex inherited risk surface with no unified mitigation strategy
- Quantum compromise of the admin multisig could silently modify contract state, whitelist malicious addresses, or drain fund assets before any detection or response
Assurance Notes
- OUSG is a standard ERC-20 token that inherits all host-chain (Ethereum, Polygon, Solana, XRPL) classical ECC vulnerabilities; no PQ-native or hybrid features exist
- Multiple classical smart contract audits exist (Spearbit, Cyfrin, Halborn, Code4rena, Cantina, Zellic — 2025-2026) but none address post-quantum cryptography; audit scope is exclusively classical smart contract security
- Admin/governance functions rely on a 4-of-7 Gnosis Safe multisig using ECDSA signatures controlling whitelisting, contract upgrades, minting, burning, pausing, and fund operations with no on-chain timelock
- Ondo Finance ToS Section 10.3 contains a generic quantum computing disclaimer, but this is a legal disclaimer, not a QRI-qualifying cryptographic inventory or quantum threat model
- No public quantum risk assessment, cryptographic inventory, PQC migration roadmap, or quantum-specific incident response process from Ondo Finance
- OUSG AUM approximately $556M-$625M as of May 2026 per multiple sources (ondo.finance $556M May 21, rwa.xyz ~$625M, eco.com ~$650M); all value is quantum-vulnerable
- Multi-chain deployment across Ethereum (ECDSA), Polygon (ECDSA), Solana (EdDSA), and XRPL (EdDSA) creates multiple quantum-vulnerable attack surfaces
- XRPL has a published post-quantum roadmap (April 2026) targeting full readiness by 2028, but this does not protect OUSG token-specific admin keys
- OUSG has minimal DEX liquidity; all exits depend on Ondo-managed redemption paths controlled by the same ECDSA admin keys
Non-Scoring Caveats
- OUSG AUM approximately $556M-$625M (May 2026) representing significant quantum-exposed value-at-risk; exact figure varies by source and date
- KYC/whitelist controls via OndoIDRegistry provide an operational compliance layer but do not mitigate quantum key-recovery attacks on admin or user keys
- Token is restricted to qualified purchasers ($100K minimum) — institutional holders may have independent quantum risk management but this is not evidenced
- Off-chain legal structure (Cayman LP) and traditional custody (BNY Mellon via BUIDL/Securitize) may provide recovery paths not captured by on-chain QRI evaluation
- Ondo Chain (announced 2025-2026, not yet launched) is EVM-compatible with permissioned validators — no PQC features announced; not part of current OUSG production scope
- OUSG has no meaningful DEX liquidity; all exits depend on Ondo-managed redemption paths controlled by the same ECDSA admin keys
- 6 of 7 signers overlap between OUSG and USDY multisigs, meaning a single quantum key compromise could affect multiple Ondo products simultaneously
- Deprecated legacy contracts (OUSGManager, CashManager, KYCRegistry) were replaced for operational reasons, not quantum security
Evidence record
Claims and Caveats
Security Assessment & Evidence Preparedness
Public cryptographic inventory and quantum threat model
Claim: Ondo Finance has not published a cryptographic inventory of critical public-key mechanisms or a quantum threat model covering attack assumptions, affected assets, and affected layers.
Coverage basis: No evidence of any quantum-specific assessment published by the project.
Implementation score: 0 · Evidence confidence: Medium
Issue classification: quantum-critical uncertainty · Score treatment: cap-applying
Quantum blocker: No public cryptographic inventory or quantum threat model published by Ondo Finance
Assurance: Ondo ToS Section 10.3 mentions quantum computing as a general risk but does not inventory specific cryptographic mechanisms, attack surfaces, or affected assets. No QRI-qualifying risk assessment exists. Reviewed official docs, blog posts, and announcements — zero mention of post-quantum cryptography, quantum risk assessment, or PQC migration.
ToS Section 10.3 states quantum computers 'may present risks to Digital Assets and the Services' — this is a legal disclaimer, not a cryptographic inventory or threat model per QRI requirements.
Security Assessment & Evidence Preparedness
Public evidence record supporting the assessment
Claim: No public evidence record supporting a quantum risk assessment exists. Contract addresses, verified source code, and classical audits are publicly available but have not been assembled into any quantum-specific assessment by the project.
Coverage basis: No quantum-specific evidence record published by the project.
Implementation score: 0 · Evidence confidence: Medium
Issue classification: quantum-critical uncertainty · Score treatment: score-reducing
Assurance: Contract code is verified on Etherscan and GitHub. Classical audit reports exist. However, none of this has been organized into a quantum risk evidence record by Ondo Finance.
Third-party analysis (bmic.ai, 2026) identifies OUSG's ECDSA admin key vulnerability, but this is not an Ondo-published assessment.
Production Cryptographic Protection
Spend authorization / transaction signatures are PQC or hybrid-PQC on mainnet
Claim: OUSG is a standard ERC-20 token (and SPL token on Solana, issued currency on XRPL) with no custom cryptographic primitives. All transaction authorization relies on host-chain ECDSA (Ethereum/Polygon), EdDSA (Solana), or ECDSA/EdDSA (XRPL) signatures.
Coverage basis: Token inherits host-chain signature schemes; no PQ or hybrid-PQC spend authorization exists.
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: All spend authorization is ECDSA/EdDSA-only with no PQ or hybrid-PQC path
Assurance: Contract is a verified proxy implementing standard ERC-20 with KYC extensions. No custom signature verification. Inherits Ethereum's ECDSA spend authorization model.
Per QRI Section 7.2 (Token Inheritance), OUSG inherently shares the base-layer QRI score of its host chains. All host chains use classical ECC for spend authorization in current production.
Production Cryptographic Protection
Account, address, public-key exposure, and key-derivation design
Claim: OUSG holders use standard Ethereum addresses (exposing public key on spend), Solana addresses (EdDSA public keys), and XRPL addresses. No PQ/hybrid address format or key-derivation design exists. Admin multisig address has sent transactions, exposing signer public keys.
Coverage basis: Standard host-chain address models with no PQ protection.
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Assurance: Public keys of EOAs that have sent transactions are exposed on-chain and vulnerable to long-exposure 'harvest now, decrypt later' attacks.
Admin multisig address (0xAEd4caF2...) has sent transactions, exposing signer public keys. KYC-registered holder addresses that have transferred OUSG also have exposed public keys on their respective chains.
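As an added illustration of this subfactor's point (not part of the report and not Ondo code): an address that has only received funds exposes a hash of its public key, but once it has signed a transaction the full public key is recoverable from the signature alone, as Ethereum's ecrecover does on every spend. The private key, transaction hashes and simplified nonce derivation below are constructed for the demonstration.

```python
"""Constructed demo: recover a signer's secp256k1 public key from ECDSA signatures."""
import hashlib

# secp256k1 domain parameters (standard constants)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _add(p, q):
    """Affine point addition; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    if p[0] == q[0] and (p[1] + q[1]) % P == 0:
        return None
    if p == q:
        lam = 3 * p[0] * p[0] * pow(2 * p[1], -1, P) % P
    else:
        lam = (q[1] - p[1]) * pow(q[0] - p[0], -1, P) % P
    x = (lam * lam - p[0] - q[0]) % P
    return (x, (lam * (p[0] - x) - p[1]) % P)


def _mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc


def sign(priv, z):
    """ECDSA over hash z -> (r, s, y_parity). Nonce derivation is a simplified,
    deterministic stand-in for RFC 6979 (demo only). s is normalised to the low
    half (EIP-2); the parity bit is flipped so recovery lands on the right point."""
    seed = priv.to_bytes(32, "big") + z.to_bytes(32, "big")
    k = int.from_bytes(hashlib.sha256(seed).digest(), "big") % N or 1
    R = _mul(k, G)
    r = R[0] % N
    s = pow(k, -1, N) * (z + r * priv) % N
    parity = R[1] & 1
    if s > N // 2:
        s, parity = N - s, parity ^ 1
    return r, s, parity


def recover(z, r, s, parity):
    """Public key from (z, r, s, parity): Q = r^-1 * (s*R - z*G), as ecrecover does."""
    y = pow((pow(r, 3, P) + 7) % P, (P + 1) // 4, P)  # sqrt mod P, valid since P = 3 mod 4
    if y & 1 != parity:
        y = P - y
    r_inv = pow(r, -1, N)
    return _add(_mul(s * r_inv % N, (r, y)), _mul((-z * r_inv) % N, G))


def exposure_demo():
    """Return (true_pubkey, recovered_from_tx1, recovered_from_tx2) for a constructed key."""
    priv = int.from_bytes(hashlib.sha256(b"constructed demo key").digest(), "big") % N
    pub = _mul(priv, G)
    # Constructed transaction hashes standing in for two OUSG transfers; not chain data.
    z1 = int.from_bytes(hashlib.sha256(b"constructed OUSG transfer #1").digest(), "big")
    z2 = int.from_bytes(hashlib.sha256(b"constructed OUSG transfer #2").digest(), "big")
    return pub, recover(z1, *sign(priv, z1)), recover(z2, *sign(priv, z2))
```

Every further spend yields the same recovered point, so one signed transaction is enough to fix the public key permanently in chain history; this is the "long exposure" the assurance note refers to.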
Production Cryptographic Protection
Consensus-critical authentication is PQC or hybrid-PQC where applicable
Claim: OUSG is a token, not a blockchain. It has no consensus mechanism, validator set, or block production of its own.
Coverage basis: Not applicable to a tokenized asset.
Implementation score: 1 · Evidence confidence: High
Issue classification: none · Score treatment: not applicable
Production Cryptographic Protection
State-integrity and data-availability mechanisms are quantum-safe where applicable
Claim: OUSG token supply integrity is controlled by admin roles (MINTER_ROLE, BURNER_ROLE) secured by the ECDSA multisig. There are no KZG/pairing-based commitments, nullifiers, accumulators, or bridge verification logic in the OUSG token contract itself.
Coverage basis: Token supply integrity depends on ECDSA admin keys.
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: Token admin/governance keys are ECDSA-secured; quantum compromise would enable unlimited minting/burning and supply manipulation
Assurance: Verified on-chain: ProxyAdmin at 0xba80aa44cc25e85cc30359150dfb1c7d041cf6d5 owned by 4-of-7 Safe at 0xAEd4caF2E535D964165B4392342F71bac77e8367. Roles include MINTER_ROLE, BURNER_ROLE, PAUSER_ROLE, MANAGER_ADMIN. No timelock.
BURNER_ROLE can burn tokens from any address. A quantum attacker controlling the multisig could drain all OUSG holders by burning their tokens or minting unlimited supply.
Production Cryptographic Protection
Privacy and proof layers are quantum-safe where applicable
Claim: OUSG has no privacy layer, ZK proofs, shielded transactions, note encryption, or stealth addresses.
Coverage basis: Not applicable.
Implementation score: 1 · Evidence confidence: High
Issue classification: none · Score treatment: not applicable
Production Cryptographic Protection
P2P transport, node identity, and peer authentication are PQC, hybrid-PQC, or satisfied by design
Claim: OUSG is a token, not a P2P network. It has no independent node discovery, peer authentication, or P2P transport layer.
Coverage basis: Not applicable.
Implementation score: 1 · Evidence confidence: High
Issue classification: none · Score treatment: not applicable
Production Cryptographic Protection
Critical wallet, custody, HSM, signer, and hardware-wallet workflows support the production PQ/hybrid path
Claim: OUSG admin operations are controlled by a 4-of-7 Gnosis Safe multisig using ECDSA signatures. No PQ/hybrid wallet, custody, HSM, or hardware-wallet support exists for admin key management. OUSG holders use standard ECDSA/EdDSA wallets.
Coverage basis: All critical wallet workflows rely on classical ECC.
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: Admin multisig is a standard Gnosis Safe (Safe 1.3.0) using ECDSA; no PQ hardware signing or custody path exists
Assurance: Safe 1.3.0 implementation at 0xd9db270c1b5e3bd161e8c8503c55ceabee709552 verified on Etherscan. Multisig signers use standard ECDSA keys with identities undisclosed.
The 6/7 signer overlap between OUSG and USDY multisigs means a single quantum key compromise could affect multiple Ondo products simultaneously.
Migration Status & Value-at-Risk
Percentage of economically relevant value-at-risk protected from quantum key-recovery attacks
Claim: 0% of OUSG value-at-risk is protected from quantum key-recovery attacks. All approximately $556M-$625M in AUM is fully exposed through both inherited base-layer vulnerabilities and token-specific admin key vulnerabilities.
Coverage basis: No PQ protection exists for any OUSG value.
Implementation score: 0 · Evidence confidence: Medium
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: 100% of value-at-risk is quantum-vulnerable with no migration, freeze, deprecation, burn, recovery, or policy path
Assurance: AUM figures: ondo.finance $556M (May 21 2026), rwa.xyz ~$625M (Q1 2026), eco.com ~$650M, tokenisedetfs.com $721.4M (March 2026). All value remains in ECDSA/EdDSA-controlled addresses with no PQ protection regardless of exact figure.
OUSG holders include institutions and qualified purchasers. Long-exposure risk applies to all holder addresses that have transferred OUSG, exposing their public keys on-chain.
Migration Status & Value-at-Risk
Critical wallets migrated, protected, or inherently PQ-native
Claim: No critical wallets — including the admin multisig, Coinbase Prime custodian address, InstantManager, OUSG Recipient, or any operational addresses — have been migrated to or protected by PQC or hybrid-PQC controls.
Coverage basis: All critical wallets use classical ECC.
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: Admin multisig (4-of-7 Safe) and all operational wallets are ECDSA-only with no migration path
Assurance: All critical addresses confirmed via Ondo docs and Etherscan. Admin multisig at 0xAEd4caF2... is a standard Gnosis Safe with no PQC capabilities. Coinbase Prime custodian address (0xF67416a2C49f6A46FEe1c47681C5a3832cf8856c) is also an ECDSA EOA.
Migration Status & Value-at-Risk
Legacy vulnerable pools/accounts/UTXOs/contracts are identified, measurable, deprecated, migrated, frozen, or proven not to exist by design
Claim: No legacy vulnerable pool identification, measurement, deprecation, or migration has been performed for quantum security purposes. OUSG has deprecated legacy contracts (OUSGManager, CashManager, KYCRegistry) but these were replaced for operational reasons, not quantum security.
Coverage basis: No quantum-motivated deprecation or pool identification exists.
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Assurance: Legacy contract deprecations are documented in Ondo's address page but were operational upgrades, not quantum-migration actions.
Deprecated legacy contracts include OUSGInstantManager (deprecated April 2025), KYCRegistry (deprecated April 2025), OUSGManager (deprecated April 2024), and CashManager (deprecated December 2023). None involved PQC.
Migration Mechanism, Governance & Ecosystem Coordination
Public migration or protection roadmap with sequencing, activation criteria, and dependencies
Claim: No public migration or protection roadmap with sequencing, activation criteria, and dependencies exists for OUSG or its admin infrastructure.
Coverage basis: No roadmap published.
Implementation score: 0 · Evidence confidence: Medium
Issue classification: quantum-critical uncertainty · Score treatment: score-reducing
Quantum blocker: No PQC migration roadmap exists for OUSG or its admin infrastructure
Assurance: Ondo Summit 2026 (February 2026) made no quantum-related announcements. Ondo Chain roadmap focuses on institutional RWA infrastructure, not quantum migration of existing tokens.
XRPL's post-quantum roadmap (targeting 2028) is a host-chain initiative, not an Ondo-published OUSG migration plan. Ondo has not published any quantum risk assessment or migration plan for OUSG.
Migration Mechanism, Governance & Ecosystem Coordination
Migration accessibility and defaults
Claim: No PQ/hybrid account creation, wallet tooling, transaction paths, custody paths, user-facing warnings, education, or migration prompts exist for OUSG.
Coverage basis: No migration accessibility exists.
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Assurance: Ondo's user-facing documentation and web app contain no quantum-related warnings, migration guidance, or PQ account options.
OUSG minting/redemption is primarily through the ondo.finance web app using standard browser wallets (MetaMask, etc.) with classical ECDSA key management.
Migration Mechanism, Governance & Ecosystem Coordination
Migration enforcement and coordination
Claim: No enforcement mechanisms exist for quantum migration (no deprecation, freeze, disabled legacy signing, restricted withdrawals, unsafe-path blocking, or mandatory migration deadlines). No exchange, custody, bridge, wallet, or infrastructure coordination for quantum migration exists.
Coverage basis: No enforcement or coordination exists.
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Assurance: OUSG has no DEX liquidity; all exits depend on Ondo-managed redemption paths. No quantum-motivated coordination with exchanges, custodians, or wallet providers exists.
OUSG's KYC/whitelist system and PAUSER_ROLE could theoretically be used to enforce migration if Ondo chose to, but no such plan exists.
Migration Mechanism, Governance & Ecosystem Coordination
Emergency disclosure, incident-response, or governance process for quantum-related vulnerabilities
Claim: No quantum-specific emergency disclosure, incident-response, or governance process has been published by Ondo Finance.
Coverage basis: No quantum-specific IR process exists.
Implementation score: 0 · Evidence confidence: Medium
Issue classification: assurance-only caveat · Score treatment: note-only
Assurance: Ondo has an Immunefi bug bounty program and general security practices, but no quantum-specific incident response procedures are documented. This is an assurance-only caveat per QRI Section 7.4: the absence of a quantum IR playbook does not create a new quantum attack path beyond those already identified and scored.
Algorithm & Implementation Assurance
Uses NIST-standardized, standards-track, or broadly reviewed PQC/hybrid-PQC algorithms appropriate to the use case
Claim: OUSG uses no PQC or hybrid-PQC algorithms. All cryptography is classical ECDSA/EdDSA inherited from host chains and the Gnosis Safe multisig implementation.
Coverage basis: No PQC algorithms in use.
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: No NIST-standardized PQC algorithms are used anywhere in the OUSG token or admin infrastructure
Assurance: Gnosis Safe 1.3.0 uses ECDSA secp256k1. OUSG token contract (CashKYCSenderReceiver.sol) is standard OpenZeppelin-based ERC-20 with no custom cryptography.
Algorithm & Implementation Assurance
Independent cryptographic and implementation audit exists for the quantum-critical scope
Claim: No independent audit covering post-quantum cryptographic security exists. All existing audits (Spearbit, Cantina, Cyfrin, Halborn, Zellic, Code4rena) cover classical smart contract security only.
Coverage basis: No PQC audit exists.
Implementation score: 0 · Evidence confidence: High
Issue classification: assurance-only caveat · Score treatment: confidence-only
Assurance: Classical audits are current (through 2026) and from reputable firms. However, audit scope is exclusively classical smart contract security — access control, logic bugs, reentrancy, etc. Zero PQC scope. Per QRI Section 7.4, scope-mismatched audits are confidence-only caveats when the quantum-critical property (no PQC implementation) is independently verifiable from on-chain data and source code.
Algorithm & Implementation Assurance
Open-source, reproducible implementation
Claim: OUSG token contracts and Gnosis Safe multisig are open source and verified on Etherscan. However, there is no PQC implementation to be open source or reproducible.
Coverage basis: Classical code is open source; no PQC code exists.
Implementation score: 0 · Evidence confidence: High
Issue classification: none · Score treatment: score-reducing
Assurance: Source code is verified and publicly available. This subfactor scores 0.0 because there is no PQC implementation to evaluate for reproducibility, not because classical code is closed-source.
Algorithm & Implementation Assurance
Parameter agility and future upgrade path are documented
Claim: No documented parameter agility or future PQC upgrade path exists for OUSG or its admin infrastructure.
Coverage basis: No agility or upgrade path documented.
Implementation score: 0 · Evidence confidence: Medium
Issue classification: quantum-critical uncertainty · Score treatment: score-reducing
Assurance: OUSG uses OpenZeppelin TransparentUpgradeableProxy which enables contract upgrades via the admin multisig. This provides a technical upgrade path, but no quantum-specific parameter agility or PQC upgrade plan has been documented.
The upgradeable proxy architecture could theoretically support a PQC migration if Ondo chose to implement one, but no such plan exists.
Algorithm & Implementation Assurance
Stateful-signature safety, side-channel, fault-injection, and custody implementation risks
Claim: No stateful PQC signatures (XMSS/LMS) are used, so anti-reuse controls and signing-state discipline are not applicable to the current implementation.
Coverage basis: No stateful signatures in use.
Implementation score: 1 · Evidence confidence: High
Issue classification: none · Score treatment: not applicable
Algorithm & Implementation Assurance
Performance and resource-impact analysis where PQ signature/verification costs could affect safe deployment
Claim: No performance or resource-impact analysis exists for PQC deployment on OUSG or its admin infrastructure, as no PQC implementation exists to analyze.
Coverage basis: No PQC performance analysis exists.
Implementation score: 0 · Evidence confidence: Medium
Issue classification: assurance-only caveat · Score treatment: note-only
Assurance: This is an assurance-only caveat because the absence of performance analysis does not create a new quantum attack path; the classical-only implementation is already scored at 0.0 for all protection subfactors. Performance analysis would become relevant if/when Ondo develops a PQC migration plan. PQC signatures are typically larger and slower than ECDSA, but for a token with admin multisig operations (infrequent, low throughput), performance impact would likely be minimal.