Quantum-safe encryption and blockchain network
QuStream QST
QuStream is a pre-mainnet quantum-safe blockchain project whose QST token currently operates as an SPL token on Solana, inheriting Solana's quantum-vulnerable Ed25519 spend authorization. The project has published research describing a proprietary Operational Perfect Secrecy (OPS) / Symmetric Key Infrastructure (SKI) design with information-theoretic security claims, and maintains a devnet encryption manager. However, as of 2026-06-01, the native L1 blockchain—planned for Q1 2026 launch—remains 'In Progress' on the official roadmap with no mainnet genesis, explorer, or verifiable transaction history. The published cryptographic design focuses on symmetric encryption for data-in-transit and does not specify a standardized or broadly reviewed post-quantum digital signature algorithm for blockchain spend authorization or consensus. The Halborn audit covers only the Solana staking contract and is scope-mismatched for quantum-critical claims. All quantum-safe protection for blockchain layers remains roadmap/design only, with zero production migration coverage. The QRI Score of 6.25 reflects the project's Stage 1 (Quantum Risk Assessed) status: meaningful quantum risk assessment and research exist, but no production PQC protection is live, and the current production scope is entirely quantum-vulnerable.
Critical Quantum Blockers
- QST token production spend authorization relies entirely on Solana's Ed25519 signatures, which are quantum-vulnerable. No PQ/hybrid-PQC protection exists for the current production scope.
- The native QuStream L1 blockchain—claimed to provide quantum-safe encryption and consensus—has not launched on mainnet. The roadmap shows native infrastructure as 'In Progress' with no mainnet genesis, explorer, or independently verifiable transaction history as of 2026-06-01.
- No standardized, standards-track, or broadly independently reviewed post-quantum digital signature algorithm has been specified for blockchain spend authorization or consensus on the planned native chain. The published OPS/SKI design focuses on symmetric encryption for data-in-transit and does not address the non-repudiation and public-verifiability requirements of blockchain transaction signing.
Key Risks
- QST token holders are fully exposed to quantum key-recovery attacks via Solana's Ed25519 signatures for all current production transactions, staking, and custody operations.
- The planned 1:1 migration from Solana to the native chain relies on a bridge/snapshot mechanism whose design and quantum security properties are unpublished, creating uncertainty about migration-path integrity under quantum threat models.
- The proprietary OPS/SKI cryptographic design has not been subjected to broad independent cryptographic review for blockchain-specific use cases (digital signatures, consensus, public verifiability). The security claims rest primarily on IACR ePrint preprints and a single peer-reviewed conference paper, with no NIST or standards-body evaluation.
- No public source code exists for the core blockchain protocol, consensus mechanism, or quantum-safe encryption implementation. Verification of quantum-security claims is impossible from public artifacts alone.
- If the native L1 launch is delayed or the migration mechanism proves vulnerable, all QST value remains indefinitely exposed on Solana with no fallback protection.
- The project's emphasis on symmetric-key encryption (OTP/Q-Blocks) for data-in-transit does not natively solve the public-verifiability and non-repudiation requirements of blockchain transaction authorization. The mechanism for quantum-safe digital signatures on the planned native chain remains unspecified.
Assurance Notes
- Halborn audit (2025-10-07) covers only the qst-staking Solana smart contract; it does not cover the claimed native L1 quantum-safe encryption, consensus, spend authorization, or OPS/SKI cryptographic implementation. The audited component is not quantum-critical.
- The core QuStream cryptographic design (OPS/SKI) relies on proprietary, patent-pending technology published primarily as IACR ePrint preprints. Only one paper (FTC 2025, Springer LNNS) has formal peer review. The broader cryptographic community has not independently validated the 504-bit quantum-hardness claims in a blockchain spend-authorization or consensus context.
- No formal quantum-specific incident-response playbook, emergency governance process, or disclosure procedure has been published.
- No formal performance or resource-impact analysis exists for blockchain validator/node operation using the proposed OPS/SKI mechanism. Papers discuss structural latency for data-plane encryption only.
- The native L1 mainnet launch planned for Q1 2026 has no public explorer, genesis block, or transaction evidence as of the evaluation date. The project remains pre-mainnet.
- A devnet environment exists at devnet.qustream.com showing an encryption manager with a faucet, but no blockchain explorer, consensus, block production, or transaction-finality evidence is publicly available.
Non-Scoring Caveats
- Future PQ-to-PQ upgrade uncertainty for the planned native chain is a roadmap/operational note, not a current quantum-readiness deduction.
- Absence of exchange or custody migration attestations is noted but does not affect the score because the native chain is not yet live and no classical native ownership namespace exists on it.
- The planned 1:1 migration from Solana SPL to native chain depends on a secure bridge and snapshot mechanism whose quantum safety cannot yet be evaluated. This is a future operational concern, not a current production deduction.
- Stale Halborn audit for the staking contract is an assurance note; the audited component is not quantum-critical.
- Lack of a formal quantum-specific incident-response playbook is an operational-readiness note.
Evidence record
Claims and Caveats
Security Assessment & Evidence Preparedness
Public cryptographic inventory and quantum threat model
Claim: QuStream has published research papers on IACR ePrint and one peer-reviewed paper (FTC 2025) describing its OPS/SKI approach and quantum threat model. The website identifies quantum threats including harvest-now-decrypt-later and PKI vulnerability.
Coverage basis: Published research and public documentation describe the cryptographic approach at a high level but lack a comprehensive, layer-by-layer cryptographic inventory mapping all critical blockchain mechanisms (spend authorization, consensus, P2P, state integrity) to their quantum-vulnerability status.
Implementation score: 0.5 · Evidence confidence: Medium
Issue classification: quantum-critical uncertainty · Score treatment: score-reducing
Assurance: Research papers are primarily IACR ePrint preprints with limited formal review. Only one peer-reviewed publication identified (FTC 2025). The threat model is described narratively but not mapped to specific blockchain layers with vulnerability classifications.
The cryptographic inventory does not clearly identify which specific digital signature algorithm will provide spend authorization and consensus authentication on the native chain. The OPS design addresses symmetric encryption, not asymmetric digital signatures needed for blockchain transaction signing.
Security Assessment & Evidence Preparedness
Public evidence record supporting assessment
Claim: IACR papers, website documentation, Solana token explorer, GitHub staking contract, and roadmap provide some evidence for the quantum risk assessment.
Coverage basis: Partial evidence exists but lacks blockchain-protocol code, consensus specifications, mainnet transaction data, or audit coverage for quantum-critical components.
Implementation score: 0.5 · Evidence confidence: Low
Issue classification: quantum-critical uncertainty · Score treatment: score-reducing
Assurance: GitHub contains only the qst-staking Solana contract. No core blockchain protocol, consensus, or encryption implementation is public. Halborn audit is scope-mismatched (Solana staking contract only, not quantum-critical).
The evidence record is insufficient to verify any quantum-safe blockchain implementation claims. The IACR preprints describe the OPS concept but provide no test vectors, reference implementation, or blockchain-specific security analysis.
Production Cryptographic Protection
Spend authorization / transaction signatures
Claim: QST is an SPL token on Solana; all spend authorization uses Solana's Ed25519 signatures, which are quantum-vulnerable. The native L1 quantum-safe spend authorization is not in production.
Coverage basis: Current production scope (Solana SPL token) has no PQ/hybrid-PQC spend authorization. Native L1 claims are roadmap only.
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: QST token production spend authorization is entirely Ed25519 (Solana) with no PQC protection. Native L1 not on mainnet.
Assurance: Solana SPL token contract and Ed25519 dependency are verifiable from multiple independent sources.
The project's quantum-safe claims for spend authorization apply only to the planned native L1, which has not launched on mainnet.
Production Cryptographic Protection
Account, address, public-key exposure, and key-derivation design
Claim: QST token accounts on Solana use Ed25519 public keys derivable from on-chain activity. No PQ/hybrid controls exist for the production scope.
Coverage basis: Solana account model with Ed25519 keypairs. Long-exposure quantum vulnerability applies to all transacted addresses.
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Assurance: Top 5 QST holder addresses on Solana are publicly visible; no PQC address format exists.
The planned native chain claims a 'key-less protocol' with one-time-use keys, but this is not verifiable in production.
Production Cryptographic Protection
Consensus-critical authentication (validator signatures, VRFs, randomness, block certificates)
Claim: QST token inherits Solana's consensus, which uses Ed25519 validator signatures and is quantum-vulnerable. Native L1 claims PoS consensus with quantum-safe properties but is not on mainnet.
Coverage basis: Solana consensus for token transactions. Native L1 consensus design is roadmap only.
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: Native L1 consensus not on mainnet; current production scope uses Solana consensus (Ed25519).
Assurance: Native L1 consensus design describes validator nodes and QRNG entropy but provides no specification for the consensus-authentication signature scheme.
The native L1 network page describes PoS consensus with QRNG-based entropy but does not specify what digital signature algorithm validators will use for block certification.
Production Cryptographic Protection
State-integrity and data-availability mechanisms
Claim: QST token state integrity is managed by Solana's classical mechanisms. Native L1 state-integrity design is not evidenced in production.
Coverage basis: Solana state model for SPL tokens. No quantum-safe state-binding evidence for production scope.
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Assurance: No quantum-safe commitment scheme, accumulator, or state-binding mechanism is specified or verifiable for the current production scope.
The planned native chain does not publicly document its state-integrity commitment scheme.
Production Cryptographic Protection
Privacy and proof layers
Claim: QST is a standard SPL token with no privacy layer. No shielded transactions, ZK proofs, or privacy-specific cryptographic mechanisms exist.
Coverage basis: Standard fungible token with transparent balances.
Implementation score: 0 · Evidence confidence: High
Issue classification: none · Score treatment: not applicable
Privacy subfactor is not applicable to the current production scope.
Production Cryptographic Protection
P2P transport, node identity, and peer authentication
Claim: QST token inherits Solana's P2P networking, which uses classical cryptography. Native L1 P2P design is not evidenced in production.
Coverage basis: Solana P2P stack for token transactions.
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Assurance: P2P is not consensus-critical or spend-critical for the token; however, current production P2P relies on Solana's classical stack with no PQC protection.
The native L1 network page mentions Q-Block distribution and a decentralized node network but does not specify P2P authentication algorithms.
Production Cryptographic Protection
Critical wallet, custody, HSM, signer, and hardware-wallet workflows
Claim: All QST wallet and custody interactions use Solana's Ed25519 signatures. No PQ/hybrid wallet support exists for the current production scope.
Coverage basis: Solana wallet ecosystem (Phantom, Solflare, etc.) using Ed25519.
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Assurance: QuVault wallet and QuStream Authenticator are listed as 'In Progress' on the roadmap and are not available for production use.
Top 5 holder addresses control ~33% of supply via standard Solana wallets with no PQC protection.
Migration Status & Value-at-Risk
Percentage of economically relevant value-at-risk protected
Claim: 100% of QST market cap (~$1.7M–$3.3M depending on source) resides on Solana with no quantum-safe protection. Zero value has been migrated to a PQ-secure chain.
Coverage basis: Circulating supply of ~751M–999M QST on Solana; native L1 not launched; zero migration executed.
Implementation score: 0.05 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: Zero value-at-risk protected or migrated. All QST value is on quantum-vulnerable Solana.
Assurance: Market cap figures vary between sources ($1.69M on CMC vs $3.27M on LBank); both represent fully exposed value. Top 5 addresses hold ~33% of supply.
Long-exposure vulnerability: all transacted QST addresses have exposed Ed25519 public keys on Solana, enabling offline quantum key-recovery attacks with no time constraint.
Migration Status & Value-at-Risk
Critical wallets migrated, protected, or inherently PQ-native
Claim: No critical wallets (treasuries, exchanges, custodians, bridges, foundations, major protocols) have been migrated to PQ-safe infrastructure. No PQ-native wallet exists in production.
Coverage basis: All QST custody is on Solana with Ed25519.
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Assurance: Top holder analysis from LBank shows the largest holder at 150.3M QST (15.03%) in a standard Solana address. These represent the most attractive quantum-attack targets.
No exchange or custodian has published a QST-specific quantum migration attestation. The native chain is not yet available for custody migration.
Migration Status & Value-at-Risk
Legacy vulnerable pools/accounts/UTXOs/contracts identified and measurable
Claim: The project acknowledges QST is a Solana token requiring migration. The migration plan is described on the token page but provides no measurable snapshot, freeze, deprecation, or burn mechanism.
Coverage basis: Public acknowledgment of vulnerability and planned 1:1 migration exists at roadmap/proposal level.
Implementation score: 0.25 · Evidence confidence: Medium
Issue classification: quantum-critical uncertainty · Score treatment: score-reducing
Assurance: The migration plan states a 1:1 bridge migration but provides no technical specification, snapshot mechanism, bridge security model, or migration timeline beyond 'once the QuStream infrastructure is fully operational.'
The migration plan is a public statement without activation criteria, governance approval, enforcement mechanism, or technical specification for the bridge that would perform the 1:1 conversion.
Migration Mechanism, Governance & Ecosystem Coordination
Public migration or protection roadmap with sequencing, activation criteria, and dependencies
Claim: The token page and roadmap describe a planned 1:1 migration from Solana to the native L1 once the infrastructure is fully operational.
Coverage basis: Roadmap-level description exists but lacks activation criteria, technical sequencing, dependency mapping, or milestone dates.
Implementation score: 0.25 · Evidence confidence: Low
Issue classification: quantum-critical uncertainty · Score treatment: score-reducing
Assurance: No specific activation criteria, governance vote schedule, testnet migration dry-run evidence, or dependency-resolution documentation exists. The roadmap shows native infrastructure as 'In Progress' with no completion date.
The migration plan is a single paragraph stating 'Your assets are safe. The migration will be handled through a secure bridge ensuring no loss of value.' No bridge specification, audit, or security model is provided.
Migration Mechanism, Governance & Ecosystem Coordination
Migration accessibility and defaults (PQ/hybrid account creation, wallet tooling, transaction paths, custody paths, user-facing warnings, education, migration prompts)
Claim: No migration accessibility exists in production. No PQ/hybrid account creation, wallet support, custody paths, or user-facing migration prompts are available.
Coverage basis: Zero production migration tooling.
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Assurance: QuVault wallet and QuStream Authenticator are listed as 'In Progress' on the roadmap. Neither is available for production use. No exchange or custody integration for QST migration exists.
No user-facing warnings about quantum vulnerability appear on the token page or staking interface. The migration plan does not describe user-facing migration prompts, education materials, or transaction-path tooling.
Migration Mechanism, Governance & Ecosystem Coordination
Migration enforcement and coordination (deprecation, freeze, disabled legacy signing, restricted withdrawals, unsafe-path blocking, exchange/custody/bridge/wallet coordination)
Claim: No migration enforcement mechanisms exist. No freeze, deprecation, legacy-signing disablement, withdrawal restrictions, or unsafe-path blocking is evidenced.
Coverage basis: Zero enforcement or coordination evidence.
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Assurance: No evidence of exchange, custody, bridge, or wallet coordination for QST migration. No enforcement mechanism (freeze, burn, deprecation, or deadline) has been proposed.
Without enforcement mechanisms, quantum-vulnerable QST tokens on Solana could persist indefinitely even after native L1 launch, creating a permanent two-way value flow risk if a bridge is deployed.
Migration Mechanism, Governance & Ecosystem Coordination
Emergency disclosure, incident-response, or governance process for quantum-related vulnerabilities
Claim: No public emergency disclosure process, quantum-specific incident-response plan, or governance mechanism for quantum-vulnerability response has been published.
Coverage basis: No evidence of any quantum-specific emergency process.
Implementation score: 0 · Evidence confidence: None
Issue classification: assurance-only caveat · Score treatment: note-only
Assurance: This is an operational-readiness gap. Per QRI spec Section 8.2, lack of a formal quantum-specific incident-response playbook does not create a Readiness & Risk Cap by itself. It is noted here for situational awareness.
The project has not published a security contact, vulnerability disclosure program, or quantum-incident governance process. This is an operational note rather than a quantum-critical vulnerability in the current production scope.
Algorithm & Implementation Assurance
Uses NIST-standardized, standards-track, or broadly reviewed PQC/hybrid-PQC algorithms
Claim: QuStream uses proprietary OPS/SKI based on information-theoretic security, not NIST-standardized PQC. One peer-reviewed paper (FTC 2025) and multiple IACR ePrint preprints describe the design.
Coverage basis: The algorithm is not NIST-standardized or standards-track. Peer review is limited to one conference paper; broader cryptographic community validation is absent.
Implementation score: 0.25 · Evidence confidence: Low
Issue classification: quantum-critical uncertainty · Score treatment: score-reducing
Quantum blocker: Proprietary, non-standardized cryptography with no broad independent review for blockchain spend authorization or consensus.
Assurance: Per QRI spec: 'A bespoke algorithm may receive points only if it has serious public cryptographic review.' The current evidence (one peer-reviewed paper + preprints) does not meet the threshold for 'serious public cryptographic review' in the blockchain digital-signature context. The OPS design focuses on symmetric encryption for data-in-transit, not asymmetric digital signatures.
The project explicitly rejects computational PQC in favor of information-theoretic security. While mathematically interesting, the approach has not been evaluated by NIST, IETF, IRTF, or any standards body for blockchain use cases. No post-quantum digital signature algorithm has been specified for the native chain.
Algorithm & Implementation Assurance
Independent cryptographic and implementation audit for quantum-critical scope
Claim: Halborn audited the qst-staking Solana smart contract (September 2025). No audit exists for the quantum-critical OPS/SKI implementation or native blockchain cryptography.
Coverage basis: The only audit is scope-mismatched; it covers a Solana staking contract using classical cryptography, not any quantum-safe implementation.
Implementation score: 0 · Evidence confidence: Medium
Issue classification: quantum-critical uncertainty · Score treatment: score-reducing
Assurance: The Halborn audit (2025-09-18 to 2025-09-25) is stale for any future native chain and explicitly scope-limited to the Solana staking smart contract. It provides zero assurance for quantum-critical cryptographic claims.
No independent audit exists for the OPS/SKI implementation, native blockchain consensus cryptography, key distribution mechanism, or quantum-safe digital signature scheme. News on qustreamexplainer.com mentions a 'third-party audit for a major data centre operator' (March 2026), but this audit is not publicly available and its scope is unknown.
Algorithm & Implementation Assurance
Open-source, reproducible implementation
Claim: Only the qst-staking Solana contract is open-source. Core blockchain protocol, consensus, OPS/SKI encryption implementation, and key distribution mechanism are not publicly available.
Coverage basis: Single public repository with staking contract code. No core protocol or cryptographic implementation is open-source.
Implementation score: 0.25 · Evidence confidence: Medium
Issue classification: quantum-critical uncertainty · Score treatment: score-reducing
Assurance: The public GitHub organization contains a single repository (qst-staking, Rust) with zero stars, zero forks, and one contributor. The repository's own README states 'Audit Status: Pending professional security audit.' The core blockchain and encryption code is not available for independent review or reproducibility verification.
Without open-source core implementation, quantum-security claims cannot be independently verified, reproduced, or tested. This creates a single-point-of-trust dependency on the project team's closed-source codebase.
Algorithm & Implementation Assurance
Parameter agility and future upgrade path
Claim: No public documentation exists describing cryptographic parameter agility, algorithm upgrade paths, or migration strategy for the planned native chain's cryptographic primitives.
Coverage basis: Not addressed in public documentation.
Implementation score: 0 · Evidence confidence: None
Issue classification: assurance-only caveat · Score treatment: note-only
Assurance: This is an operational/documentation gap. Per QRI spec Section 9.5, parameter agility documentation contributes to Algorithm & Implementation Assurance but its absence does not create a quantum-critical vulnerability in the current production scope.
No documentation describes how cryptographic parameters would be upgraded if weaknesses are discovered in the proprietary OPS/SKI design. The proprietary, patent-pending nature of the algorithm may create additional agility constraints.
Algorithm & Implementation Assurance
Stateful-signature safety, side-channel, fault-injection, state-management, hardware-wallet, HSM, or custody implementation risks
Claim: No public analysis exists addressing stateful-signature safety, side-channel resistance, fault-injection risks, or hardware-wallet/HSM implementation considerations for the OPS/SKI design in a blockchain context.
Coverage basis: Not addressed in public documentation.
Implementation score: 0 · Evidence confidence: None
Issue classification: assurance-only caveat · Score treatment: note-only
Assurance: The OPS/SKI design uses symmetric keys and one-time pads; stateful-signature risks (e.g., XMSS/LMS state management) may not directly apply. However, the absence of any side-channel or implementation-security analysis is an assurance gap.
No analysis addresses how the 'key-less protocol' and ephemeral key generation would be secured against side-channel attacks, fault injection, or implementation-level key-material leakage in validator, wallet, or HSM environments.
Algorithm & Implementation Assurance
Performance and resource-impact analysis for PQ signature/verification costs
Claim: QuStream has published structural latency analysis comparing QS-OTP to AES-GCM and Kyber in IACR ePrint preprints. No blockchain-specific performance analysis exists for validator/node operation, block validation, gas/fee markets, or archival growth.
Coverage basis: Partial performance analysis exists for data-plane encryption latency but not for blockchain consensus or transaction-processing overhead.
Implementation score: 0.25 · Evidence confidence: Low
Issue classification: assurance-only caveat · Score treatment: confidence-only
Assurance: The latency analysis (Paper 5, IACR ePrint preprint, unreviewed) provides structural/architectural bounds, not empirical benchmarks from deployed hardware. The comparison is between encryption operations, not full blockchain protocol stacks. No analysis of block validation time, mempool policy impact, gas/fee market effects, archival storage growth, or validator hardware requirements exists.
Performance claims (4-6 ns structural latency floor for QS-OTP vs 40-70 ns for AES-GCM) are architectural and unreviewed. The QuStream website itself notes: 'Architectural analysis, not empirical benchmark from deployed hardware.'