tokenized asset
Superstate Short Duration U.S. Government Securities Fund (USTB) USTB
Superstate USTB (~$741M–$988M AUM) is a tokenized U.S. Treasuries fund deployed as a standard ERC-20/SPL token on Ethereum, Solana, and Plume. It inherits the quantum vulnerability of all three host chains and adds token-specific risk through 4 EOA-controlled admin keys (no multisig, no timelock). The project has published zero quantum-specific work: no cryptographic inventory, no quantum threat model, no PQC migration roadmap, no prototype, and no mainnet PQ support. All spend authorization is classical ECDSA/Ed25519. The admin EOAs have exposed on-chain public keys, making them long-exposure quantum targets. On the positive side, Superstate maintains redundant off-chain ownership records and can forcibly burn/remint tokens, making the system PQ-Recoverable. The fund benefits from 11 classical security audits, formal verification, institutional-grade custody (BNY Mellon), and a strong legal structure (bankruptcy-remote Delaware Trust, SEC regulated). However, per QRI rules, recoverability and classical audit coverage do not raise the quantum readiness score. The QRI Score of 3 reflects the minimal credit earned — partial credit for the documented PQ-Recoverable recovery mechanism (Category 4) and the upgradeable proxy pattern (Category 5) — capped at 10 by the absence of a public cryptographic inventory. Quantum risk has been identified by third parties (Eternax.ai, Yearn risk report) but not formally assessed or acknowledged by the project itself.
PQ-RecoverableInherits L1 ScoreTokenized AssetClassical CryptographyCentralized Admin
Category breakdown
QRI Factors
Algorithm & Implementation Assurance
0.25 / 20
Migration Mechanism, Governance & Ecosystem Coordination
2.5 / 15
Migration Status & Value-at-Risk
0 / 25
Production Cryptographic Protection
0 / 35
Security Assessment & Evidence Preparedness
0 / 5
Critical Quantum Blockers
- No public cryptographic inventory published by the project (Readiness & Risk Cap: 10).
- All spend authorization is ECDSA-only (Ethereum/Plume) or Ed25519-only (Solana) — fully quantum-vulnerable (Readiness & Risk Cap: 40).
- Admin keys are 4 EOAs with ECDSA, all with exposed on-chain public keys; no multisig, no timelock, no PQC migration path. Quantum compromise of the USTB Token Owner EOA alone enables unlimited minting, adminBurn of any holder, contract upgrades, and oracle replacement with zero delay.
- ~$741M–$988M in value-at-risk is 100% quantum-vulnerable with no migration, freeze-deprecation, or protection path for on-chain token holdings.
- No PQC migration plan, roadmap, prototype, testnet, or mainnet support exists.
- Harvest-now-decrypt-later risk: institutional transaction flows are publicly visible on-chain and cannot be retroactively protected by off-chain recovery.
Key Risks
- Quantum compromise of the USTB Token Owner EOA (0xad309bb6f13074128b4f23ef9ea2fe8552afca83) would enable unlimited minting, adminBurn of any holder's tokens, pausing all operations, replacing the price oracle, and upgrading the token implementation — all with no timelock and no multisig threshold.
- Quantum compromise of the AllowList Owner EOA (0x7747940adbc7191f877a9b90596e0da4f8deb2fe) would enable mass freezing of institutional holders by removing addresses from the AllowList, with zero exit paths for affected holders.
- Quantum compromise of the RedemptionIdle Owner EOA (0x8cf40e96e7d7fd8A7A9bEf70d3882fbBC4D40765) would enable pausing redemptions and withdrawing USDC from the redemption contract.
- Quantum compromise of the Oracle Owner EOA (0x4B1df64357a5D484563c9b7c16a80eD8B8fB1395) would enable manipulation of NAV checkpoints, affecting subscription and redemption pricing for all holders.
- All ~$741M in on-chain USTB value (plus ~$66M in Aave) is 100% exposed to quantum key-recovery attacks with no migration or protection path.
- Harvest-now-decrypt-later: institutional transaction patterns and counterparty relationships are permanently recorded on public ledgers and cannot be retroactively protected, even if tokens are later recovered off-chain.
- The EVM bridge function relies on Superstate backend to credit destination chains — quantum compromise of admin keys could disrupt or corrupt cross-chain reconciliation.
Assurance Notes
- 11 classical security audits from 3 firms (0xMacro, ChainSecurity, Offside Labs) plus Certora formal verification — all classical in scope; none address quantum threat models or PQC implementation.
- Turnkey TEE-based secure enclaves protect admin private keys at rest but do not mitigate quantum cryptanalysis of ECDSA — a quantum adversary derives the private key from the on-chain public key, not from enclave extraction.
- Off-chain recovery mechanism exists: Superstate maintains redundant ownership records (fund calculation agent, internal records, on-chain) and can forcibly burn/remint tokens. This provides a PQ-Recoverable path but does not prevent quantum-enabled theft, forgery, or unauthorized minting in real time.
- Fund benefits from institutional-grade legal structure: bankruptcy-remote Delaware Statutory Trust, SEC Reg D 506(c), BNY Mellon custody, EY auditor, NAV Fund Services calculation agent. These off-chain protections are strong for classical operational risk but do not block a quantum adversary from compromising on-chain admin keys.
- Admin keys are 4 distinct EOAs with no multisig and no timelock. While key separation reduces single-key blast radius, each EOA's public key is exposed on-chain, making all 4 susceptible to quantum key-recovery attacks.
- No formal quantum-specific incident-response playbook, no quantum disclosure process, and no quantum-security contact documented.
Non-Scoring Caveats
- The off-chain recovery mechanism (freeze, adminBurn, remint from redundant off-chain records) provides a credible PQ-Recoverable path and is a meaningful operational strength, but per QRI §10.1 it does not constitute quantum resistance and does not raise the QRI Score for production protection.
- Turnkey TEE-based key management is strong for classical operational security but does not address the cryptographic vulnerability of ECDSA to quantum Shor's algorithm.
- 11 classical security audits and Certora formal verification demonstrate exceptional classical security diligence, but their scope is entirely classical and provides zero quantum assurance.
- ~15–21% of AUM is held as book-entry shares (off-chain), which are not directly exposed to on-chain quantum key-recovery attacks — however the same legal entity controls both, and book-entry shares can be converted to on-chain tokens.
- USTB's bridge function (EVM bridge()/bridgeToBookEntry()) burns tokens on source chain and relies on Superstate backend to credit destination — this is not a trustless two-way bridge that would create additional QRI caps under the bridge/wrapper rule (§8.2), but the backend dependency is a centralization vector.
- The AllowList freeze risk (removal = permanent freeze with zero exit paths) is a classical centralization concern; quantum compromise of the AllowList EOA would enable targeted or mass freezes of institutional holders.
Evidence record
Claims and Caveats
Security Assessment & Evidence Preparedness
Public cryptographic inventory and quantum threat model
Claim: No public cryptographic inventory or quantum threat model has been published by Superstate.
Coverage basis: Project self-assessment (absent)
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: cap-applying
Quantum blocker: No public cryptographic inventory — Readiness & Risk Cap: 10
Assurance: Web search across superstate.com, docs.superstate.com, and github.com/superstateinc confirms zero mentions of 'quantum', 'post-quantum', 'PQC', or 'cryptographic inventory'. Evidence of absence is strong given the project's otherwise thorough public documentation.
Third-party risk identification exists (Eternax.ai 'Highly Critical Quantum Risk 5/5', Yearn risk report notes EOA centralization) but does not substitute for a project-published inventory.
Security Assessment & Evidence Preparedness
Public evidence record supporting quantum assessment
Claim: No quantum-specific evidence record has been published by the project.
Coverage basis: Project self-assessment (absent)
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Assurance: No quantum-specific code references, specs, audits, transaction examples, or reproducible analytics published by Superstate.
The project's classical audit archive (11 reports) and open-source code constitute a strong classical evidence record but contain zero quantum content.
Production Cryptographic Protection
Spend authorization / transaction signatures
Claim: USTB uses standard ECDSA (Ethereum/Plume) and Ed25519 (Solana) for all spend authorization and permit signatures (EIP-2612). No PQC or hybrid-PQC signatures are implemented.
Coverage basis: Host-chain inherited + token-specific EIP-2612 permit
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: All spend authorization is ECDSA/Ed25519-only — Readiness & Risk Cap: 40
Assurance: Verified on-chain: USTB Token Proxy at 0x43415eB6ff9DB7E26A15b704e7A3eDCe97d31C4e implements standard OpenZeppelin ERC-20 with EIP-2612 permit() using ECDSA. 0xMacro audit A-2 (Jul 2024) confirms EIP-2612 ECDSA permit signatures. Solana SPL Token-2022 uses Ed25519.
Token inherits host-chain signature scheme. No token-specific custom cryptography beyond ERC-20 standards.
Production Cryptographic Protection
Account/address/public-key exposure and key-derivation design
Claim: Standard Ethereum secp256k1 and Solana Ed25519 account models. Long-exposure public keys for all transacted addresses including admin EOAs.
Coverage basis: Host-chain inherited
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: All 4 admin EOAs have exposed on-chain public keys with extensive transaction history — long-exposure targets
Assurance: All 4 admin EOAs confirmed on-chain with code size 0 (Yearn risk report, April 2026). USTB Token Owner has 161+ transactions, AllowList Owner has 221+, RedemptionIdle Owner and Oracle Owner also have transaction history — public keys are fully exposed.
No PQ key-derivation scheme, no stealth addressing, no address rotation mechanism. Institutional holders' addresses are visible on-chain through AllowList-gated transfers.
Production Cryptographic Protection
Consensus-critical authentication
Claim: USTB is a token, not a consensus network. Consensus authentication is handled by host chains (Ethereum, Solana, Plume).
Coverage basis: N/A — token does not operate consensus
Implementation score: 0 · Evidence confidence: High
Issue classification: none · Score treatment: not applicable
Production Cryptographic Protection
State-integrity and data-availability mechanisms
Claim: USTB relies on host-chain state integrity (Ethereum EVM storage, Solana account model). No custom cryptographic commitment schemes, accumulators, or KZG/pairing-based verification.
Coverage basis: N/A — no custom state-integrity cryptography
Implementation score: 0 · Evidence confidence: High
Issue classification: none · Score treatment: not applicable
Assurance: Verified from source code at github.com/superstateinc/ustb — SuperstateToken.sol extends ERC20Upgradeable, PausableUpgradeable, Ownable2StepUpgradeable. No custom cryptographic primitives.
Production Cryptographic Protection
Privacy and proof layers
Claim: USTB has no privacy layer, ZK proofs, shielded transactions, note encryption, viewing keys, or stealth addresses.
Coverage basis: N/A — no privacy layer exists
Implementation score: 0 · Evidence confidence: High
Issue classification: none · Score treatment: not applicable
Assurance: The absence of a privacy layer means harvest-now-decrypt-later attacks can collect complete institutional transaction histories from public ledgers. This is noted as a privacy risk in the Eternax.ai assessment but does not create a separate QRI-scored privacy subfactor since no privacy layer exists to evaluate.
While USTB has no privacy layer to score, the public visibility of institutional flows creates a permanent harvest-now-decrypt-later exposure that off-chain recovery cannot retroactively fix.
Production Cryptographic Protection
P2P transport, node identity, and peer authentication
Claim: USTB is a token, not a P2P network. Node identity and peer authentication are handled by host chains.
Coverage basis: N/A — token does not operate a P2P network
Implementation score: 0 · Evidence confidence: High
Issue classification: none · Score treatment: not applicable
Production Cryptographic Protection
Critical wallet, custody, HSM, and hardware-wallet workflows
Claim: Admin keys are 4 EOAs managed via Turnkey TEE-based secure enclaves. No PQ-protected signing path, no hybrid-PQC custody workflow, and no hardware-wallet support for PQC signatures.
Coverage basis: Token-specific admin key custody
Implementation score: 0 · Evidence confidence: Medium
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: 4 EOA admin keys with no multisig, no timelock, no PQC custody path
Assurance: Turnkey TEEs protect key material at rest (extraction resistance) but the signing algorithm remains ECDSA secp256k1. A quantum computer running Shor's algorithm derives the private key from the on-chain public key without accessing the enclave. The Yearn risk report (April 2026) confirms all 4 admin addresses are EOAs (code size 0) with no multisig on any.
Turnkey documentation referenced by Superstate security page; exact TEE architecture and attestation verifiability not independently confirmed. Even with perfect TEE security, ECDSA remains quantum-vulnerable.
Migration Status & Value-at-Risk
Percentage of economically relevant value-at-risk protected
Claim: ~$741M–$988M total AUM; 0% is quantum-protected. All on-chain USTB (~$620M Ethereum, ~$10M Plume, ~$3M Solana) relies on quantum-vulnerable ECDSA/Ed25519.
Coverage basis: On-chain token value + DeFi TVL
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: ~$741M–$988M value 100% quantum-vulnerable
Assurance: Multiple independent sources confirm AUM: Superstate official page ($987.82M as of May 2026), DefiLlama ($772M TVL), RWA.xyz ($811M), CoinGecko ($741M market cap). Distribution: Ethereum ~83% on-chain + ~16% book-entry. Aave integration holds ~$66M USTB TVL. All on-chain value is quantum-vulnerable.
Book-entry shares (~$155M, ~16% of AUM) are not directly exposed to on-chain quantum attacks, but the same admin keys control conversion between book-entry and on-chain tokens.
Migration Status & Value-at-Risk
Critical wallets migrated, protected, or inherently PQ-native
Claim: No critical wallets (admin EOAs, treasury, custody addresses) have been migrated to PQC or hybrid-PQC. All 4 admin EOAs remain classical ECDSA.
Coverage basis: Token-specific admin keys
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: 4 admin EOAs fully classical, no migration
Assurance: Yearn risk report (April 2026) verified all 4 admin addresses on-chain as EOAs with code size 0. No multisig, no timelock on any. The USTB Token Owner controls mint, adminBurn, pause, oracle upgrade, and proxy upgrade — compromise of this single EOA is catastrophic.
No evidence of any migration planning for admin keys. No multisig adoption, no timelock addition, no PQC signing path documented.
Migration Status & Value-at-Risk
Legacy vulnerable pools/accounts/UTXOs/contracts identified, measurable, deprecated, or proven not to exist by design
Claim: No quantum-specific inventory of vulnerable accounts, UTXOs, or contracts has been published. No deprecation, freeze, or burn policy exists for quantum-vulnerable holdings.
Coverage basis: Token-specific migration inventory
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Assurance: No quantum-specific inventory, deprecation policy, or migration measurement published by Superstate. The AllowList provides a technical mechanism to freeze addresses, but this has not been purposed for quantum-vulnerable account deprecation.
The adminBurn function and AllowList removal could theoretically serve as freeze/deprecation mechanisms, but no quantum-specific policy exists.
Migration Mechanism, Governance & Ecosystem Coordination
Public migration or protection roadmap
Claim: No public quantum migration or protection roadmap exists.
Coverage basis: Project roadmap (absent)
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Assurance: Web search across superstate.com, docs.superstate.com, and github.com/superstateinc confirms zero quantum migration content. The project's public roadmap (Invesco transition, DeFi integrations) contains no quantum-related items.
Migration Mechanism, Governance & Ecosystem Coordination
Migration accessibility and defaults
Claim: No PQ/hybrid account creation, wallet tooling, transaction paths, custody paths, user-facing warnings, education, or migration prompts exist.
Coverage basis: Token-specific migration tooling
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Assurance: No PQ account creation, no hybrid signature support in token contracts, no wallet integration for PQC, no user-facing quantum warnings in documentation or UI.
The AllowList-gated nature of USTB means all holders are known KYC'd entities — this could facilitate coordinated migration in the future but no such coordination exists today.
Migration Mechanism, Governance & Ecosystem Coordination
Migration enforcement and coordination
Claim: No quantum-specific enforcement mechanisms exist. No deprecation of legacy signing, no restricted withdrawals, no mandatory migration deadline. However, Superstate maintains off-chain records and can forcibly burn/remint tokens or reinstate portfolios if an allowlist address is compromised.
Coverage basis: Recoverability mechanism (implemented)
Implementation score: 0.5 · Evidence confidence: High
Issue classification: assurance-only caveat · Score treatment: score-reducing
Assurance: The adminBurn function and pause/unpause capabilities could theoretically enforce migration, but no quantum-specific enforcement policy or timeline exists. No exchange, custody, or bridge coordination for quantum migration has been documented. The off-chain recovery mechanism provides a PQ-Recoverable path but does not constitute quantum resistance.
Per QRI §10.1, the recovery mechanism earns partial credit (0.50) for having a credible enforcement/recovery path, but it does not prevent the initial quantum-enabled compromise. This supports the PQ-Recoverable tag.
Migration Mechanism, Governance & Ecosystem Coordination
Emergency disclosure, incident-response, or governance process for quantum-related vulnerabilities
Claim: No quantum-specific incident response process exists. General security contact ([email protected]) and bug bounty program are documented but make no reference to quantum threats.
Coverage basis: Token-specific incident response
Implementation score: 0 · Evidence confidence: Medium
Issue classification: assurance-only caveat · Score treatment: note-only
Assurance: The security page documents a bug bounty program, security contact, and Turnkey key management but does not mention quantum threats, cryptographic migration, or post-quantum incident response. The off-chain recovery mechanism (redundant records + adminBurn/remint) provides a credible general recovery path but is not formalized for quantum-specific scenarios.
Per QRI §8.2, the absence of a formal quantum-specific incident-response playbook does not by itself create a Readiness & Risk Cap. It is recorded as an assurance caveat.
Algorithm & Implementation Assurance
Uses NIST-standardized, standards-track, or broadly reviewed PQC/hybrid-PQC algorithms
Claim: No PQC or hybrid-PQC algorithms are implemented anywhere in the USTB token system.
Coverage basis: Token-specific algorithm selection
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Assurance: Source code review confirms exclusive use of standard Solidity/OpenZeppelin cryptographic patterns (ECDSA, keccak256). No CRYSTALS-Kyber, CRYSTALS-Dilithium, FALCON, SPHINCS+, or any other PQC algorithm is referenced or implemented.
Algorithm & Implementation Assurance
Independent cryptographic and implementation audit for quantum-critical scope
Claim: 11 classical security audits exist but none address quantum-critical implementation. No quantum-specific audit has been performed.
Coverage basis: Token-specific audit coverage
Implementation score: 0 · Evidence confidence: High
Issue classification: assurance-only caveat · Score treatment: note-only
Assurance: 11 audits (0xMacro A1-A9, ChainSecurity 2023, Offside Labs May 2025) plus Certora formal verification provide exceptional classical assurance. However, all audits are scope-mismatched for quantum readiness — they verify correctness of ECDSA-based ERC-20 implementation, not PQC or hybrid-PQC security. Per QRI §6.4, scope-mismatched audits support only the audited (classical) component.
The audit program demonstrates strong security discipline that would benefit any future PQC migration, but currently provides zero quantum assurance.
Algorithm & Implementation Assurance
Open-source, reproducible implementation
Claim: No quantum-critical implementation exists to evaluate for open-source reproducibility.
Coverage basis: N/A — no PQ implementation exists
Implementation score: 0 · Evidence confidence: High
Issue classification: none · Score treatment: not applicable
Assurance: Classical contracts are open source on GitHub (superstateinc/ustb) with verified Etherscan deployments. This would support a future PQC implementation audit but does not earn QRI credit for a nonexistent quantum-critical implementation.
Algorithm & Implementation Assurance
Parameter agility and future upgrade path documented
Claim: USTB contracts use the OpenZeppelin upgradeable proxy pattern (EIP-1967). All 3 proxy contracts (USTB Token, AllowList, RedemptionIdle) can be upgraded by their respective ProxyAdmin owners. This provides architectural upgrade capability but no PQ-specific upgrade path is documented.
Coverage basis: Token-specific upgrade mechanism
Implementation score: 0.25 · Evidence confidence: High
Issue classification: none · Score treatment: score-reducing
Assurance: The upgradeable proxy pattern (EIP-1967) is well-documented, audited, and demonstrated through 5 token version upgrades (V1→V5_1) and 3 AllowList versions (V1→V3.1). The ProxyAdmin pattern enables implementation swaps. However, no PQ-specific upgrade path (e.g., planned migration to ERC-20 with PQ signature verification) is documented. Scored at 0.25 for public design/documented upgrade mechanism per Implementation Score table.
Upgrades execute immediately with no timelock — this is a classical governance concern but also means a quantum emergency upgrade could be deployed rapidly if needed.
Algorithm & Implementation Assurance
Stateful-signature safety
Claim: No stateful signatures (XMSS/LMS or similar) are used in the USTB token system.
Coverage basis: N/A — no stateful signatures
Implementation score: 0 · Evidence confidence: High
Issue classification: none · Score treatment: not applicable
Algorithm & Implementation Assurance
Performance and resource-impact analysis for PQ deployment
Claim: No PQ performance or resource-impact analysis has been published.
Coverage basis: N/A — no PQ implementation to analyze
Implementation score: 0 · Evidence confidence: High
Issue classification: none · Score treatment: not applicable
Report metadata