stablecoin
USDC
USDC scores 10/100 (QRI Stage 2: Mitigation / Development). Circle has published an exemplary post-quantum security whitepaper (May 2026) with comprehensive cryptographic inventory, threat modeling, phased migration strategy, and recovery framework designs — earning full credit for Security Assessment & Evidence Preparedness (5/5). However, zero production PQ protection exists for any token-specific function. All admin key authorization (MasterMinter, Blacklister, proxy-admin, Owner, Pauser) and CCTP bridge attestation remain entirely ECDSA-only. Multiple admin keys have exposed on-chain public keys, creating material long-exposure quantum-vulnerable value-at-risk across ~$76.5B in circulation. User transaction signatures inherit host-chain quantum vulnerability. The Arc L1 blockchain (separate project) plans native PQ support but does not protect current USDC. The whitepaper's proposed dual-signature contract upgrades and recovery frameworks are roadmap items with no production deployment. Score is capped at 40 by the Readiness & Risk Cap (active production spend authorization entirely ECC-only) but the raw Factor Score of ~10 is the binding constraint.
Category breakdown
QRI Factors
Critical Quantum Blockers
- ECDSA-only admin key authorization: MasterMinter, Blacklister, Pauser, proxy-admin, and Owner roles rely entirely on ECDSA signatures. Compromise of MasterMinter enables unlimited unbacked minting (~$76.5B value-at-risk). Multiple admin keys have exposed public keys from historical on-chain transactions.
- CCTP bridge attestation uses ECDSA m-of-n multisig: Circle's Cross-Chain Transfer Protocol V2 attestation service signs cross-chain minting authorizations with 65-byte ECDSA signatures. A quantum attacker breaking attester keys could forge mint attestations on destination chains.
- No production PQ or hybrid-PQ protection exists for any token-specific cryptographic function. User transaction authorization inherits host-chain quantum vulnerability (ECDSA/Ed25519 on Ethereum, Solana, etc.).
Key Risks
- MasterMinter key compromise via quantum attack enables unlimited unbacked USDC minting, directly threatening the 1:1 USD peg and ~$76.5B in circulation.
- CCTP attester key compromise enables forged cross-chain mint attestations, allowing an attacker to mint USDC on destination chains without corresponding source-chain burns.
- Blacklister key compromise enables targeted or widespread freezing of exchange hot wallets, DeFi protocols, and institutional holdings, causing systemic market disruption.
- Proxy-admin multisig compromise (requiring multiple Shor runs but offering total control) enables deployment of malicious implementation contracts that could steal or manipulate all USDC balances.
- Multiple admin role addresses (Blacklister, Owner, Pauser, MasterMinter controller owner) have been single EOAs with exposed public keys, making them the cheapest quantum targets.
- USDC inherits host-chain quantum vulnerability for all user transactions across 34+ blockchains. Users on quantum-vulnerable host chains cannot protect their USDC holdings through token-level mechanisms.
- Circle cannot unilaterally fix ecrecover dependency; it requires host-chain hard forks. Immutable third-party contracts using ecrecover cannot be upgraded.
- The PQ roadmap's recovery frameworks depend on future regulatory guidance, ZK-proof systems not yet production-ready, and TEE infrastructure that is still in development on Arc.
Assurance Notes
- Circle published a comprehensive Post-Quantum Security Roadmap whitepaper (May 2026) co-authored with Dan Boneh (Stanford), providing detailed cryptographic inventory, threat modeling, phased migration strategy, and recovery framework design. This is a roadmap/design document, not an implemented production system.
- USDC FiatToken contracts (circlefin/stablecoin-evm) are open source and have undergone classical security audits by ChainSecurity and OtterSec. No independent PQ-specific audit exists because no PQ implementation is in production.
- Several admin roles (Blacklister, MasterMinter controller, Pauser, Owner) were historically single EOAs with on-chain public key exposure. Etherscan confirms the Blacklister address (0x10df...) remains active as of 2025-06-28, indicating continued use of the historically exposed key. Whether these keys have been rotated to fresh unexposed keys or higher-threshold multisigs as an interim mitigation is not publicly verified.
- USDC market cap is approximately $76.5B as of June 2026, across 34+ blockchains. This represents the value-at-risk from token-specific admin key or CCTP attestation compromise.
- Circle's Arc L1 blockchain (testnet 2025, mainnet targeted 2026) plans native SLH-DSA-SHA2-128s signature verification and PQ privacy features. Arc is a separate project and its PQ features do not protect current production USDC deployments.
- The PQ whitepaper's proposed recovery frameworks (seed-phrase ZK proofs, TEE-attested recovery, off-chain legal/evidentiary processes) are design proposals only; none are implemented or enforceable in current production.
Non-Scoring Caveats
- Circle's Arc L1 blockchain PQ features (SLH-DSA precompile, TEE privacy layer, PQ validator signatures) are a separate project and do not retroactively protect existing USDC deployments. Recorded as operational/product caveat, not score-reducing.
- The PQ whitepaper discusses ecrecover replacement via protocol-level hard fork; this depends on host-chain governance and cannot be executed by Circle alone. Recorded as operational/product caveat.
- Immutable host-chain contracts using ecrecover cannot be upgraded via proxy pattern. This affects USDC's EIP-2612/EIP-3009 integrations but is a host-chain dependency, not a USDC-specific fixable issue.
- Audit freshness for classical CCTP/FiatToken audits (ChainSecurity, OtterSec) does not affect quantum scoring since there is no PQ implementation to audit. Recorded as assurance-only caveat.
- No formal PQ performance benchmarking exists for production USDC because no PQ implementation exists in production scope. Whitepaper includes qualitative discussion of signature size/throughput tradeoffs.
- Future Arc mainnet launch and USDC migration timeline uncertainty is a roadmap risk, not a current production quantum vulnerability. Recorded as operational/product caveat.
- Missing exchange/custody migration attestations are noted but do not reduce the QRI Score because no PQ migration path exists yet for USDC token-specific functions.
Evidence record
Claims and Caveats
Security Assessment & Evidence Preparedness
Public cryptographic inventory of critical public-key mechanisms and public quantum threat model
Claim: Circle's May 2026 Post-Quantum Security Roadmap whitepaper provides a comprehensive public cryptographic inventory covering USDC smart contracts, CCTP attestation, Arc blockchain, internal infrastructure, and third-party vendors. Threat model covers at-rest forgery, privacy loss, on-spend attacks, P2P compromise, RPC intercept, and bridge attestation forgery across three phases.
Coverage basis: Public whitepaper with detailed threat taxonomy and attack-surface mapping
Implementation score: 1 · Evidence confidence: High
Issue classification: none · Score treatment: not applicable
Assurance: Whitepaper co-authored with Dan Boneh (Stanford). Covers Section 3 (Quantum Ready Now), Section 4 (Transition), and Section 5 (Switch) phases with specific attack-surface tables. This is a design/assessment document, not an implementation.
Exemplary risk assessment work. Full credit is appropriate per QRI §9.1, which rewards serious public quantum risk inventory independent of deployment status.
Security Assessment & Evidence Preparedness
Public evidence record supporting the assessment
Claim: Assessment is supported by the whitepaper itself, open-source contract code (circlefin/stablecoin-evm, circlefin/evm-gateway-contracts), CCTP documentation (developers.circle.com), independent third-party analysis (Project Eleven, July 2025), and Invarians CCTP research (May 2026).
Coverage basis: Multiple primary and independent secondary sources
Implementation score: 1 · Evidence confidence: High
Issue classification: none · Score treatment: not applicable
Assurance: Multiple independent sources corroborate the vulnerability assessment. Project Eleven analysis independently confirms admin key exposure and quantum-attack scenarios.
Evidence record is strong and multi-sourced.
Production Cryptographic Protection
Spend authorization / transaction signatures are PQC or hybrid-PQC on mainnet
Claim: USDC token-specific admin functions (mint, burn, blacklist, pause, upgrade, role reassignment) rely entirely on ECDSA signatures. User transfer authorization inherits host-chain cryptographic properties (ECDSA on Ethereum/EVM chains, Ed25519 on Solana, etc.). No PQ or hybrid-PQC signature path exists for any token function in production.
Coverage basis: Source code audit (circlefin/stablecoin-evm FiatTokenV2_2.sol), on-chain transaction evidence, Project Eleven analysis, Circle whitepaper confirmation
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: cap-applying
Quantum blocker: ECDSA-only admin key authorization for all privileged token functions. MasterMinter controls unlimited minting capacity. Multiple admin keys have exposed public keys from historical on-chain transactions.
Assurance: Verified from public source code and on-chain data. Circle's own whitepaper confirms ECDSA dependency and states transaction signatures will remain ECDSA-only for the near future.
For user transfer authorization, USDC inherits host-chain QRI per §7.2 Token Inheritance. This subfactor is scored for token-specific admin spend authorization only.
Production Cryptographic Protection
Account, address, public-key exposure, and key-derivation design
Claim: Multiple USDC admin role addresses (Blacklister 0x10df..., Owner 0xfcb1..., Pauser 0x4914..., MasterMinter controller owner 0xc1d9...) were single EOAs that have broadcast transactions, exposing their secp256k1 public keys on-chain. These represent long-exposure quantum-vulnerable value. No PQ/hybrid key-derivation or address scheme exists for admin roles.
Coverage basis: Etherscan transaction history, HackMD analysis of USDC role addresses, Project Eleven research
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: cap-applying
Quantum blocker: Long-exposure public keys for admin roles enable offline quantum key-recovery attacks with no time constraint. Blacklister, Owner, Pauser, and MasterMinter controller owner addresses have all sent transactions.
Assurance: Etherscan confirms Blacklister address (0x10df...) remains active with transactions as recently as 2025-06-28. Whether Circle has rotated these keys to fresh unexposed addresses or higher-threshold multisigs is not publicly confirmed.
The proxy-admin is a multisig requiring multiple key compromises, raising the attack cost but not changing the underlying ECDSA vulnerability. The MasterMinter role is a contract (0xe982...), but its owner (0xc1d9...) is an EOA with an exposed public key.
Production Cryptographic Protection
Consensus-critical authentication
Claim: USDC is a token, not a blockchain. It has no consensus mechanism, validator set, or block production.
Coverage basis: Architectural design
Implementation score: 0 · Evidence confidence: High
Issue classification: none · Score treatment: not applicable
Production Cryptographic Protection
State-integrity and data-availability mechanisms
Claim: USDC supply integrity (preventing unauthorized minting/burning) is protected only by ECDSA admin key authorization. CCTP bridge verification for cross-chain supply consistency uses ECDSA m-of-n multisig attestations. No PQ mechanisms protect token state integrity or bridge verification.
Coverage basis: FiatTokenV2_2 source code, CCTP Attestable.sol contract, Circle developer documentation
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: cap-applying
Quantum blocker: CCTP attestation uses ECDSA signatures exclusively (65-byte format, keccak256 hash, secp256k1 recovery). Circle's own developer documentation and Attestable.sol source code confirm this. A quantum attacker breaking the attester threshold keys can forge cross-chain mint authorizations.
Assurance: CCTP contracts have been independently audited by ChainSecurity and OtterSec for classical security. These audits do not cover quantum resistance.
CCTP uses m-of-n multisig with ascending-address ordering to prevent signature duplication. This raises the quantum attack cost (must break m of n keys) but does not change the underlying ECDSA vulnerability.
Production Cryptographic Protection
Privacy and proof layers
Claim: USDC is a transparent stablecoin with no privacy features, shielded pools, ZK proofs, or confidential transactions in current production scope.
Coverage basis: Architectural design
Implementation score: 0 · Evidence confidence: High
Issue classification: none · Score treatment: not applicable
Production Cryptographic Protection
P2P transport, node identity, and peer authentication
Claim: USDC is a token, not a peer-to-peer network. It has no node identity, P2P transport, or peer authentication layer.
Coverage basis: Architectural design
Implementation score: 0 · Evidence confidence: High
Issue classification: none · Score treatment: not applicable
Production Cryptographic Protection
Critical wallet, custody, HSM, and hardware-wallet workflows
Claim: Circle states plans to migrate cold storage to on-chain multi-signature smart contracts and acknowledges HSM/PQ limitations in the whitepaper. However, no production PQ wallet, custody, or HSM workflow exists for USDC admin key operations today. All admin signing remains ECDSA-based.
Coverage basis: Whitepaper Section 4.1 (Cold Storage), Section 4.5 (Key Management and Inventory)
Implementation score: 0 · Evidence confidence: Medium
Issue classification: quantum-critical vulnerability · Score treatment: cap-applying
Quantum blocker: Admin key custody and signing workflows remain entirely ECDSA-based in production. No PQ HSM, PQ MPC, or PQ multi-sig custody path is operational.
Assurance: Whitepaper Sections 4.1 and 4.5 describe planned migration to on-chain multi-signature smart contracts for cold storage and systematic key rotation, but these are roadmap items without production evidence.
Circle's whitepaper candidly acknowledges that PQ threshold signatures and MPC remain immature and that HSM support for PQ algorithms is limited.
Migration Status & Value-at-Risk
Percentage of economically relevant value-at-risk protected
Claim: 0% of token-specific admin value-at-risk is PQ-protected. The entire ~$76.5B USDC circulating supply (across 34+ chains) is exposed to supply-integrity compromise via quantum attack on admin keys or CCTP attestation. No migration has occurred for any token-specific cryptographic function.
Coverage basis: On-chain supply data (usdc.cool, CoinMarketCap), verified ECDSA-only admin architecture
Implementation score: 0.05 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: 0% PQ protection coverage for token-specific value-at-risk. Entire ~$76.5B supply exposed to admin key or CCTP attestation compromise.
Assurance: Market cap figure from CoinMarketCap and Circle's own website (~$75.5-76.5B as of June 4-6, 2026). Reserve attestation by Deloitte confirms backing.
User balance value-at-risk from host-chain transaction signature vulnerability is inherited and scored under host-chain QRI per §7.2. This subfactor scores token-specific admin and bridge value-at-risk. Coverage is <25% (effectively 0%), mapping to Implementation Score 0.05 per §9.3.1 thresholds.
Migration Status & Value-at-Risk
Critical wallets migrated, protected, or inherently PQ-native
Claim: None of Circle's admin wallets (proxy-admin multisig, Owner, MasterMinter controller, Blacklister, Pauser, Minters, CCTP attesters) have been migrated to PQ or hybrid-PQ signature schemes. All remain ECDSA-based in production.
Coverage basis: On-chain transaction evidence, HackMD role analysis, Project Eleven research
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: Zero admin wallets migrated to PQ. All critical token-control paths remain ECDSA-dependent.
Assurance: Circle's whitepaper Sections 4.1 and 4.5 describe planned cold storage migration to on-chain multi-signature smart contracts and systematic key rotation, but these are not yet implemented.
Migration Status & Value-at-Risk
Legacy vulnerable pools/accounts/UTXOs/contracts identified and measured
Claim: Circle's whitepaper and the Project Eleven analysis have identified the vulnerable admin roles (MasterMinter, Blacklister, Pauser, Owner, proxy-admin) and their on-chain public key exposure. The vulnerable value (~$76.5B supply integrity risk) is measurable. However, no deprecation, migration, freeze, or burn mechanism has been enacted.
Coverage basis: Whitepaper threat model, Project Eleven analysis, HackMD role documentation
Implementation score: 0.25 · Evidence confidence: High
Issue classification: quantum-critical uncertainty · Score treatment: score-reducing
Assurance: Vulnerable pools are well-identified and documented. Whether historically exposed single-EOA admin keys have been rotated to fresh unexposed keys is not publicly confirmed, representing an uncertainty.
Implementation Score 0.25 reflects public design/identification level per §9.3. The whitepaper proposes recovery frameworks but no enforcement mechanism exists in production.
Migration Mechanism, Governance & Ecosystem Coordination
Public migration or protection roadmap with sequencing, activation criteria, and dependencies
Claim: Circle's May 2026 whitepaper provides a detailed three-phase roadmap (Readiness → Transition → Switch) with specific attack-surface tables, activation criteria, dependencies on host-chain support, and algorithm choices. Covers USDC contract upgrades, ecrecover replacement, cold storage migration, key management rotation order, and account recovery frameworks.
Coverage basis: Whitepaper Sections 3, 4, and 5 with detailed phase descriptions
Implementation score: 0.25 · Evidence confidence: High
Issue classification: none · Score treatment: not applicable
Assurance: The whitepaper is a detailed design document co-authored with Stanford's Dan Boneh. It provides concrete algorithm choices (SLH-DSA-SHA2-128s), upgrade mechanisms (dual-mode contracts with one-way classical disable), and recovery approaches. However, it remains a roadmap with no deployed code for USDC migration.
Implementation Score 0.25 reflects 'Public design, draft specification, roadmap, or research plan' per §6.2. The whitepaper is unusually detailed for a roadmap but does not yet have public code or testnet for USDC-specific migration.
Migration Mechanism, Governance & Ecosystem Coordination
Migration accessibility and defaults: PQ/hybrid account creation, wallet tooling, transaction paths, custody paths, user-facing warnings, education, and migration prompts are available
Claim: No PQ/hybrid account creation, wallet tooling, transaction paths, custody paths, user-facing warnings, education materials, or migration prompts exist for current production USDC. All user and admin interactions remain ECDSA-only.
Coverage basis: Absence of any production PQ tooling or migration interface
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: No production migration accessibility exists. Users and administrators cannot opt into PQ protection for any USDC function.
Assurance: The whitepaper proposes future mechanisms (dual-signature contracts, public-key registries, hash-and-rotate for ERC-4337 accounts) but none are deployed.
Arc testnet supports SLH-DSA signature verification, but this is for the separate Arc blockchain, not for existing USDC on Ethereum, Solana, or other production host chains.
Migration Mechanism, Governance & Ecosystem Coordination
Migration enforcement and coordination: enforcement mechanisms exist and exchange, custody, bridge, wallet, and infrastructure coordination prevents unsafe fallback
Claim: No enforcement mechanisms exist in production. The whitepaper proposes eventual disabling of ECDSA signatures, delisting USDC from non-compliant host chains, and protective freezes of non-migrated accounts. No exchange, custody, bridge, wallet, or infrastructure coordination has occurred for USDC PQ migration.
Coverage basis: Absence of any production enforcement or coordination
Implementation score: 0 · Evidence confidence: Medium
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: No enforcement mechanism prevents quantum-vulnerable admin operations or cross-chain bridge attestations in current production.
Assurance: Whitepaper Section 5.1 (Hard Switch) describes planned enforcement: rejecting ECDSA-signed transactions, freezing non-migrated accounts, and potentially delisting USDC from non-compliant chains. These are future plans with significant regulatory and operational dependencies.
Enforcement depends on host-chain support (ecrecover replacement requires hard forks) and regulatory guidance (recovery frameworks, abandoned asset treatment).
Migration Mechanism, Governance & Ecosystem Coordination
Emergency disclosure, incident-response, or governance process for quantum-related vulnerabilities
Claim: Circle's whitepaper discusses emergency procedures including pausing contracts, disabling classical signatures, and account recovery frameworks. Circle has existing operational security processes (pauser role, proxy upgrade path, blacklist capability). No formal quantum-specific incident-response playbook is publicly documented.
Coverage basis: Whitepaper Sections 5.1 and 5.2, existing FiatToken operational controls (pause, blacklist, upgrade)
Implementation score: 0.25 · Evidence confidence: Medium
Issue classification: assurance-only caveat · Score treatment: note-only
Assurance: Existing operational controls (pause, blacklist, proxy upgrade) provide some emergency response capability, but these controls themselves are ECDSA-protected. The whitepaper's quantum-specific recovery frameworks are design proposals only. The absence of a formal public quantum-specific IR playbook is an assurance-only caveat per §7.4.
Implementation Score 0.25 reflects that quantum-specific incident response is addressed in the whitepaper design but no formalized public process exists.
Algorithm & Implementation Assurance
Uses NIST-standardized, standards-track, or broadly reviewed PQC/hybrid-PQC algorithms appropriate to the use case
Claim: Current production USDC uses only ECDSA (secp256k1) for all token-specific cryptographic functions. The Arc blockchain plans to use SLH-DSA-SHA2-128s (NIST-standardized), but this is not deployed for current USDC. No PQ algorithms are used in any USDC production scope.
Coverage basis: Source code, on-chain verification, whitepaper confirmation of ECDSA-only status
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: No NIST-standardized or broadly reviewed PQ algorithms are used in any USDC production function.
Assurance: Circle's planned algorithm choice (SLH-DSA-SHA2-128s) is NIST-standardized and conservatively chosen (hash-based, no lattice assumption). This choice applies to the future Arc blockchain and planned USDC migration, not current production.
The whitepaper's algorithm rationale (Section 1.0.6) favors SLH-DSA for its hash-based security and SHA2 precompile compatibility on EVM. This is a sound choice for the planned migration but provides zero current production protection.
Algorithm & Implementation Assurance
Independent cryptographic and implementation audit exists for the quantum-critical scope
Claim: CCTP and FiatToken contracts have been independently audited by ChainSecurity and OtterSec for classical security. No PQ-specific audit exists because no PQ implementation exists in production. The PQ whitepaper is a design document, not an implementation subject to audit.
Coverage basis: Circle developer documentation citing audit reports
Implementation score: 0 · Evidence confidence: Medium
Issue classification: assurance-only caveat · Score treatment: note-only
Assurance: Existing audits (ChainSecurity, OtterSec) are classical security audits of the CCTP and token contracts. They do not evaluate quantum resistance. Per §6.4, scope-mismatched audits support only the audited component and limit confidence for unaudited scope. Since no PQ implementation exists to audit, this is an assurance-only caveat.
Classical audits confirm the contracts are well-implemented for their current ECDSA-based security model. This does not affect the quantum score but provides assurance context.
Algorithm & Implementation Assurance
Open-source, reproducible implementation
Claim: USDC EVM contracts (circlefin/stablecoin-evm) and CCTP contracts (circlefin/evm-gateway-contracts) are open source on GitHub. The PQ whitepaper is publicly available. However, no PQ implementation code exists for USDC migration. The Arc testnet has PQ features but is a separate project.
Coverage basis: Public GitHub repositories, whitepaper availability
Implementation score: 0.25 · Evidence confidence: High
Issue classification: none · Score treatment: not applicable
Assurance: Classical implementations are fully open source and reproducible. PQ design is publicly documented. No PQ implementation exists to be open-sourced for USDC migration.
Implementation Score 0.25 reflects that the PQ design is publicly documented (whitepaper) but no PQ implementation code exists for USDC migration. Arc testnet PQ code exists but is a separate project.
Algorithm & Implementation Assurance
Parameter agility and future upgrade path are documented
Claim: The whitepaper extensively discusses upgrade paths: dual-mode contracts supporting both classical and PQ signatures with a one-way mechanism to disable classical signatures without additional upgrades. The proxy upgrade pattern enables contract logic updates. Algorithm agility is addressed through discussion of multiple NIST candidates and the choice to rely on native host-chain support rather than ad-hoc verification.
Coverage basis: Whitepaper Sections 4.2, 4.3, and 5.1
Implementation score: 0.25 · Evidence confidence: Medium
Issue classification: none · Score treatment: not applicable
Assurance: The dual-mode design with one-way classical disable is architecturally sound. However, the whitepaper acknowledges that ecrecover replacement requires host-chain hard forks and that industry consensus on PQ algorithms is still evolving. These are design-level proposals, not implemented capabilities.
Implementation Score 0.25 reflects documented design for upgrade paths. The proxy upgrade pattern is already deployed (FiatTokenProxy), providing a mechanism for future PQ logic deployment, but no PQ implementation exists to deploy through it.
Algorithm & Implementation Assurance
Stateful-signature safety (where applicable), side-channel, fault-injection, state-management risks
Claim: Current production USDC uses stateless ECDSA signatures exclusively. The planned SLH-DSA-SHA2-128s algorithm for Arc is also stateless (SLH-DSA is a stateless hash-based signature scheme). No XMSS/LMS-style stateful signatures are used or planned.
Coverage basis: Whitepaper algorithm discussion, NIST SP 800-208 (SLH-DSA standard)
Implementation score: 0 · Evidence confidence: High
Issue classification: none · Score treatment: not applicable
Algorithm & Implementation Assurance
Performance and resource-impact analysis exists where PQ signature/verification costs could affect safe deployment
Claim: The whitepaper discusses PQ signature size implications (SLH-DSA-SHA2-128s: 7,856 bytes vs ECDSA: 65 bytes), throughput impact, gas cost considerations, and the tradeoff between security and performance. It notes that PQ signatures will significantly affect transaction throughput and that this is a reason for the phased approach.
Coverage basis: Whitepaper Sections 1.0.1, 3.1, and Circle blog post (January 2026)
Implementation score: 0.25 · Evidence confidence: Medium
Issue classification: assurance-only caveat · Score treatment: note-only
Assurance: Performance analysis is qualitative, not based on deployed benchmarks. No formal resource-impact study with gas cost modeling for USDC-specific contract upgrades has been published. Per §7.4, the absence of a formal benchmark is a note-only caveat since no PQ implementation exists to benchmark.
Implementation Score 0.25 reflects that performance considerations are addressed in the design whitepaper. Circle's public blog (January 2026) provides additional context on PQ signature size comparisons across ML-DSA, Falcon, and SLH-DSA.
Report metadata