Worldcoin WLD

Claim: WLD token transfers on Ethereum and World Chain use ECDSA/secp256k1 signatures — no PQC or hybrid-PQC protection exists.

Coverage basis: Standard ERC-20 token on Ethereum L1; World Chain OP Stack L2 inherits ECDSA from Ethereum account model.

Implementation score: 0 · Evidence confidence: High

Issue classification: quantum-critical vulnerability · Score treatment: score-reducing

Quantum blocker: ECDSA-only spend authorization — all WLD transfers are vulnerable to Shor's algorithm key recovery

Assurance: ECDSA/secp256k1 vulnerability to quantum attack is well-established in cryptographic literature. Verified via on-chain contract and OP Stack architecture documentation.

WLD is a standard ERC-20 with no custom spend-authorization cryptography. World Chain is an OP Stack L2 using standard Ethereum EOA model. Both are fully ECDSA-dependent.

• https://etherscan.io/token/0x163f8c2467924be0ae7b5347228cabf260318753
• https://world.org/blog/announcements/introducing-world-chain
• https://www.optimism.io/blog/a-post%E2%80%91quantum-roadmap-for-the-superchain

Claim: Ethereum EOAs that have sent WLD transactions expose secp256k1 public keys on-chain, creating a permanent at-rest attack surface.

Coverage basis: Standard Ethereum account model — public keys are revealed in transaction signatures and stored on-chain indefinitely.

Implementation score: 0 · Evidence confidence: High

Issue classification: quantum-critical vulnerability · Score treatment: score-reducing

Quantum blocker: Long-exposure public keys on Ethereum L1 enable offline quantum key recovery for all transacted WLD EOAs

Assurance: Long-exposure (at-rest) attack surface is well-documented in Google Quantum AI whitepaper and broader cryptographic literature. Any EOA that has sent a transaction has an exposed public key.

No PQ address formats, no key-derivation changes, and no account-abstraction migration prompts exist for WLD holders. World Chain EOAs inherit the same exposure model.

• https://etherscan.io/token/0x163f8c2467924be0ae7b5347228cabf260318753
• https://quantumai.google/static/site-assets/downloads/cryptocurrency-whitepaper.pdf

Claim: World Chain sequencer and batch submitter use ECDSA keys for L2 block production and L1 batch submission.

Coverage basis: OP Stack architecture — sequencer signs batches submitted to Ethereum L1 bridge contracts.

Implementation score: 0 · Evidence confidence: High

Issue classification: quantum-critical vulnerability · Score treatment: score-reducing

Quantum blocker: World Chain sequencer ECDSA keys are quantum-vulnerable — compromise could disrupt L2 operations, censor transactions, or submit fraudulent batches

Assurance: OP Stack documentation and World Chain repo confirm standard sequencer architecture. Optimism roadmap targets sequencer PQ upgrade but timeline is unspecified within the 2036 window.

Consensus authentication is applicable for World Chain as an L2. The sequencer is currently a single-entity model. Ethereum L1 validator BLS signatures are also quantum-vulnerable and affect L2 security inheritance.

• https://github.com/worldcoin/world-chain
• https://world.org/blog/announcements/introducing-world-chain
• https://www.optimism.io/blog/a-post%E2%80%91quantum-roadmap-for-the-superchain

Claim: World ID uses Semaphore protocol with Groth16 zkSNARKs on BN254 curve for identity commitments and nullifiers — all pairing-based and quantum-vulnerable.

Coverage basis: Semaphore V4 spec and Least Authority audit confirm Groth16/BN254 proving system. World ID protocol repo confirms circom circuits.

Implementation score: 0 · Evidence confidence: High

Issue classification: quantum-critical vulnerability · Score treatment: score-reducing

Quantum blocker: Groth16 zkSNARKs on BN254 are quantum-vulnerable — a CRQC could forge identity proofs and nullifiers, breaking World ID Sybil resistance

Assurance: Least Authority audit (July 2023) is the primary evidence source for cryptographic design. BN254 curve provides only ~96-bit classical security per the audit (Issue B, unresolved). Audit explicitly flagged this. No PQ audit exists.

World ID 4.0 specs confirm continued use of Groth16/circom. The Semaphore V4 spec uses EdDSA (Baby Jubjub) for identity keys and Poseidon hash — all classical ECC/zk-SNARK assumptions. Migration to STARKs or other PQ ZK systems has not been announced.

• https://leastauthority.com/wp-content/uploads/2025/03/Least-Authority-Worldcoin-Cryptography-Second-Review-Updated-Final-Audit-Report.pdf
• https://github.com/worldcoin/world-id-protocol
• https://github.com/zkspecs/zkspecs/blob/main/specs/3/README.md
• https://world.org/blog/world/intro-zero-knowledge-proofs-semaphore-application-world-id

Claim: World ID ZK proofs and nullifier construction rely on pairing-based cryptography (Groth16/BN254). AMPC provides quantum-secure MPC for off-chain iris code privacy but does not protect on-chain ZK proof integrity.

Coverage basis: World ID protocol (on-chain ZK proofs), AMPC system (off-chain biometric MPC).

Implementation score: 0 · Evidence confidence: High

Issue classification: quantum-critical vulnerability · Score treatment: score-reducing

Quantum blocker: On-chain ZK proof forgery would bypass World ID's proof-of-personhood — AMPC does not protect the on-chain verification layer

Assurance: AMPC (launched May 2026) provides quantum-secure MPC for biometric data privacy — this is a genuine production protection but operates off-chain. The MPC audit (Apr 2024) covered an earlier version and did not assess quantum security. On-chain World ID proofs remain Groth16/BN254 and are quantum-vulnerable.

This is the most architecturally significant finding: AMPC protects the biometric template but the ZK proof that asserts 'this person is a unique human' can be forged by a quantum attacker, creating fake identities without iris scans. The two layers (off-chain biometric privacy and on-chain identity verification) have different quantum security postures.

• https://world.org/blog/engineering/introducing-ampc-another-leap-privacy-performance-world-id
• https://github.com/worldcoin/world-id-protocol
• https://leastauthority.com/wp-content/uploads/2024/05/Least-Authority-Worldcoin-MPC-Protocol-for-Uniqueness-Check-Final-Audit-Report.pdf

Claim: World Chain nodes use standard OP Stack/Ethereum networking with classical TLS and node identity keys.

Coverage basis: OP Stack architecture — standard Ethereum devp2p/libp2p networking with secp256k1 node keys.

Implementation score: 0 · Evidence confidence: Medium

Issue classification: quantum-critical vulnerability · Score treatment: score-reducing

Assurance: Not satisfied by design because asset-spending authorization is not PQ-signed. Node identity compromise is lower severity than spend-auth compromise but remains a quantum-vulnerable surface.

P2P is not satisfied by design per QRI Section 7 because spend authorization is not PQ-protected (node identity keys could facilitate eclipse or partition attacks).

• https://github.com/worldcoin/world-chain
• https://www.optimism.io/op-stack

Claim: No PQ wallet, custody, or hardware-signer workflows exist for WLD. Standard Ethereum wallets (MetaMask, Ledger, etc.) are ECDSA-only.

Coverage basis: Standard Ethereum wallet ecosystem — no Worldcoin-specific wallet infrastructure with PQ capabilities.

Implementation score: 0 · Evidence confidence: High

Issue classification: quantum-critical vulnerability · Score treatment: score-reducing

Assurance: No PQ wallet support is standard across the Ethereum ecosystem. World App (Worldcoin's wallet) has not announced PQ features.

World App uses Safe smart-contract accounts for gasless transactions — this account-abstraction architecture could theoretically support future PQ signature schemes, but no such implementation exists.

Claim: Worldcoin has public cryptographic documentation (Least Authority audits, open-source code, protocol specs) but has published no quantum-specific cryptographic inventory or threat model for blockchain layers. AMPC announcement acknowledges quantum risk for biometric data only.

Coverage basis: Least Authority audits enumerate classical cryptographic components but without quantum threat modeling. AMPC announcement addresses biometric layer only. No quantum-focused assessment of blockchain layers exists.

Implementation score: 0.5 · Evidence confidence: Medium

Issue classification: quantum-critical uncertainty · Score treatment: score-reducing

Quantum blocker: No Worldcoin-published quantum cryptographic inventory or threat model for blockchain layers — project quantum posture cannot be independently assessed against a published baseline

Assurance: The Least Authority audits (2023, 2024) provide a solid classical cryptographic inventory but are stale for current production scope (World ID 4.0, World Chain launch). The AMPC announcement (2025-2026) acknowledges quantum risk for biometric data but does not constitute a threat model for the blockchain layers.

Implementation Score 0.50 reflects partial credit: cryptographic documentation exists (audits, code, specs) and AMPC represents a partial threat acknowledgment for biometrics, but no quantum threat model covering blockchain-layer attack assumptions, affected assets, and affected layers has been published.

• https://leastauthority.com/wp-content/uploads/2025/03/Least-Authority-Worldcoin-Cryptography-Second-Review-Updated-Final-Audit-Report.pdf
• https://leastauthority.com/wp-content/uploads/2023/07/Worldcoin_Protocol_Cryptography_Final_Audit_Report.pdf
• https://world.org/blog/engineering/introducing-ampc-another-leap-privacy-performance-world-id
• https://github.com/worldcoin/world-id-protocol

Claim: Code repositories, protocol specifications, on-chain contracts, and independent audits are publicly available but are not organized as a quantum-specific evidence record.

Coverage basis: Public GitHub repos (worldcoin/world-id-protocol, worldcoin/world-chain), Etherscan contracts, Least Authority audit reports, World.org documentation.

Implementation score: 0.25 · Evidence confidence: Medium

Issue classification: assurance-only caveat · Score treatment: note-only

Assurance: Evidence exists and is publicly accessible but has not been compiled into a quantum-focused assessment. The Least Authority audit is the closest artifact to a cryptographic evidence record but is limited to classical scope. The World ID protocol repo includes an audits/ folder suggesting ongoing review practices.

Implementation Score 0.25 reflects that evidence artifacts exist (code, specs, audits) but no quantum-specific evidence record has been published. Score treatment is note-only because the absence of a compiled evidence record does not independently create a quantum attack path.

• https://github.com/worldcoin/world-id-protocol
• https://github.com/worldcoin/world-chain
• https://etherscan.io/token/0x163f8c2467924be0ae7b5347228cabf260318753
• https://leastauthority.com/wp-content/uploads/2025/03/Least-Authority-Worldcoin-Cryptography-Second-Review-Updated-Final-Audit-Report.pdf

Claim: 0% of WLD value-at-risk is protected from quantum key-recovery attacks. All circulating WLD is held in ECDSA-secured accounts on Ethereum L1 or World Chain L2.

Coverage basis: WLD is a standard ERC-20 token. All holder accounts use ECDSA/secp256k1. No PQ-protected storage or migration exists.

Implementation score: 0.05 · Evidence confidence: High

Issue classification: quantum-critical vulnerability · Score treatment: score-reducing

Quantum blocker: 0% value-at-risk protection — all WLD holdings are quantum-vulnerable with no migration path

Assurance: Coverage <25% maps to Implementation Score 0.05 per QRI 9.3.1 table. WLD market cap and circulating supply are publicly verifiable on-chain. No PQ-protected value pools exist.

Per QRI 9.3.1: <25% coverage → score 1/20 = 0.05 Implementation Score. The 0.05 reflects the theoretical minimum credit for a project with no protected value but where value-at-risk is at least observable on-chain.

• https://etherscan.io/token/0x163f8c2467924be0ae7b5347228cabf260318753
• https://whitepaper.world.org/designing-for-scale/2026-03-24

Claim: No critical wallets (treasuries, exchanges, custodians, bridges, foundations, major protocols) have migrated to PQ protection for WLD.

Coverage basis: No evidence of any WLD custodian, exchange, or protocol treasury implementing PQ signature schemes or migration paths.

Implementation score: 0 · Evidence confidence: High

Issue classification: quantum-critical vulnerability · Score treatment: score-reducing

Assurance: No exchange or custodian has announced PQ migration for WLD. This is standard across the Ethereum ecosystem — no major exchange supports PQ signatures for ERC-20 tokens.

Worldcoin Foundation, Tools for Humanity, and major WLD holders (exchanges, market makers) all use standard ECDSA custody. No PQ-native custody path exists.

Claim: No legacy vulnerable WLD pools have been identified, measured, deprecated, or frozen by Worldcoin. All WLD accounts remain in their original ECDSA-vulnerable state.

Coverage basis: Standard ERC-20 token — all holder accounts are ECDSA-based with no deprecation mechanism.

Implementation score: 0 · Evidence confidence: High

Issue classification: quantum-critical vulnerability · Score treatment: score-reducing

Assurance: No freeze/deprecation mechanism exists in the WLD ERC-20 contract. The token contract at 0x163f... is a standard implementation with no quantum-aware features.

Dormant WLD holdings with exposed public keys (transacted EOAs) represent a permanent at-risk value pool. No policy mechanism exists to address these.

• https://etherscan.io/token/0x163f8c2467924be0ae7b5347228cabf260318753

Claim: Optimism's January 2026 PQ roadmap provides a 10-year ECDSA deprecation timeline (by 2036) for the Superchain, which includes World Chain. No Worldcoin-specific roadmap exists.

Coverage basis: Optimism official blog post (Jan 14, 2026) — OP Labs commitment to deprecate ECDSA EOAs by 2036 via EIP-7702 account abstraction.

Implementation score: 0.25 · Evidence confidence: Medium

Issue classification: assurance-only caveat · Score treatment: note-only

Assurance: The Optimism roadmap is a formal, publicly committed plan with a 10-year timeline and specific technical path (EIP-7702 smart accounts, hardfork coordination). However, it is Optimism's roadmap, not Worldcoin's, and Worldcoin has not published its own adoption plan, activation criteria, or World Chain-specific sequencing. The roadmap does not address World ID ZK proof migration.

Implementation Score 0.25 reflects that a credible ecosystem-level roadmap exists (meeting 'public design, proposal' criteria) but no Worldcoin-specific roadmap has been published. The 2036 timeline means current production users have no PQ protection for at least a decade.

• https://www.optimism.io/blog/a-post%E2%80%91quantum-roadmap-for-the-superchain
• https://incrypted.com/en/optimism-network-announced-a-10-year-transition-to-post-quantum-cryptography/

Claim: No PQ account creation, wallet tooling, migration prompts, or user education exists for WLD or World Chain.

Coverage basis: No evidence of any PQ-accessible user paths in World App, World Chain, or WLD ecosystem.

Implementation score: 0 · Evidence confidence: High

Issue classification: quantum-critical vulnerability · Score treatment: score-reducing

Assurance: Zero PQ accessibility is confirmed by absence of any documentation, tooling, or feature announcements. World App focuses on gasless transactions via Safe accounts but has no PQ signature support.

Account abstraction infrastructure (Safe contracts, EIP-7702) exists on OP Stack and could theoretically support future PQ migration, but no user-facing PQ path is available today.

Claim: No migration enforcement mechanisms exist. ECDSA transactions are the only available path and there are no restrictions, deprecation warnings, or unsafe-path blocking.

Coverage basis: Standard Ethereum/OP Stack transaction model — no protocol-level restrictions on ECDSA signing.

Implementation score: 0 · Evidence confidence: High

Issue classification: quantum-critical vulnerability · Score treatment: score-reducing

Assurance: The Optimism roadmap proposes enforcement by 2036 (deprecation of raw ECDSA EOA transactions) but this is a future plan, not current production enforcement.

Users can still create new quantum-vulnerable accounts by default on both Ethereum L1 and World Chain. There is no warning, deprecation notice, or restriction on ECDSA usage.

Claim: No quantum-specific emergency disclosure, incident-response playbook, or governance process has been published by Worldcoin.

Coverage basis: No evidence of quantum-specific incident response documentation.

Implementation score: 0 · Evidence confidence: Medium

Issue classification: assurance-only caveat · Score treatment: note-only

Assurance: Absence of quantum-specific incident response is an assurance gap but does not independently create a quantum attack path. Per QRI Section 7.4, this is a note-only caveat when the quantum-vulnerable production path is already identified through other evidence.

Worldcoin has a bug bounty program and general security contacts, but no quantum-specific playbook. The Optimism ecosystem may provide some coordination infrastructure but no Worldcoin-specific quantum emergency process exists.

Claim: No PQC or hybrid-PQC algorithms are used in any production Worldcoin blockchain layer.

Coverage basis: All production cryptography is classical ECC/ZK (ECDSA, Groth16/BN254, Poseidon, EdDSA/Baby Jubjub).

Implementation score: 0 · Evidence confidence: High

Issue classification: quantum-critical vulnerability · Score treatment: score-reducing

Assurance: AMPC uses quantum-secure MPC techniques but these are off-chain and not NIST-standardized PQC algorithms for blockchain use. The blockchain layers use no PQC algorithms at all.

This subfactor receives 0.00 because no PQC algorithms are deployed in any production blockchain layer. AMPC's quantum-secure MPC is architecturally separate from the blockchain cryptographic stack.

• https://leastauthority.com/wp-content/uploads/2025/03/Least-Authority-Worldcoin-Cryptography-Second-Review-Updated-Final-Audit-Report.pdf
• https://github.com/worldcoin/world-id-protocol

Claim: Least Authority audits cover classical cryptographic components but no audit addresses quantum security of any Worldcoin blockchain layer.

Coverage basis: Three Least Authority audits (2023, 2024x2) cover Semaphore, signup sequencer, and MPC uniqueness check — all classical scope.

Implementation score: 0 · Evidence confidence: Medium

Issue classification: assurance-only caveat · Score treatment: note-only

Assurance: Audits are scope-mismatched for quantum security — they evaluate classical implementation correctness, not quantum resistance. This is a note-only treatment per QRI Section 7.4 because the quantum vulnerability is independently verifiable from algorithm choice and protocol design. The absence of a PQ audit does not create or preserve a quantum attack path beyond what is already confirmed.

Implementation Score is 0.00 because there is no PQ implementation to audit. The existing audits are valuable for classical assurance but irrelevant to quantum-readiness scoring.

• https://leastauthority.com/wp-content/uploads/2025/03/Least-Authority-Worldcoin-Cryptography-Second-Review-Updated-Final-Audit-Report.pdf
• https://leastauthority.com/wp-content/uploads/2023/07/Worldcoin_Protocol_Cryptography_Final_Audit_Report.pdf
• https://leastauthority.com/wp-content/uploads/2024/05/Least-Authority-Worldcoin-MPC-Protocol-for-Uniqueness-Check-Final-Audit-Report.pdf

Claim: Worldcoin's classical cryptographic components are open-source (MIT License) and publicly buildable from GitHub repositories.

Coverage basis: worldcoin/world-id-protocol (Rust, Solidity, Circom), worldcoin/world-chain (Rust).

Implementation score: 0 · Evidence confidence: High

Issue classification: none · Score treatment: not applicable

Assurance: Code is open-source and well-structured. However, this subfactor is scored 0.00 because it assesses the PQ implementation — no PQ implementation exists to evaluate for reproducibility.

The classical implementation is open-source and reproducible, which is positive for general security but not quantum-relevant. If/when PQ code is developed, this infrastructure would support reproducible evaluation.

• https://github.com/worldcoin/world-id-protocol
• https://github.com/worldcoin/world-chain

Claim: No PQ parameter agility or upgrade path has been documented by Worldcoin. The Optimism roadmap provides an ecosystem-level upgrade path but no Worldcoin-specific cryptographic agility plan.

Coverage basis: Optimism roadmap (Jan 2026) mentions 'pluggable post-quantum schemes' but no specific algorithm choices or Worldcoin adoption plan.

Implementation score: 0 · Evidence confidence: Low

Issue classification: assurance-only caveat · Score treatment: note-only

Assurance: The OP Stack's modular design and EIP-7702 account abstraction provide architectural agility, but Worldcoin has not documented its own parameter/crypto upgrade path. This is note-only because the absence of documented agility does not independently create a quantum attack path.

Implementation Score 0.00 because no Worldcoin-specific PQ upgrade path documentation exists. The Optimism roadmap provides ecosystem-level direction but lacks Worldcoin-specific algorithm selection, migration sequencing, or activation criteria.

• https://www.optimism.io/blog/a-post%E2%80%91quantum-roadmap-for-the-superchain

Claim: No PQ stateful signatures (XMSS/LMS) are in use, so state-management risks are not applicable. No PQ side-channel analysis has been performed for Worldcoin.

Coverage basis: No PQ signature deployment exists to assess for stateful-signature safety or side-channel risks.

Implementation score: 0 · Evidence confidence: Not assessed

Issue classification: none · Score treatment: not applicable

Assurance: No PQ implementation exists, so stateful-signature safety considerations are premature. Scored 0.00 because there is no PQ implementation to assess.

If Worldcoin adopts XMSS/LMS or other stateful PQ signatures in the future, state-management discipline (anti-reuse, recovery from state loss) will become a critical implementation concern. Currently not applicable.

Claim: No PQ performance or resource-impact analysis has been published for Worldcoin or World Chain.

Coverage basis: No PQ deployment to analyze.

Implementation score: 0 · Evidence confidence: Not assessed

Issue classification: none · Score treatment: not applicable

Assurance: No PQ deployment exists, so performance analysis is premature. The OP Stack ecosystem has acknowledged that PQ signatures (e.g., Dilithium) increase transaction sizes and gas costs, but no Worldcoin-specific analysis exists.

Scored 0.00 because there is no PQ implementation to benchmark. When PQ migration planning becomes concrete, gas/fee impact, block validation timing, and archival growth will be important considerations for World Chain's high-throughput design goals.