Scan Solidity contracts for quantum vulnerabilities
Quantum computers running Shor's algorithm will break secp256k1 and ECDSA — the cryptographic foundation of every EVM wallet, oracle signature, and multi-sig. Scan your contracts before deployment.
What QuantumScan detects in .sol files
address signer = ECDSA.recover(hash, sig);
Direct secp256k1 signature verification. Broken by Shor's algorithm.

_hashTypedDataV4(structHash)
Structured signing used in permits, votes, and meta-transactions. ECDSA underneath.

staticcall(gas(), 0x1, ptr, 0x80, ptr, 0x20)
Low-level call to ecrecover precompile — common in gas-optimized contracts.

AggregatorV3Interface(feed).latestRoundData()
Chainlink DON uses threshold ECDSA secp256k1 for price feed aggregation.

IERC20Permit(token).permit(owner, spender, value, deadline, v, r, s)
Signature-based token approvals will break post-quantum — no PQC standard yet.

safe.execTransaction(..., signatures)
Each signer key is a secp256k1 key pair. All N signers are quantum-vulnerable.
Vulnerable Solidity dependencies
@openzeppelin/contracts: ECDSA.sol, EIP712.sol, SignatureChecker.sol
@openzeppelin/contracts-upgradeable: Upgradeable ECDSA/EIP712 contracts
@chainlink/contracts: Oracle interfaces — DON uses secp256k1 ECDSA
@safe-global/safe-contracts: Gnosis Safe N-of-M secp256k1 multi-sig
How to scan your contracts
1. Run the CLI on your Foundry or Hardhat project:
   $ npx quantumscan .
2. Review findings — every HIGH-severity pattern is quantum-vulnerable
3. Add // quantumscan-ignore to suppress false positives
4. Share your scan report with your auditor or DAO

Scan now — free, no account required
QuantumScan is open-source (MIT). No code leaves your machine when using the CLI.
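A minimal line-based matcher for the six patterns listed above, honouring the // quantumscan-ignore marker. This is an added example, not QuantumScan's own code; the rule ids, the regexes, the same-line scope of the ignore marker and the sample contract are assumptions constructed for illustration.

```javascript
// Added illustration, not QuantumScan's source. Rule ids and regexes are
// assumptions built from the six snippets this page lists.
const RULES = [
  { id: "ecdsa-recover", re: /\bECDSA\.recover\s*\(/, why: "direct secp256k1 signature verification" },
  { id: "eip712-digest", re: /\b_hashTypedDataV4\s*\(/, why: "structured signing, ECDSA underneath" },
  { id: "ecrecover-precompile", re: /\bstaticcall\s*\([^,]*,\s*(?:0x0*1|1)\s*,/, why: "call to precompile 0x1" },
  { id: "chainlink-feed", re: /\.latestRoundData\s*\(/, why: "oracle report signed with secp256k1 ECDSA" },
  { id: "erc20-permit", re: /\.permit\s*\(/, why: "signature-based token approval" },
  { id: "safe-exec", re: /\.execTransaction\s*\(/, why: "multi-sig signer keys are secp256k1" },
];
const IGNORE = "// quantumscan-ignore";

// Line-based sketch: comments are stripped naively (a "//" inside a string
// literal is treated as a comment). Assumption: the marker suppresses its own line.
function scanSolidity(source) {
  const findings = [];
  let inBlock = false; // true while inside a multi-line /* ... */ comment
  source.split(/\r?\n/).forEach((raw, i) => {
    let code = raw;
    if (inBlock) {
      const end = code.indexOf("*/");
      if (end === -1) return; // whole line is commented out
      code = code.slice(end + 2);
      inBlock = false;
    }
    code = code.replace(/\/\*.*?\*\//g, "").replace(/\/\/.*$/, "");
    const open = code.indexOf("/*");
    if (open !== -1) { inBlock = true; code = code.slice(0, open); }
    if (raw.includes(IGNORE)) return; // suppressed by the reviewer
    for (const r of RULES) {
      if (r.re.test(code)) findings.push({ line: i + 1, id: r.id, why: r.why });
    }
  });
  return findings;
}

// Constructed sample contract body (not taken from any real project).
const SAMPLE = [
  "function claim(bytes32 hash, bytes memory sig) external {",
  "    address signer = ECDSA.recover(hash, sig);",
  "    // address old = ECDSA.recover(hash, sig);",
  "    bytes32 digest = _hashTypedDataV4(structHash);",
  "    IERC20Permit(token).permit(owner, spender, value, deadline, v, r, s); // quantumscan-ignore",
  "    assembly { ok := staticcall(gas(), 0x1, ptr, 0x80, ptr, 0x20) }",
  "    assembly { ok := staticcall(gas(), 0x4, ptr, 0x80, ptr, 0x20) }",
  "}",
].join("\n");

console.log(scanSolidity(SAMPLE));
```

The commented-out recover call, the suppressed permit() line and the staticcall to precompile 0x4 produce no findings, which is the difference between matching the ecrecover address and matching every staticcall.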
Scan a GitHub repo →

QuantumScan for DeFi is supported by the open-source security community. If your protocol uses this tool, consider funding the project via Open Collective or GitHub Sponsors.
Step-by-step migration path for every pattern: ecrecover → ERC-4337, permit() circuit breaker, Safe PQC module and more.