[Discussion] QuantumScan — Open-Source PQC Vulnerability Scanner for Substrate/Polkadot
TL;DR
We built and shipped an open-source CLI scanner (MIT) that detects post-quantum cryptography vulnerabilities specifically in Substrate/Polkadot codebases. The tool is live at quantumscan.io, fully tested, and documented. We’re requesting ~2,000 DOT (≈ $9,500 USD) from the Polkadot Treasury — retroactive recognition for work already delivered, plus one remaining deliverable: a technical article on this forum.
The Problem
Every asymmetric cryptographic algorithm securing the Polkadot ecosystem today is vulnerable to quantum computers — and the migration window is narrowing:
- BABE/GRANDPA consensus uses sr25519 (Schnorr/Ristretto255 — broken by Shor’s algorithm)
- Parachain pallets commonly implement ECDSA, ed25519, and RSA key operations
- XCM message verification relies on classical signature schemes
- ink! smart contracts expose
ecdsa_recover()as a host function - NIST FIPS 203/204/205 mandated migration by 2030; CNSA 2.0 (US national security) already in effect; EU DORA requires crypto-agility for financial infrastructure
Until now, there was no dedicated tool to audit Substrate codebases for these vulnerabilities.
What We Built
QuantumScan is an open-source, privacy-first PQC vulnerability scanner. The --substrate flag activates 19 Substrate-specific detection patterns across 5 categories:
| Category | What We Detect | PQC Migration Path |
|---|---|---|
| BABE/GRANDPA | sr25519::Pair, BabeId, GrandpaId, VRF outputs | ML-DSA (FIPS 204) |
| Pallet Crypto | sp_runtime::traits::Verify, MultiSignature, sp_core::ecdsa | ML-DSA |
| XCM Messages | OriginKind::SovereignAccount, xcm_executor signatures | ML-DSA |
| ink! Contracts | ink::env::ecdsa_recover, secp256k1 host calls | ML-DSA / SLH-DSA |
| Workspace Dependencies | schnorrkel, ed25519-dalek, x25519-dalek, libp2p-noise | ML-KEM + ML-DSA |
Try it on any parachain:
npx quantumscan ./my-parachain --substrate
- Live tool: https://quantumscan.io
- CLI (MIT): GitHub - quantumscan-io/scanner-core: Open-source post-quantum cryptography scanner core. Detects RSA/ECC vulnerable to quantum attacks. MIT licensed, reproducible builds. quantumscan.io · GitHub
- Current version: v1.9.1
Delivery Status
Everything technical is already shipped. This is not a speculative proposal.
| Deliverable | Status | Evidence |
|---|---|---|
| 19 Substrate-specific patterns |  Live |
scanner-core v1.9.1, --substrate flag |
| Documentation | Complete |
README with migration paths for each pattern group |
| Test suite (60+ tests) | Complete |
Node.js built-in runner, zero external dependencies |
| Docker image | Complete |
Dockerfile at repo root |
| Public scanner endpoint | Live |
quantumscan.io (free, 233+ scans completed) |
| Technical article (Forum) |  Pending |
Planned 2 weeks post-approval |
Context: We had an active Level 1 application at the W3F Grants Program (PR #2774, $9,500). The program was discontinued on 2026-06-25. All pending PRs were closed without technical rejection — the program itself was shut down. All deliverables except the article were completed before that date.
Requested Amount
~2,000 DOT (≈ $9,500 USD at time of writing)
Track: Small Spender
Beneficiary: 16LTGtVBbeq7SbCvTDJoeXzzE7Kp4ma5QvrU2iAggJxjy5pu
| Item | Amount |
|---|---|
| Retroactive: 19 patterns + 60 tests + Docker + docs + public endpoint | ~$7,500 |
| D0e: Technical article — PQC vulnerabilities in Substrate (Polkadot Forum) | ~$1,000 |
| 6-month maintenance: issues, pattern updates as Substrate evolves | ~$1,000 |
| Total | ~$9,500 |
Remaining Deliverable — Technical Article
Within 2 weeks of Treasury approval, we will publish on this forum:
“Post-Quantum Cryptography Vulnerabilities in Substrate: A Practical Scanner Analysis”
Contents:
- How sr25519, ed25519, and ECDSA are used across the Polkadot ecosystem today
- Why these are quantum-vulnerable (Shor’s algorithm timeline)
- NIST FIPS 203/204/205 migration paths for each pattern group
- Step-by-step guide: scanning your parachain with QuantumScan
- Aggregated findings from 233+ public repo scans
Team
Rodolfo Carvalho — Solo founder, Guatemala
- 6+ months building QuantumScan full-time (Jan–Jun 2026)
- Full-stack developer, 10+ years experience
- Live product with real usage: quantumscan.io
- Open source: GitHub - quantumscan-io/scanner-core: Open-source post-quantum cryptography scanner core. Detects RSA/ECC vulnerable to quantum attacks. MIT licensed, reproducible builds. quantumscan.io · GitHub
- Contact: rodolfo@quantumscan.io
Timeline
| Period | Activity |
|---|---|
| Now → +2 weeks | Forum discussion, community feedback |
| Week 3 | On-chain submission via Polkassembly |
| Week 4–5 (post-approval) | Publish technical article on this forum |
| Ongoing (6 months) | Maintain scanner, update patterns as Substrate evolves |
Why This Matters for Polkadot
The quantum threat to blockchain infrastructure is not hypothetical — it is a compliance and security timeline that every parachain team needs to plan for. QuantumScan gives every Polkadot developer a free, open-source tool to understand their cryptographic exposure today.
We are not asking you to fund an idea. We are asking you to recognize work already delivered to the ecosystem and ensure it is maintained.
Questions, feedback, and technical scrutiny welcome.
