Circle Publishes Post-Quantum Security Roadmap for USDC and Blockchains

 

By Abhinav Tewari // June 1, 2026 @ 09:59 AM

Points of Focus

  • Circle and Dan Boneh published a post-quantum roadmap for USDC across 30+ blockchains and the Arc blockchain.
  • Non-upgradeable Ethereum contracts using “ecrecover” cannot be patched against quantum attacks, Circle flags.
  • Rushing quantum migration poses more near-term risk than quantum computers themselves.

 

 

Circle published its Post-Quantum Security Roadmap in collaboration with Stanford University cryptographer Dan Boneh, setting out the most technically detailed quantum transition plan any stablecoin issuer has produced.

 

 

The paper covers three dimensions of Circle’s exposure:

  • USDC (USDC) smart contracts deployed across more than 30 blockchains
  • The Arc blockchain that Circle is building from the ground up
  • Circle’s internal infrastructure, including vendor dependencies, custody systems, and networking stacks.

Its central argument is methodical rather than alarming: The quantum threat to blockchain is real and structural, but the greater near-term danger is poorly executed migration rather than the quantum computers themselves.

 

The hardware gap

The paper provides the clearest public benchmark for how far quantum hardware is from breaking the cryptography that secures Bitcoin, Ethereum, and USDC. Running Shor’s algorithm on the 256-bit elliptic curve cryptography (ECC) used by both networks requires 1,200-1,450 logical fault-tolerant qubits.

Quantinuum’s Helios H2, the most capable publicly disclosed quantum system, supports 48 logical qubits. The gap between the current state of the art and a cryptographically relevant quantum computer is large and not closing rapidly.

That quantification is significant in the context of the urgency debate. Project Eleven’s Q-Day Prize, awarded in April 2026 for breaking a 15-bit ECC key on cloud hardware, demonstrated that small-scale ECC vulnerability is achievable. The Coinbase Advisory Board’s April 2026 position paper identified 6.9 million Bitcoin (BTC) addresses with exposed public keys.

 

Transaction lifecycle and quantum attack. Source: Circle white paper

 

Circle’s paper accepts those vulnerabilities but frames the response differently: “While the transition to post-quantum blockchains needs to happen, we recommend that blockchains take their time and only transition once all the components to support the transition are in place, without taking shortcuts that can harm security.”

 

The “ecrecover” vulnerability

The most technically significant contribution of the paper is its identification of a specific class of deployed Ethereum smart contracts that are structurally exposed to quantum attack and cannot be remediated without blockchain-level intervention.

The vulnerability centers on “ecrecover,” an Ethereum precompile that recovers the public key from an Elliptic Curve Digital Signature Algorithm (ECDSA) signature. Many deployed Ethereum contracts use “ecrecover” directly for onchain signature verification. Because “ecrecover” uses ECDSA, any contract relying on it becomes vulnerable the moment a quantum adversary can recover private keys from public keys. 

Unlike USDC, which uses an upgradeable proxy pattern that allows the underlying logic contract to be replaced, many decentralized finance protocols have deployed non-upgradeable contracts. Those contracts cannot be patched. Their “ecrecover” calls will remain permanently quantum-vulnerable regardless of what the Ethereum protocol does at the signature level.

Circle notes this as a vulnerability “that has not yet been widely discussed.” Addressing it requires solutions at the blockchain level, not the contract level: Ethereum would need to provide native post-quantum signature verification as a protocol primitive so that contracts can route around “ecrecover” through account abstraction. Until that infrastructure exists, non-upgradeable contracts using “ecrecover” represent a stranded vulnerability.

 

Circle’s three-phase approach

Circle’s quantum transition plan runs across three phases.

The readiness phase, which Circle is currently in, focuses on comprehensive vulnerability assessment across its development stack, infrastructure, and third-party vendors. The priority is protecting against harvest-now-decrypt-later attacks: adversaries collecting encrypted data today with the intent of decrypting it once quantum hardware matures.

Arc, Circle’s blockchain, will include a privacy layer using an encrypted trusted execution environment with quantum-resistant guarantees from day one. Circle has chosen SLH-DSA signature verification as Arc’s initial post-quantum signature scheme, allowing developers to begin migrating without waiting for full protocol redesigns.

The transition phase introduces dual-mode operation. USDC smart contracts will simultaneously support ECDSA-based interactions (for compatibility with the existing ecosystem) and post-quantum signatures (for users who have migrated). The hybrid approach is explicitly designed to avoid forcing a hard cutoff that could strand assets or break existing integrations.

The algorithm selections reflect a deliberate conservatism.

  • For key encapsulation, Circle chose X25519MLKEM768 for TLS 1.3 and X-Wing for HPKE: hybrid constructions that combine a classical key exchange with a quantum-resistant key-encapsulation mechanism, remaining secure as long as either component holds.
  • For signatures, SLH-DSA-SHA2-128s at NIST Level 1 was selected over higher-security options specifically because it is based on hash functions rather than lattice assumptions, a more conservative foundation given that lattice-based schemes have not been studied as long.

 

The account recovery problem

The paper raises a regulatory question that has no current answer: If a quantum cutoff is required for vulnerable addresses, what happens to assets locked behind that cutoff?

Circle draws the relevant distinction between disabling unsafe cryptographic control and extinguishing an asset holder’s economic interest. For USDC specifically, a cutoff may be necessary to prevent quantum-enabled forgery of signatures from vulnerable wallets. But where technically feasible and legally supportable, assets frozen by that cutoff should remain recoverable if the holder can establish entitlement through reliable evidence.

Circle identifies a five- to 10-year window in which these frameworks need to be developed, requesting regulatory guidance on notice requirements, recovery evidence standards, abandoned property timelines, and how anti-money laundering/countering the financing of terrorism (AML/CFT) and custody frameworks apply to quantum-migrated assets. No regulator has addressed these questions.

The Federal Deposit Insurance Corporation’s (FDIC) Bank Secrecy Act (BSA) compliance rule and the Office of the Comptroller of the Currency’s national bank stablecoin charter framework do not contemplate quantum-forced address cutoffs. Circle’s paper is the first formal articulation of that regulatory gap.

 

The Arc architecture

Arc will support SLH-DSA signature verification at launch, giving developers immediate post-quantum signing capability. Its privacy layer uses an encrypted trusted execution environment with quantum-resistant guarantees from the first block. Arc will also use zkSTARKs rather than zkSNARKs: STARKs rely only on hash functions and remain quantum-secure, while SNARKs rely on elliptic-curve assumptions broken by Shor’s algorithm.

The final migration phase will require deprecating support for non-quantum-secure chains and accounts, on a timeline Circle describes as open-ended and dependent on ecosystem readiness, regulatory requirements, and evolving quantum risk assessments. 

Circle’s USDC is deployed across Ethereum, Solana, Base, Arbitrum, Polygon, and more than 25 additional networks. Each migration runs on its own schedule.


Abhinav Tewari

Abhinav is a researcher and author specializing in cryptocurrency, blockchain, and Web3, translating complex protocols into actionable insight for institutions and builders. Drawing on experience across digital marketing, management, and research, he focuses on tokenization, stablecoins and payments, DeFi, and real‑world assets, with rigorous analysis of protocol economics, security, governance, and layer‑2 scalability.
