DEV Community

takundanashebmuchena-pixel
takundanashebmuchena-pixel

Posted on

I scanned 200 blockchain npm packages for quantum-vulnerable cryptography. Here's what I found.

I scanned 200 blockchain npm packages for quantum-vulnerable cryptography. Here's what I found.
TL;DR: Most Ethereum/Web3 npm packages rely on ECDSA/secp256k1 — an algorithm that a sufficiently large quantum computer will break. I built a CLI tool to scan your project and score its quantum readiness.
The problem nobody in Web3 is talking about
Shor's algorithm — running on a large enough quantum computer — breaks RSA and elliptic curve cryptography (ECDSA, ECDH, secp256k1) completely.
Not "weakens." Breaks. As in: private keys become derivable from public keys.
Every Ethereum wallet, every Bitcoin address, every smart contract signature scheme in production today uses ECDSA on secp256k1. That's the curve. That's the algorithm. That's the exposure.
NIST already saw this coming. In 2024 they standardized the post-quantum replacements:
CRYSTALS-Kyber — key encapsulation
CRYSTALS-Dilithium — signatures
SPHINCS+ — hash-based signatures
But almost no npm packages have migrated. And almost no developer tools tell you which of your dependencies are at risk.
What I built
quantum-audit — a CLI tool that scans your project's dependency tree and source code for quantum-vulnerable cryptography, then gives you a 0–100 readiness score.
Bash
Output:
Code
How it works
Two scanning layers:
Layer 1 — Dependency scan
Checks your package.json against a curated database of 20+ crypto libraries mapped to their underlying algorithms. ethers, web3, elliptic, secp256k1, node-rsa, jsrsasign — all flagged with their actual risk level and weight.
Layer 2 — AST source scan
Uses Babel to walk your JavaScript/TypeScript source files and detect direct node:crypto calls that dependency scanning alone would miss:
Js
Scoring
Grade
Score
Meaning
A
90–100
Quantum ready
B
70–89
Low exposure
C
40–69
Moderate exposure
D
15–39
High exposure
F
0–14
Critical exposure
CI integration: exits non-zero on critical findings so you can gate your pipeline.
What I found scanning blockchain packages
Out of the top blockchain/Web3 npm packages:
ethers — CRITICAL (ECDSA/secp256k1 signing)
web3 — CRITICAL (ECDSA/secp256k1 signing)
bitcoinjs-lib — CRITICAL (ECDSA/secp256k1)
elliptic — CRITICAL (the underlying curve library everything else uses)
ethereumjs-util — CRITICAL (secp256k1 key operations)
Not a single one of the top 10 Ethereum npm packages has a post-quantum migration path documented.
"Quantum computers aren't a threat yet"
True — today. IBM's current largest quantum processor has ~1000 qubits. Breaking 256-bit elliptic curve keys requires an estimated 2,000–4,000 logical (error-corrected) qubits, which translates to millions of physical qubits with current error rates.
But:
"Harvest now, decrypt later" attacks are already happening — adversaries are collecting encrypted traffic today to decrypt when quantum computers are ready
Migration takes years — the SSL/TLS ecosystem took over a decade to move from SHA-1 to SHA-256
NIST already standardized the replacements — there's no reason to wait
The time to audit is now, not when the threat is imminent.
Install and use
Bash
GitHub: https://github.com/takundanashebmuchena-pixel/quantum-audit
npm: https://www.npmjs.com/package/quantum-audit
What's next
Solidity contract scanning (flag on-chain ECDSA-only signature schemes)
Per-finding migration guidance (suggest the Dilithium equivalent)
Integration with Chain Audit — a broader blockchain dependency risk intelligence platform
If you're building anything on Web3, run npx quantum-audit . on your project right now and drop your score in the comments. Curious what the distribution looks like across the community.
Tags: #javascript #security #blockchain #ethereum #webdev

Top comments (0)