DEV Community

I scanned 200 blockchain npm packages for quantum-vulnerable cryptography. Here's what I found.

The problem nobody in Web3 is talking about

Shor's algorithm - running on a large enough quantum computer - breaks RSA and elliptic curve cryptography (ECDSA, ECDH, secp256k1) completely. Not "weakens." Breaks. As in: private keys become derivable from public keys.

Every Ethereum wallet, every Bitcoin address, every smart contract signature scheme in production today uses ECDSA on secp256k1. That's the curve. That's the algorithm. That's the exposure.

NIST already saw this coming. In 2024 they standardized the post-quantum replacements:

  • CRYSTALS-Kyber - key encapsulation
  • CRYSTALS-Dilithium - signatures
  • SPHINCS+ - hash-based signatures

But almost no npm packages have migrated. And almost no developer tools tell you which of your dependencies are at risk.

What I built

quantum-audit - a CLI tool that scans your project's dependency tree and source code for quantum-vulnerable cryptography, then gives you a 0โ€“100 readiness score.

npx quantum-audit .

How it works

Two scanning layers:

Layer 1 - Dependency scan
Checks your package.json against a curated database of 20+ crypto libraries mapped to their underlying algorithms. ethers, web3, elliptic, secp256k1, node-rsa, jsrsasign - all flagged with their actual risk level and weight.

Layer 2 - AST source scan
Uses Babel to walk your JavaScript/TypeScript source files and detect direct node:crypto calls that dependency scanning alone would miss:

const crypto = require('crypto');
crypto.createSign('SHA256').sign(privateKey, 'hex');

Scoring

Grade Score Meaning
A 90โ€“100 Quantum ready
B 70โ€“89 Low exposure
C 40โ€“69 Moderate exposure
D 15โ€“39 High exposure
F 0โ€“14 Critical exposure

CI integration: exits non-zero on critical findings so you can gate your pipeline.

What I found scanning blockchain packages

Out of the top blockchain/Web3 npm packages:

  • ethers - CRITICAL (ECDSA/secp256k1 signing)
  • web3 - CRITICAL (ECDSA/secp256k1 signing)
  • bitcoinjs-lib - CRITICAL (ECDSA/secp256k1)
  • elliptic - CRITICAL (the underlying curve library everything else uses)
  • ethereumjs-util - CRITICAL (secp256k1 key operations)

Not a single one of the top 10 Ethereum npm packages has a post-quantum migration path documented.

"Quantum computers aren't a threat yet"

True - today. IBM's current largest quantum processor has ~1000 qubits. Breaking 256-bit elliptic curve keys requires an estimated 2,000โ€“4,000 logical (error-corrected) qubits, which translates to millions of physical qubits with current error rates.

But:

  • "Harvest now, decrypt later" attacks are already happening - adversaries are collecting encrypted traffic today to decrypt when quantum computers are ready
  • Migration takes years - the SSL/TLS ecosystem took over a decade to move from SHA-1 to SHA-256
  • NIST already standardized the replacements - there's no reason to wait

The time to audit is now, not when the threat is imminent.

Install and use

What's next

  • Solidity contract scanning (flag on-chain ECDSA-only signature schemes)
  • Per-finding migration guidance (suggest the Dilithium equivalent)
  • Integration with Chain Audit - a broader blockchain dependency risk intelligence platform

If you're building anything on Web3, run npx quantum-audit . on your project right now and drop your score in the comments. Curious what the distribution looks like across the community.

Tags: #javascript #security #blockchain #ethereum #webdev

Comments

No comments yet. Start the discussion.