Post-Quantum Cryptography in Web3: Why Your Blockchain Security May Already Be Obsolete

Post-quantum cryptography is no longer a theoretical concern for future security teams. Quantum computing advancements are placing today's cryptographic standards — ECDSA, RSA, ECC — under genuine long-term threat. For Web3 companies managing billions in digital assets, this introduces a new class of existential risk. And the most dangerous attacks may already be in progress — harvesting encrypted data now to decrypt it later, waiting for quantum capability to catch up.
ECDSA & ECC — The cryptographic standards securing most blockchain wallets are vulnerable to quantum attack via Shor's Algorithm
"Harvest Now, Decrypt Later" — Attackers collecting encrypted data today to decrypt once quantum capability matures
Runtime threats — Smart contract exploits, insider risk, and protocol vulnerabilities exist regardless of cryptographic strength

What Is Post-Quantum Cryptography?

Post-quantum cryptography refers to cryptographic algorithms specifically designed to be secure against attacks from quantum computers. Current public-key cryptographic standards — including RSA, ECDSA, and elliptic curve cryptography — rely on mathematical problems that classical computers cannot solve efficiently but that quantum computers, using algorithms like Shor's, can solve in polynomial time.
What is Shor's Algorithm and why does it matter for blockchain?
Shor's Algorithm is a quantum computing algorithm that can efficiently solve the integer factorization and discrete logarithm problems that underpin RSA and elliptic curve cryptography. A sufficiently powerful quantum computer running Shor's Algorithm could derive a private key from a publicly exposed public key — and on a public blockchain, that exposure happens the moment a wallet sends a transaction. Every wallet that has ever sent a transaction has exposed its public key on-chain.
What is Grover's Algorithm and how does it affect crypto security?
Grover's Algorithm provides a quadratic speedup for searching unsorted databases — effectively halving the bit security of symmetric encryption. AES-128, for example, would provide only the equivalent of 64-bit security against a quantum adversary. This is less immediately catastrophic than Shor's impact on public-key cryptography, but still requires a response as quantum capability scales.
What is the difference between post-quantum cryptography and quantum cryptography?
Post-quantum cryptography uses classical mathematical structures that are believed to be resistant to quantum attacks — no quantum hardware is required to implement or use it. Quantum cryptography, by contrast, uses quantum mechanical principles (such as quantum key distribution) and requires quantum hardware to operate. PQC is the near-term practical response to the quantum threat. Quantum cryptography is a longer-term research direction.
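To make the "no quantum hardware required" point concrete, here is an added example (not code from the original page or from Web3Firewall) of the simplest hash-based signature scheme, a Lamport one-time signature, in plain Python. Its security rests only on the preimage resistance of SHA-256, which Grover's Algorithm weakens but does not break, so it is quantum-resistant in the sense the text describes. The OneTimeSigner wrapper, the sample message and the function names are this example's own; production systems use NIST's standardized hash-based and lattice-based schemes (SLH-DSA, ML-DSA) rather than raw Lamport keys.

```python
import hashlib
import os
from typing import Dict, List, Tuple

# Lamport one-time signature: one pair of secrets per bit of the SHA-256 message digest.
DIGEST_BITS = 256


def _digest_bits(message: bytes) -> List[int]:
    """Hash the message and return its 256 digest bits, most significant bit first."""
    digest = hashlib.sha256(message).digest()
    return [(digest[i // 8] >> (7 - (i % 8))) & 1 for i in range(DIGEST_BITS)]


def lamport_keygen() -> Tuple[List[Tuple[bytes, bytes]], List[Tuple[bytes, bytes]]]:
    """Secret key: 256 pairs of random 32-byte values. Public key: their SHA-256 images."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(DIGEST_BITS)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk


def lamport_sign(sk: List[Tuple[bytes, bytes]], message: bytes) -> List[bytes]:
    """For each digest bit, reveal the secret from the half of the pair that bit selects."""
    return [sk[i][bit] for i, bit in enumerate(_digest_bits(message))]


def lamport_verify(pk: List[Tuple[bytes, bytes]], message: bytes, signature: List[bytes]) -> bool:
    """Accept only if every revealed secret hashes to the public-key half the bit selects."""
    if len(signature) != DIGEST_BITS:
        return False
    bits = _digest_bits(message)
    return all(hashlib.sha256(signature[i]).digest() == pk[i][bits[i]] for i in range(DIGEST_BITS))


class OneTimeSigner:
    """Holds one Lamport key pair and enforces the scheme's single-use rule.

    Signing two different messages with the same key reveals secrets from both halves of
    many pairs, which is why unmanaged reuse is unsafe; stateful (XMSS) and stateless
    (SPHINCS+/SLH-DSA) hash-based schemes exist precisely to lift this burden from users.
    """

    def __init__(self) -> None:
        self.sk, self.pk = lamport_keygen()
        self.used = False

    def sign(self, message: bytes) -> List[bytes]:
        if self.used:
            raise RuntimeError("Lamport key already used; generate a fresh key pair")
        self.used = True
        return lamport_sign(self.sk, message)


def demo() -> Dict[str, bool]:
    """Sign a constructed message and check the properties a verifier relies on."""
    signer = OneTimeSigner()
    message = b"transfer 100 units to vault-7"  # constructed sample message
    signature = signer.sign(message)
    tampered = list(signature)
    tampered[0] = bytes(32)  # corrupt the first revealed secret
    try:
        signer.sign(b"a second message")
        refused = False
    except RuntimeError:
        refused = True
    return {
        "valid_signature_verifies": lamport_verify(signer.pk, message, signature),
        "other_message_rejected": not lamport_verify(signer.pk, b"transfer 100 units to elsewhere", signature),
        "tampered_signature_rejected": not lamport_verify(signer.pk, message, tampered),
        "second_use_refused": refused,
    }


if __name__ == "__main__":
    print(demo())
```

The cost of this simplicity is size: a public key is 16 KiB and a signature 8 KiB, against 33 and roughly 64 bytes for secp256k1 ECDSA, which is one reason migration of blockchain signing is an infrastructure project rather than a drop-in swap.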

Why This Matters for Web3 Right Now

Most blockchain systems — including Ethereum, Bitcoin, and the vast majority of DeFi protocols — rely on elliptic curve cryptography for wallet security and transaction signing. This creates specific and concrete exposure as quantum computing capability develops.
The public key exposure problem
Every wallet address on a public blockchain is derived from a public key. Once a wallet has sent a transaction, its public key is permanently exposed on-chain. A quantum attacker with sufficient capability could derive the private key from that public key, execute unauthorized withdrawals, and drain the wallet without any other vulnerability being required. The attack surface is every wallet that has ever transacted on a public blockchain.
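The exposure rule above is mechanical enough to audit from transaction history, so here is an added example (not from the page or from Web3Firewall's product) that walks a constructed ledger and reports which wallets have revealed their public keys by signing a spend, which of those hold high-value balances, and which have been dormant; this is the inventory that Step 1 of the action plan later on the page calls for. The address model matches Ethereum and Bitcoin pay-to-public-key-hash: an address is a hash, and the key itself only appears when the wallet signs. All addresses, balances, thresholds and the Tx/WalletExposure types are this example's own constructions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Tx:
    """A constructed on-chain transfer. The sender signed it, so the sender's public key is
    recoverable from the signature; the receiver is only ever named by address (a hash)."""
    sender: str
    receiver: str
    value: float
    block: int


@dataclass
class WalletExposure:
    address: str
    balance: float
    public_key_exposed: bool
    last_active_block: Optional[int]
    dormant: bool
    tier: str


def audit_exposure(starting_balances: Dict[str, float], txs: List[Tx], current_block: int,
                   high_value: float = 100.0, dormant_blocks: int = 100) -> Dict[str, WalletExposure]:
    """Replay the ledger and classify every address by quantum exposure."""
    balances = defaultdict(float, starting_balances)
    exposed = set()
    last_active: Dict[str, int] = {}
    for tx in sorted(txs, key=lambda t: t.block):
        balances[tx.sender] -= tx.value
        balances[tx.receiver] += tx.value
        exposed.add(tx.sender)  # only signing a spend reveals the public key
        for addr in (tx.sender, tx.receiver):
            last_active[addr] = max(last_active.get(addr, tx.block), tx.block)
    report: Dict[str, WalletExposure] = {}
    for addr, bal in balances.items():
        is_exposed = addr in exposed
        last = last_active.get(addr)
        dormant = last is not None and current_block - last >= dormant_blocks
        if not is_exposed:
            tier = "unexposed"  # only the address hash is on-chain; Shor's needs the key
        elif bal >= high_value:
            tier = "exposed-high-value"
        else:
            tier = "exposed"
        report[addr] = WalletExposure(addr, round(bal, 8), is_exposed, last, dormant, tier)
    return report


def prioritised(report: Dict[str, WalletExposure]) -> List[str]:
    """Order addresses for remediation: exposed, high-value and dormant ones first."""
    order = {"exposed-high-value": 0, "exposed": 1, "unexposed": 2}
    return sorted(report, key=lambda a: (order[report[a].tier], not report[a].dormant, -report[a].balance))


# Constructed sample data; the addresses are placeholders, not real accounts.
SAMPLE_BALANCES = {"0xTREASURY": 10_000.0, "0xCOLD": 5_000.0, "0xUSER": 10.0}
SAMPLE_TXS = [
    Tx("0xTREASURY", "0xOPS", 500.0, block=100),
    Tx("0xOPS", "0xVENDOR", 50.0, block=200),
    Tx("0xUSER", "0xOPS", 5.0, block=210),
]

if __name__ == "__main__":
    rep = audit_exposure(SAMPLE_BALANCES, SAMPLE_TXS, current_block=280)
    for addr in prioritised(rep):
        print(rep[addr])
```

In the sample, the treasury is the worst case: it has signed, holds the largest balance and has been silent since block 100, so a key derived from its exposed public key could be used without any on-chain warning. A common interim mitigation is to move such balances to a fresh address that has never signed, which keeps its public key off-chain until a quantum-resistant scheme is in place.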
The Harvest Now, Decrypt Later risk
The quantum threat is not purely future-dated. Adversaries with long-term strategic interests — nation-state actors, well-resourced criminal organizations — can collect and store encrypted data, transaction records, and public keys today, at relatively low cost. Once quantum computing capability matures to the threshold required to break current cryptographic standards, that stored data becomes decryptable retroactively. Sensitive transactions conducted today under current cryptographic standards may be exposed to future quantum decryption.
NIST PQC standardization
The U.S. National Institute of Standards and Technology has been running a multi-year process to evaluate and standardize post-quantum cryptographic algorithms. This process — and the urgency it signals — reflects the assessment of national security agencies that the quantum threat timeline is real enough to require proactive standardization now, not after quantum capability matures.

The Gap — What PQC Does Not Solve

Post-quantum cryptography addresses a specific and important problem: protecting cryptographic keys and signatures against quantum computational attacks. It does not address the broader attack surface that Web3 protocols and financial institutions face today.
Smart contract exploits occur through logic vulnerabilities in contract code — reentrancy, access control failures, oracle manipulation. These exploits are entirely independent of the cryptographic strength of the underlying signature scheme. A PQC-secured wallet signing a transaction that calls a vulnerable contract is still exploited.
Behavioral anomalies and insider threats are detectable through transaction pattern analysis — unusual approval scopes, atypical counterparties, transaction flows inconsistent with historical baselines. PQC provides no visibility into whether a cryptographically valid transaction is economically or behaviorally anomalous.
Wallet compromise through non-cryptographic vectors — phishing, malicious dApps, social engineering, supply chain attacks — remains fully effective regardless of the underlying signature algorithm. A user tricked into signing a malicious transaction with a PQC key has still signed a malicious transaction.
Protocol vulnerabilities in DeFi systems — flash loan attacks, governance manipulation, liquidity exploitation — are economic and logical in nature. They exploit the rules of the protocol, not the cryptographic primitives securing it.
The strategic insight most security teams miss: the industry asks "how do we protect against quantum attacks?" The better question is "how do we secure transactions across both present and future threat models?" These require different and complementary tools.

The Winning Strategy — PQC Plus Runtime Protection

Post-quantum cryptography and real-time transaction intelligence are not alternatives — they address different layers of the threat stack and are most effective in combination.

Security layer | Purpose | Threat category covered
Post-quantum cryptography | Future-proof encryption and signature schemes | Quantum decryption of private keys and historical transactions
Real-time transaction intelligence | Pre-execution behavioral analysis and enforcement | Smart contract exploits, behavioral anomalies, wallet drainers, insider threats
Audit-ready logging | Evidence of effectiveness and incident records | Regulatory compliance, post-incident analysis

A protocol that implements PQC but lacks runtime transaction monitoring is protected against a threat that does not yet exist at scale — while remaining exposed to the exploits, drainers, and behavioral attacks that are causing losses today. A protocol with strong runtime protection but legacy cryptography is protected from today's threats while accumulating cryptographic exposure for the future.
The complete security stack addresses both.

Action Plan for Web3 Security Leaders

Step 1: Audit your cryptographic exposure
Identify all wallets that have previously sent transactions and therefore have exposed public keys on-chain. Evaluate which wallets hold high-value assets and face the most material quantum exposure. Assess the long-term sensitivity of transactions that have been conducted under current cryptographic standards — data that may be subject to Harvest Now, Decrypt Later collection.
Step 2: Monitor NIST PQC standardization and plan migration
Track the NIST post-quantum cryptography standardization process and the algorithms it is certifying. Begin planning for hybrid cryptographic models — transitional architectures that maintain compatibility with current systems while introducing quantum-resistant signature schemes alongside them. Identify the dependencies in your stack (wallet software, signing infrastructure, smart contract interfaces) that will require updates during migration.
Step 3: Deploy runtime transaction protection now
PQC migration is a medium-to-long-term infrastructure project. Runtime transaction protection addresses the attack surface that exists today. Deploy pre-transaction simulation to evaluate transaction outcomes before execution. Implement behavioral anomaly detection to identify deviations from established baselines. Establish policy-based enforcement to hold or block anomalous transactions before they reach the network. These controls operate independently of the underlying cryptographic scheme and remain effective regardless of where PQC migration stands.
Step 4: Implement continuous monitoring
Establish continuous monitoring of wallet activity, approval scopes, and counterparty risk across all operational addresses. Dormant wallets that suddenly become active, approval patterns that change without corresponding operational changes, and transaction flows inconsistent with historical behavior are all detectable signals that precede many common attack patterns — including reconnaissance behavior that may precede a coordinated exploit.
Step 5: Build audit-ready records
Both regulatory requirements and post-incident analysis require verifiable records of security decisions and risk evaluations. Ensure that every transaction simulation, monitoring alert, and policy enforcement decision is logged with full context — not just that controls exist, but that they operated and produced documented outcomes.
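Steps 3 to 5 describe one pipeline, so here is an added example (not Web3Firewall's code) of how its parts fit together: a constructed SimulatedOutcome stands in for what a pre-broadcast simulator would report (asset movements and approvals granted), a per-wallet baseline supplies the behavioral reference, a policy turns risk signals into allow/hold/block decisions, and every decision is written to an audit log with its full context. Note that nothing in it looks at the signature algorithm, which is the point the text makes. The weights, thresholds, field names and all sample data are this example's assumptions.

```python
import json
from dataclasses import asdict, dataclass, field
from typing import Dict, List, Optional, Set, Tuple

UNLIMITED = 2**256 - 1  # uint256 max, commonly used for "infinite" ERC-20 approvals


@dataclass
class SimulatedOutcome:
    """What a pre-broadcast simulation would report for one proposed transaction.
    Constructed here; in practice it comes from executing the tx against forked state."""
    tx_id: str
    sender: str
    block: int
    transfers: List[Tuple[str, str, float]] = field(default_factory=list)  # (asset, to, amount)
    approvals: List[Tuple[str, str, int]] = field(default_factory=list)    # (asset, spender, amount)


@dataclass
class WalletBaseline:
    known_counterparties: Set[str]
    max_outbound: float      # largest single outbound transfer seen historically
    last_active_block: int


@dataclass
class Policy:
    hold_threshold: int = 30
    block_threshold: int = 70
    dormant_blocks: int = 50_000
    value_multiplier: float = 3.0


def score_outcome(outcome: SimulatedOutcome, baseline: WalletBaseline, policy: Policy) -> Tuple[int, List[str]]:
    """Compare the simulated effects with the wallet's baseline and accumulate risk signals."""
    signals: List[str] = []
    total = 0
    for asset, to, amount in outcome.transfers:
        if to not in baseline.known_counterparties:
            signals.append(f"transfer of {amount} {asset} to new counterparty {to}")
            total += 25
        if amount > policy.value_multiplier * baseline.max_outbound:
            signals.append(f"transfer of {amount} {asset} exceeds {policy.value_multiplier}x historical max")
            total += 35
    for asset, spender, amount in outcome.approvals:
        if amount == UNLIMITED:
            signals.append(f"unlimited {asset} approval to {spender}")
            total += 40
        if spender not in baseline.known_counterparties:
            signals.append(f"approval to unknown spender {spender}")
            total += 25
    if outcome.block - baseline.last_active_block >= policy.dormant_blocks:
        signals.append("dormant wallet reactivated")
        total += 20
    return min(total, 100), signals


def evaluate(outcome: SimulatedOutcome, baseline: WalletBaseline, policy: Optional[Policy] = None,
             audit_log: Optional[List[str]] = None) -> Dict:
    """Score, decide, and record the decision with the evidence it was based on."""
    policy = policy or Policy()
    score, signals = score_outcome(outcome, baseline, policy)
    if score >= policy.block_threshold:
        decision = "block"
    elif score >= policy.hold_threshold:
        decision = "hold"  # parked for human review before it can reach the network
    else:
        decision = "allow"
    record = {"tx_id": outcome.tx_id, "sender": outcome.sender, "score": score, "signals": signals,
              "decision": decision, "policy": asdict(policy), "simulated": asdict(outcome)}
    if audit_log is not None:
        audit_log.append(json.dumps(record, sort_keys=True))  # one self-contained line per decision
    return record


# Constructed baseline and transactions; addresses are placeholders, not real accounts.
TREASURY_BASELINE = WalletBaseline({"0xOPS", "0xPAYROLL"}, max_outbound=500.0, last_active_block=1_000)
ROUTINE = SimulatedOutcome("tx-routine", "0xTREASURY", block=1_500, transfers=[("ETH", "0xOPS", 300.0)])
OVERSIZED = SimulatedOutcome("tx-oversized", "0xTREASURY", block=1_600, transfers=[("ETH", "0xOPS", 2_000.0)])
DRAINER = SimulatedOutcome("tx-drainer", "0xTREASURY", block=60_000,
                           transfers=[("ETH", "0xUNKNOWN", 4_000.0)],
                           approvals=[("USDC", "0xUNKNOWN", UNLIMITED)])

if __name__ == "__main__":
    log: List[str] = []
    for outcome in (ROUTINE, OVERSIZED, DRAINER):
        rec = evaluate(outcome, TREASURY_BASELINE, audit_log=log)
        print(rec["tx_id"], rec["decision"], rec["score"], rec["signals"])
```

The oversized transfer to a known counterparty lands in "hold" rather than "block": it may be a legitimate operational change, and the policy reflects that by routing it to review. The drainer pattern trips every signal at once, including dormant-wallet reactivation, and the log line carries the simulated effects, so a post-incident reviewer can see exactly what the control saw.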

How Web3Firewall Addresses the Runtime Layer

While PQC protects against future cryptographic threats, Web3Firewall addresses the attack surface that exists today — and that will continue to exist regardless of what happens to the underlying cryptographic standards.
Pre-broadcast transaction simulation
Every transaction is simulated before it reaches the network, revealing the actual outcome — asset movements, approval grants, contract state changes — independently of the source that constructed it or the cryptographic scheme that signed it. Anomalous or malicious transactions are detectable at the simulation layer even when they carry cryptographically valid signatures.
AI-powered behavioral anomaly detection
Transaction patterns, counterparty relationships, value flows, and approval scopes are analyzed against established behavioral baselines. Deviations — including the reconnaissance and probing behavior that often precedes a coordinated exploit — are surfaced as risk signals before they result in confirmed losses.
Real-time risk scoring
Every transaction receives a risk assessment based on simulation output, behavioral analysis, and counterparty risk intelligence — before execution. High-risk transactions are held, blocked, or escalated according to customer-defined policy, within configured workflows and integrations.
Wallet monitoring
Active wallets are monitored continuously for unusual activity patterns. Dormant wallets that see unexpected activity — a particularly relevant signal in the context of long-term adversarial reconnaissance — are flagged automatically.
Audit-ready records
Every simulation run, risk signal, monitoring alert, and policy decision is logged with full execution context, producing the evidentiary records that demonstrate security effectiveness to regulators, governance bodies, and post-incident reviewers.

Who Needs to Act Now

Exchanges and custodians

Managing customer funds at scale creates both present-day behavioral attack risk and long-term cryptographic exposure. Both layers require active investment. Customer fund losses — whether from today's exploits or future quantum decryption — carry regulatory, reputational, and legal consequences.

DeFi protocols

Protocol treasuries, operational wallets, and the smart contract interfaces that users interact with face exposure across both layers. Runtime protection addresses the exploits happening today. PQC planning addresses the cryptographic exposure accumulating with every on-chain transaction.

Institutional investors in digital assets

Long-term holdings in wallets that have transacted face quantum exposure that grows as quantum computing capability develops. Harvest Now, Decrypt Later risk is particularly relevant for institutional positions that are intended to be held for years.

Compliance and risk teams

The convergence of present-day security requirements and emerging quantum risk creates a complex compliance environment. Pre-transaction controls, behavioral monitoring, and audit-ready logging address the immediate regulatory direction. PQC planning addresses the longer-term cryptographic standard evolution that regulators will eventually require.

Developers building Web3 infrastructure

Cryptographic choices made during development determine future migration complexity. Building with PQC awareness now reduces the upgrade burden later. Integrating runtime security controls at the infrastructure level provides protection across all applications built on top.

Protect Your Transactions Before and After the Quantum Shift

Post-quantum cryptography addresses the cryptographic threat that is coming. Web3Firewall addresses the behavioral and exploit threats that are here now. Together they form the complete security stack — protection across present and future threat models.

Frequently Asked Questions

What is post-quantum cryptography?

Post-quantum cryptography refers to cryptographic algorithms designed to remain secure against attacks from quantum computers. Current public-key cryptographic standards — RSA, ECDSA, and elliptic curve cryptography — can be broken by a sufficiently powerful quantum computer running Shor's Algorithm. Post-quantum cryptographic algorithms are built on mathematical problems that are believed to be resistant to quantum computational attacks.

How does quantum computing threaten blockchain security?

Most blockchain wallets use elliptic curve cryptography. Once a wallet sends a transaction, its public key is permanently exposed on-chain. A quantum computer with sufficient capability could use Shor's Algorithm to derive the private key from that public key, enabling unauthorized fund withdrawals without any other vulnerability being required. Every wallet that has ever transacted on a public blockchain has exposed its public key.

What is a Harvest Now, Decrypt Later attack?

A Harvest Now, Decrypt Later attack involves collecting and storing encrypted data, transaction records, or public keys today — when quantum computing capability is insufficient to break current cryptographic standards — with the intention of decrypting that stored data once quantum capability matures. This means the quantum threat is not purely future-dated: sensitive information secured under current standards may already be targeted for future decryption.

Is post-quantum cryptography available now?

Yes. NIST has been running a standardization process for post-quantum cryptographic algorithms and has certified several for use. PQC algorithms can be implemented without quantum hardware — they use classical mathematical structures believed to be resistant to quantum attack. Migration from current standards to PQC standards requires infrastructure planning but is technically feasible today.

Does post-quantum cryptography protect against smart contract exploits?

No. Post-quantum cryptography protects against cryptographic attacks — specifically, the derivation of private keys from exposed public keys by quantum computers. It does not protect against smart contract logic vulnerabilities, behavioral anomalies, wallet drainers, insider threats, or supply chain attacks. These require runtime transaction monitoring and behavioral analysis operating at the execution layer.

What should Web3 security teams do now to prepare for quantum threats?

Audit cryptographic exposure by identifying wallets with exposed public keys. Monitor NIST PQC standardization and begin planning for hybrid cryptographic migration. Deploy runtime transaction protection — pre-transaction simulation, behavioral anomaly detection, and policy-based enforcement — to address the attack surface that exists today, independently of where PQC migration stands. Implement continuous wallet monitoring and build audit-ready records of security decisions and outcomes.