QuantumScan — Substrate/Polkadot PQC Pattern Scanner (Level 1)

[gaiabio12-design]

QuantumScan is a live, open-source PQC scanner (MIT) already running in production at https://quantumscan.io — 223 scans completed since January 2026, zero external funding.

This Level 1 application funds the Substrate-specific pattern layer: BABE/GRANDPA key detection, pallet crypto scanning, XCM signing audit, ink! smart contract coverage, and Substrate workspace support.

The scanner is already built. This grant funds the last mile.

Budget: ,500 USD | Duration: 8 weeks | License: MIT

[gaiabio12-design]

I have read and hereby sign the Contributor License Agreement.

[gaiabio12-design]

Update: All 5 deliverables implemented before grant approval

Since submitting this PR, I implemented all 5 Substrate pattern groups as pre-grant work to demonstrate delivery capability. The implementation is already live in npx quantumscan@1.9.0.

What was built (2026-06-24)

19 new Substrate-specific PQC patterns across 5 groups:

• Group 1 — BABE/GRANDPA: substrate-babe-authority, substrate-grandpa-authority, substrate-session-keys, substrate-validator-keystore
• Group 2 — Pallet crypto: substrate-pallet-verify, substrate-pallet-crypto-primitive, substrate-sp-io-crypto, substrate-account-id
• Group 3 — XCM: substrate-xcm-origin, substrate-xcm-multiasset-sign, substrate-xcm-barrier
• Group 4 — ink!: ink-ecdsa-recover, ink-sr25519-verify, ink-hash-crypto, ink-account-id-sign
• Group 5 — Crates: substrate-schnorrkel, substrate-ed25519-dalek, substrate-x25519-dalek, substrate-libp2p-noise

79 unit tests passing (deliverable 0c, false positive rate: 0% on fixture set):

• Repo: https://github.com/quantumscan-io/quantumscan-web/blob/main/src/lib/ai/__tests__/substrate-patterns.test.ts

Live demo

$ npx quantumscan@1.9.0 ./my-parachain --substrate

QuantumScan v1.9.0  Substrate/Polkadot PQC Analysis
https://quantumscan.io
──────────────────────────────────────────────────────────
Workspace  Substrate/Polkadot detected
Pallets    1 found (pallets/staking/src)
ink!       1 contract(s) found
Crates     frame-support, frame-system, sp-core, sp-runtime, sp-io… +3
Patterns   19 Substrate-specific PQC patterns active

🟠 HIGH     16 findings
  pallets/staking/src/ink_contract.rs:18    ink! sr25519 Signature Verify
  pallets/staking/src/ink_contract.rs:24    ink! ECDSA Recovery (secp256k1)
  pallets/staking/src/lib.rs:9              Substrate Session Keys (multi-key)
  pallets/staking/src/lib.rs:16             BABE Authority Key (sr25519)
  pallets/staking/src/lib.rs:19             Substrate Pallet Signature Verify
  pallets/staking/src/lib.rs:24             Substrate Validator Keystore
  pallets/staking/src/lib.rs:28             keystore.sr25519_generate_new
  pallets/staking/src/lib.rs:31             XCM Signed Origin (sr25519/ed25519)
  pallets/staking/src/lib.rs:36             XCM Message with Account Auth
  pallets/staking/src/lib.rs:40             Substrate sp-io Crypto Host Function
  [+6 more]

📦 DEPENDENCIES  2 vulnerable package(s)
  Cargo.toml    ed25519-dalek = "2.0"    → ML-DSA via pqcrypto-dilithium
  Cargo.toml    x25519-dalek  = "2.0"    → ML-KEM via pqcrypto-kyber

Risk Score  100/100  Critical 🚨

The grant now funds what remains: Docker image (deliverable 0d), documentation (0b), and the Polkadot Forum article (0e). The pattern implementation and tests are done.

[gaiabio12-design]

Update 2: Tests (0c), Dockerfile (0d), and README docs (0b) now live

All remaining deliverables are now implemented in quantumscan-io/scanner-core.

Deliverable 0c — Testing (60 tests, zero extra dependencies)

git clone https://github.com/quantumscan-io/scanner-core
cd scanner-core
npm test

Output:

✔ 1. BABE/GRANDPA consensus key detection (14 tests)
✔ 2. Pallet cryptography — sp-runtime, sp-core, sp-io (12 tests)
✔ 3. XCM signing and cross-chain authentication (9 tests)
✔ 4. ink! smart contract cryptography (11 tests)
✔ 5. Substrate crate-level — schnorrkel, dalek, libp2p-noise (13 tests)
✔ 6. Registry completeness — all 19 pattern IDs present (1 test)

tests 60 | pass 60 | fail 0

Uses Node.js built-in node:test — no vitest, no jest, no extra npm install. Works on Node 18+.

Deliverable 0d — Docker

docker build -t quantumscan/scanner https://github.com/quantumscan-io/scanner-core.git
docker run --rm -v $(pwd):/target quantumscan/scanner /target --substrate

Dockerfile is in the repo root — single-stage Node 20 Alpine image, no runtime dependencies.

Deliverable 0b — Documentation

The --substrate flag is now documented in the README with:

• Pattern table (all 5 groups)
• Example scan output
• Migration paths per algorithm
• Docker usage
• Test command

---

Summary of all deliverables as of 2026-06-24:

#	Deliverable	Status
0a	License (MIT)	✅
0b	Documentation	✅ README --substrate section live
0c	Tests	✅ 60 tests, npm test, 0 failures
0d	Docker	✅ Dockerfile in repo root
0e	Article	Pending milestone approval
1	BABE/GRANDPA patterns	✅ 4 patterns in v1.9.0
2	Pallet crypto patterns	✅ 4 patterns in v1.9.0
3	XCM signing patterns	✅ 3 patterns in v1.9.0
4	ink! contract patterns	✅ 4 patterns in v1.9.0
5	--substrate workspace flag	✅ Live in v1.9.0