The rise of stablecoins

Stablecoin provider Circle went public on June 5, 2025. Circle’s share price rocketed from the $31 offer price to well over $100 within the first two days of trading. Markets are betting that stablecoins, and USDC in particular, will sit at the heart of tomorrow’s payment rails. 

This isn’t as far-fetched as it may seem. Earlier this month Stripe announced a partnership with Shopify that will enable merchants to accept USDC stablecoin payments. In 2024, the token settled more than $6 trillion on‑chain, a figure that tops Visa’s annual volume. Even central banks are experimenting with digital currencies modeled on the same idea.

Yet one hard question hangs over every dollar‑pegged coin: what happens when quantum computers can break the cryptography that guards the keys?

Smart contracts & stablecoins

If you’ve read part one, you should be familiar with what stablecoins are, how they work, and what a smart contract is. The tl;dr is that stablecoins are implemented as smart contracts and that once deployed, the code and its storage are public and permanent. Assets held by a contract are therefore “self‑custodied” by the program itself, and access to any privileged function is gated on the caller’s address (msg.sender), which the network establishes by verifying the secp256k1 ECDSA signature on the transaction. Ordinary contracts are immutable, so large projects such as USDC rely on an upgradeable‑proxy pattern to keep the option of changing logic while preserving balances.

A quick aside on the upgradeable-proxy pattern. You can think of it largely like DNS. Users can always go to https://www.projecteleven.com; this address won’t change. Under the hood, however, we can change our implementation code and servers to alter the website’s functionality, for example by adding a new page. This allows us to make critical changes without forcing users to learn a new address.

A threat analysis of USDC

USDC’s public address on Ethereum, 0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48, is only a proxy called FiatTokenProxy; you can view the contract here. The proxy contains two critical storage slots: one that points to the current implementation contract (the real logic) and one that stores the proxy‑admin address that is allowed to change that pointer. When Circle wants to ship a new version (v2, v2.1, v2.2 and so on), it deploys fresh logic as a new implementation contract and has the proxy‑admin call upgradeTo(newImplementation) (or upgradeToAndCall when the new logic also needs an initializer run). The current implementation contract FiatTokenV2_2 can be found here. All token balances and allowances stay in the proxy’s storage, so users do not notice anything except an Upgraded event. Because of this design, the proxy‑admin is the highest‑privilege role in the system: compromise it and you can swap in malicious code that changes balances, bypasses freezes, or even bricks the token. Essentially, whoever controls the proxy-admin’s signing keys controls all USDC that exists.

The implementation contract itself, the one the proxy points to, defines a second layer of roles. At the top is the owner, an address able to reassign the other administrative roles. One level down sits the MasterMinter, who may authorize ordinary Minters and set their minting ceilings. Minters are the addresses that actually call mint() and place new USDC in circulation. Separate roles exist for operational controls: the Pauser can halt every transfer with a single pause() call, and the Blacklister can freeze or unfreeze specific addresses. In practice, Circle keeps the proxy‑admin and owner inside multisignature wallets so that several distinct keys must sign before an upgrade or ownership change is accepted. By contrast, on-chain history shows that the Blacklister, MasterMinter, and most active minters were plain externally owned accounts (EOAs, i.e. regular user wallets) controlled by individual keys.

Those design choices matter once quantum computing is considered. An Ethereum address is only a hash of the public key, so an account that has never signed anything exposes nothing but that hash; the moment it signs, the signature itself (r, s, v) lets anyone recover the full public key, which is how every node learns a transaction’s sender in the first place. Any EOA that has broadcast even one Ethereum transaction has therefore already revealed its full public key. A sufficiently powerful quantum computer can feed that public key into Shor’s algorithm and calculate the private key in polynomial time, completely bypassing the security of secp256k1. Roles held by single keys with known public keys (Blacklister, MasterMinter and the large‑allowance minters) are therefore the cheapest quantum targets. Multisig roles raise the cost because an attacker must break enough keys to satisfy the signing threshold, but the underlying vulnerability is the same: every signer’s public key is recoverable from the signatures submitted in past multisig approvals.
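The key-exposure mechanism described above, as an added example that is not code from the original post, from Circle, or from any Ethereum client: a textbook secp256k1 implementation signs a constructed transaction digest and then recovers the signer’s public key from nothing but (digest, r, s, recid), exactly as a node does when it derives a sender. The same routine is run over a constructed 2-of-3 multisig approval to show which signers’ keys become Shor targets. The private keys, the sha256 “transaction hash” (a stand-in for keccak256 of the RLP-encoded transaction) and the HMAC nonce derivation are assumptions of the example, not Ethereum’s actual procedures.

```python
# Added example, not Circle's or Ethereum's code: a single broadcast transaction
# exposes the full secp256k1 public key that Shor's algorithm would attack.
# Python 3.8+ standard library only; the curve arithmetic is illustrative, not
# constant-time, and must never be used to sign real transactions.
import hashlib
import hmac

# secp256k1 domain parameters (the curve Ethereum and Bitcoin use for EOA keys).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                                  # p1 == -p2
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P       # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P        # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, point):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, point)
        point = ec_add(point, point)
        k >>= 1
    return acc


def sign(priv, digest):
    """ECDSA-sign a 32-byte digest, returning (r, s, recid) as an Ethereum tx does.

    Ethereum packs recid into v (27 + recid, or 35 + 2*chain_id + recid under EIP-155).
    The nonce k is an HMAC-SHA256 simplification of RFC 6979 (an assumption of this example).
    """
    z = int.from_bytes(digest, "big")
    k = int.from_bytes(hmac.new(priv.to_bytes(32, "big"), digest, hashlib.sha256).digest(), "big") % N
    rx, ry = ec_mul(k, G)
    r = rx % N
    s = pow(k, -1, N) * (z + r * priv) % N
    recid = ry & 1                      # parity of R.y (bit 1 would flag rx >= N, ~2^-128 chance)
    if s > N // 2:                      # low-s normalisation (EIP-2); negating s negates R
        s, recid = N - s, recid ^ 1
    return r, s, recid


def recover_pubkey(digest, r, s, recid):
    """Recover the signer's public key from the signature alone: Q = r^-1 * (s*R - z*G).

    This is what every Ethereum node does to learn a transaction's sender, and it is
    why the public key of any EOA that has ever signed is public information.
    """
    z = int.from_bytes(digest, "big")
    x = r + (N if recid & 2 else 0)
    y = pow((x * x * x + 7) % P, (P + 1) // 4, P)   # modular sqrt; valid because P % 4 == 3
    if (y & 1) != (recid & 1):
        y = P - y
    r_inv = pow(r, -1, N)
    return ec_mul(r_inv, ec_add(ec_mul(s, (x, y)), ec_mul((N - z) % N, G)))


def exposed_signers(approvals):
    """Distinct public keys recoverable from a batch of (digest, r, s, recid) tuples, e.g. the
    signatures packed into a multisig's execTransaction calldata. Every key here is a Shor target."""
    return {recover_pubkey(d, r, s, v) for d, r, s, v in approvals}


# Constructed sample data (hypothetical keys; never reuse fixed keys outside an example).
SIGNER_KEYS = [0x11111111111111111111111111111111,
               0x22222222222222222222222222222222,
               0x33333333333333333333333333333333]
# Stand-in for keccak256(rlp(tx)); sha256 is used so the example needs no keccak implementation.
TX_DIGEST = hashlib.sha256(b"constructed: mint 1,000,000 USDC").digest()
# A 2-of-3 approval: signers 0 and 1 sign the same digest; signer 2 never signs and stays hidden.
APPROVALS = [(TX_DIGEST, *sign(k, TX_DIGEST)) for k in SIGNER_KEYS[:2]]


def single_tx_reveals_key(priv=SIGNER_KEYS[0], digest=TX_DIGEST):
    """True iff the public key recovered from one signature equals the signer's real key."""
    return recover_pubkey(digest, *sign(priv, digest)) == ec_mul(priv, G)


if __name__ == "__main__":
    print("single signature reveals public key:", single_tx_reveals_key())
    print("keys exposed by the 2-of-3 approval :", len(exposed_signers(APPROVALS)))
```

The practical reading: the third signer of the multisig is invisible to an attacker only for as long as it never signs, which is why a threshold only raises the attacker’s workload to the number of keys that have actually appeared in approvals, not to the full signer set.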

With that in mind, several quantum‑era breach scenarios are straightforward. Breaking the MasterMinter first allows the attacker to grant themselves minter rights and create billions of unbacked USDC, collapsing the dollar peg before Circle can react. Cracking the Blacklister lets the adversary freeze exchange hot wallets or DeFi vaults at will, paralyzing large swaths of the crypto economy and extorting victims for unfreezing. If the Pauser’s key has ever been used and is therefore exposed, a quantum attacker could invoke pause() and shut down every USDC transfer on Ethereum until Circle performs an emergency upgrade. Based on our research, it is unclear whether the Pauser’s public key is known, because no pause() event has ever taken place. The ultimate nightmare is a full takeover of the proxy‑admin multisig, permitting the attacker to deploy an implementation that silently rewrites balances or steals funds outright; that requires multiple Shor runs but offers total control once achieved.

What can Circle do?

Circle’s best defenses must be put in place before a cryptographically relevant quantum computer exists. The first action would be to rotate every administrative role to post‑quantum signature schemes (ML-DSA or similar) as soon as Ethereum supports them (see here for a breakdown of post-quantum signature schemes). In the meantime, raising multisig thresholds and diversifying signers increases the quantum workload an attacker must shoulder. Minting allowances should be kept minimal and time‑locked so that even a stolen minter key cannot instantly inflate supply. Ideally, Circle would migrate to a brand-new USDC contract whose critical keys have never signed a transaction, then retire the legacy token entirely. Long-term, the whole Ethereum ecosystem needs account‑abstraction wallets that use quantum‑safe signatures by default so that every USDC holder, not only Circle, is protected.

In short, USDC’s current architecture is robust against classical attackers but rooted in cryptography that a large‑scale quantum computer will break. Because almost all privileged keys have already exposed their public components, a quantum adversary would have a clear and technically simple sequence of targets–starting with the single‑key Blacklister and MasterMinter and culminating with the multisig proxy‑admin. Unless USDC and Ethereum migrate to post‑quantum schemes before that day arrives, the first credible quantum computer could, quite literally, write its own check.

Conclusion

Stablecoins have evolved from a niche innovation into a mainstream financial instrument over the past five years. In that time, the total market capitalization of all stablecoins–including USDC–has grown 20-fold, surpassing $250 billion.

With the recent passage of the GENIUS Act establishing a regulatory framework for stablecoin issuance in the U.S., major financial institutions are now poised to enter the market. Fast forward five more years, and it’s entirely plausible that a significant share of global payments could be settled over stablecoin rails.

As discussed in this piece, custodial stablecoins like USDC remain vulnerable to quantum adversaries. The more deeply stablecoins become embedded in the U.S. financial system, the more attractive they become as targets for nation-states armed with quantum computers.

In Bitcoin, the primary motivation of an adversary would likely be to profit from lost or vulnerable assets. But stablecoins built on networks like Ethereum or Solana give a nation-state that possesses a quantum computer an opportunity to attack the financial system of an adversary directly, with little prospect of attribution.

In modern finance, confidence is everything. A successful attack wouldn’t need to drain funds–merely undermining the perceived integrity of a stablecoin could trigger a crisis of confidence and send shockwaves through markets.

That’s why it’s essential to build these systems with post-quantum security from day one.