The first EVM-compatible, post-quantum L1.

Quantum-safe before Q-Day. No migration required.

NIST CRYSTALS-Dilithium signatures, native account abstraction, and STARK signature aggregation — running today on a Cancun-spec EVM. Solidity, Hardhat, MetaMask: unchanged.

Get on our radarRun a Devnet NodeView on GitHub
Built on:NIST FIPS 204 / 205MIT licensed0.18.0 shippedOpen source

Why now

The clock is no longer hypothetical.

Post-quantum cryptography is no longer a research topic — it is a federally-mandated transition with a published timetable.

WhenWhatWhy it matters
2024-08NIST FIPS 203/204/205 finalized[1]Kyber, Dilithium and SPHINCS+ become US federal post-quantum standards.
2025NSA CNSA 2.0 enforcement window opens[2]US National Security Systems begin mandatory PQ migration timetable.
2030–2035CRQC (cryptographically-relevant quantum computer) maturity window[3]NIST IR 8413 evaluation report: when classical asymmetric cryptography is expected to be at risk.
Today“Harvest now, decrypt later” attacks already active[4]Cloud Security Alliance: long-lived encrypted data is being collected today for future quantum decryption.
On-chain assets currently secured by ECDSA / Schnorr
>$2 Trillion
Bitcoin + Ethereum + major EVM L2 TVL, all bound to pre-quantum signatures.Migration window for an immutable chain: zero.
  1. [1][2024-08] NIST FIPS 203/204/205 finalized
  2. [2][2025] NSA CNSA 2.0 enforcement window opens
  3. [3][2030–2035] CRQC (cryptographically-relevant quantum computer) maturity window
  4. [4][Today] “Harvest now, decrypt later” attacks already active

Defensible technology

Three protocol-level designs — shipped, benchmarked, open-source.

Every claim below maps to code already in the public repository.

#01

Native post-quantum signatures

CRYSTALS-Dilithium3 (FIPS 204) by default; SPHINCS+ (FIPS 205) as conservative fallback. Verification is exposed as an EVM precompile, transparent to Solidity.

shell-crypto, shell-evm/precompiles
#02

Native account abstraction (not ERC-4337)

Three protocol-level validation paths: first-use, default account, custom validator. External addresses are 0x + 64 hex; internally still 20-byte EVM addresses, so all tooling works. Key rotation never changes the address — no bundler, no paymaster.

shell-core::transaction · ACCOUNT_ABSTRACTION_GUIDE.md
#03

STARK signature aggregation

Winterfell STARK proofs aggregate all Dilithium3 signatures in a block into a single proof. The proving pipeline is fully asynchronous — it has never blocked consensus in benchmark or soak runs. Combined with Zstd and pubkey deduplication, the three-layer pipeline reduces a 7.76 MB worst-case block (30M gas / 2 s) to ~425 KB on disk after the proving window — an ~18× end-to-end reduction. STARK peak compression is 7.1× at batch=5 (4–7× sustained).

tools/stark-bench · BENCHMARKS.md
~18×
End-to-end reduction
7.76 MB → ~425 KB · A1 Zstd + A2 dedup + A3 STARK
source: BENCHMARKS.md
157 proofs/sec
Sustained throughput
6-hour soak, 0 failures
source: BENCHMARKS.md
18.7 ms
p99 proof latency
Mean 6.4 ms / proof
source: BENCHMARKS.md

Traction

Code, not roadmaps.

Every shipped milestone links to a public release tag. Every number on this page links to a benchmark file, commit, or NIST document.

19
Rust crates
source: ShellDAO/shell-chain
1200+
Tests passing
source: ShellDAO/shell-chain
69
Audit findings closed
source: release notes
v0.18.0
Current release
Native Account Abstraction Phase 1 + Operations Hardening
source: GitHub release
  1. ShippedM13 — STARK Signature Aggregation PoC

    Winterfell prover: A3 STARK layer compresses Dilithium3 signatures 7.1× (batch=5). Combined A1+A2+A3 pipeline: ~18× end-to-end (7.76 MB raw → ~425 KB pruned).

  2. ShippedNative Account Abstraction

    Protocol-level smart accounts; pq1… Bech32m addresses; key rotation without changing address.

  3. Shipped3-way block-storage pruning

    Hot / warm / cold tiers; ZSTD compression for cold layer.

  4. ShippedStorage profiles (archive / full / light)

    Single-flag node classification; P2P StorageCapability advertisement; auto back-fill of historical bodies.

  5. ShippedSecurity & efficiency hardening

    Architecture re-split, consensus slashing wired in, network amplification fix, bounded mempool channels, supply-chain CI.

  6. ShippedNative AA Phase 1 + Operations Hardening

    Batch transactions (0x7E tx type, atomic InnerCall execution), native paymaster (sponsored gas), storage profiles CLI, Prometheus metrics, /healthz + /readyz probes, witness verification RPC.

  7. NextPublic incentivized testnet

    External validator onboarding, faucet, audit kickoff.

  8. PlannedMainnet genesis

    After audit close-out and 90-day stable testnet.

Tokenomics

Where value accrues.

SHELL is not a governance toy. Each PQ verification, each key rotation, each STARK proof directly consumes the token.

#01

Gas token

All transaction fees denominated in SHELL with EIP-1559 base fee + tip; base fee burned.

#02

Validator stake

wPoA stake-weighted proposer selection; slash conditions cover double-sign and equivocation (live since v0.17).

#03

Aggregator bond

STARK prover nodes post a SHELL bond and earn fees per accepted aggregation proof.

#04

PQ verification services

Off-chain DID resolution and key-rotation attestation are settled in SHELL.

Detailed allocation, vesting, and treasury policy are covered in the investor memo (NDA-gated).

Risk disclosure

What we are not pretending.

We surface the five risks investors most often raise. Each one is paired with a concrete, shipped or scheduled mitigation.

R01

A NIST PQ algorithm is later broken

↳ MitigationMulti-algorithm Verifier trait; new schemes can be added without a hard fork.
R02

STARK prover network centralisation

↳ Mitigationv0.18 roadmap opens proving to bonded operators with slashing.
R03

Inherited EVM vulnerabilities

↳ MitigationBuilt on revm — among the most-audited EVM implementations; 69 internal audit findings already addressed.
R04

Thin early ecosystem

↳ MitigationFull viem / Hardhat / MetaMask compatibility — any Ethereum dApp re-deploys with zero code change.
R05

Regulatory uncertainty

↳ MitigationProtocol holds no user assets; DID layer decoupled from KYC; MIT-licensed open source.
Read the full risk register →

Investors

Get on our radar.

We share testnet milestones, audit results, and token-economics updates directly with investors who register early.

No spam. One-click unsubscribe.