Glossary — QorTrace Docs

░E█*P4P%KMC</1>KZN@MX@\UV2D$V49/J<4?5C·P&Q1TT63KPMRBP48DNRNR99▓SG2A?RC>BT74GCV7/GS23CE6*░6▒Y?B4442B#YJ>VSR#W▒RN9*H\BRQNWRRTV8TG@802G8653Y9YN░MKQ0V&B#RGH\<N▓UF8DXW▒<<SHBMG·5$W**R░8$DA&S0@░4$KU62#1<Y31$RN5N5R6RMJ>▓GVP··%NH*D8*R9ZSM@&SZG#AU3D5085SC#EUJ2>FR░T9RETR8V8ZZW548DK8<FKQ▓DKT8%B▒JA█3$?6M@U0E▒&SAJGG<$4*#Z??\UX\7BNX░░E█*P4P%KMC</1>KZN@MX@\UV2D$V49/J<4?5C·P&Q1TT63KPMRBP48DNRNR99▓SG2A?RC>BT74GCV7/GS23CE6*░6▒Y?B4442B#YJ>VSR#W▒RN9*H\BRQNWRRTV8TG@802G8653Y9YN░MKQ0V&B#RGH\<N▓UF8DXW▒<<SHBMG·5$W**R░8$DA&S0@░4$KU62#1<Y31$RN5N5R6RMJ>▓GVP··%NH*D8*R9ZSM@&SZG#AU3D5085SC#EUJ2>FR░T9RETR8V8ZZW548DK8<FKQ▓DKT8%B▒JA█3$?6M@U0E▒&SAJGG<$4*#Z??\UX\7BNX░

T8KBT85*N1Y#XH█$BVZ░&>ZR/·GF5&R··5░#X1SNJ/\F51Q█U</U2H?9ECKBC█?G&FJ44#G\FJ8▒B9UHP&<#RXK*5>1YC<▒AC<#▒<▒5>FDUFKKT<RE$#9&PK\/░>01░@FA?67Q·0EV▒$K?V▓XT$&8B>&Z03▒P\?·4>▓█H3115H\\X@H*PB·░HX$N8/7M·5Q1**▒&X8<Y/*T█▒E█4W▒N8C4?▒>@YS4*G5J5%*BXKY▒MT█QQEG7SS█A\\▒QY8█Y\*U#EY4%UQ<M/@UQR7S**2JHM55BB8>&QH4X░96░64▓@▓E7<&P$&MZ▒DN%MCS1@F$N4T8KBT85*N1Y#XH█$BVZ░&>ZR/·GF5&R··5░#X1SNJ/\F51Q█U</U2H?9ECKBC█?G&FJ44#G\FJ8▒B9UHP&<#RXK*5>1YC<▒AC<#▒<▒5>FDUFKKT<RE$#9&PK\/░>01░@FA?67Q·0EV▒$K?V▓XT$&8B>&Z03▒P\?·4>▓█H3115H\\X@H*PB·░HX$N8/7M·5Q1**▒&X8<Y/*T█▒E█4W▒N8C4?▒>@YS4*G5J5%*BXKY▒MT█QQEG7SS█A\\▒QY8█Y\*U#EY4%UQ<M/@UQR7S**2JHM55BB8>&QH4X░96░64▓@▓E7<&P$&MZ▒DN%MCS1@F$N4

Plain-English reference for the quantum, cryptography, blockchain, DeFi, and cybersecurity terms you'll meet across QorTrace reports and the wider sector.

A plain-English reference for the quantum, cryptography, blockchain, DeFi, and cybersecurity terms you'll encounter across QorTrace reports — and across the wider onchain economy.

Tip — use the right-hand letter index to jump straight to a section, or press ⌘ K / Ctrl K anywhere on the site and type a term to land on its definition.

This is a living document. If you find a term we're missing, ping hello@qortrace.com and we'll fold it in.

A

AES (Advanced Encryption Standard)

Symmetric block cipher standardised by NIST in 2001 (FIPS 197). AES-128 and AES-256 are still considered safe against classical adversaries; Grover's algorithm only halves the effective key length, so AES-256 stays quantum-safe while AES-128 is borderline.

Algorithm agility

The architectural property of being able to swap cryptographic primitives without rewriting the application around them. The single biggest determinant of how painful your PQC migration will be.

AML

Anti-Money-Laundering. Regulatory framework covering KYC, transaction monitoring, and Suspicious Activity Reports. Onchain AML providers (TRM, Chainalysis, Elliptic) score addresses by exposure to sanctioned entities.

AMM

Automated Market Maker. A DEX design that prices assets from a deterministic curve over pooled reserves rather than an orderbook. Uniswap v2's x · y = k is the canonical example; v3 added concentrated liquidity.

APT

Advanced Persistent Threat. A nation-state-grade adversary that targets a specific organisation, often over months. The presumed harvester behind most "Harvest Now, Decrypt Later" worry-sets.

Atlas

QorTrace's continuous treasury-monitoring product. Tracks PQC posture across an organisation's wallets + smart contracts and alerts on cryptographic drift.

Attestation

A signed statement that some property holds — e.g. "this binary was produced by this build pipeline." Sigstore, in-toto, and SLSA all formalise attestation formats relevant to onchain supply chains.

Audit trail

Append-only, tamper-evident log of who touched what and when. Every QorTrace audit deliverable carries a hash-chained audit trail signed by the methodology version in force.

B

BFT

Byzantine Fault Tolerance. A consensus property — the system stays correct even if up to f of 3f+1 participants are arbitrarily malicious. PBFT, HotStuff, and Tendermint all descend from this lineage.

BLS signature

Boneh–Lynn–Shacham signature scheme. Aggregatable — n signatures collapse into one — which is why Ethereum's beacon chain uses BLS for validator attestations. Vulnerable to Shor like all pairing-based schemes.

Block

The atomic ledger unit in a blockchain. Contains a header (parent hash, timestamp, Merkle root) and an ordered list of transactions.

Block explorer

Web UI that indexes a blockchain so humans can browse blocks, transactions, balances, and contract state. Etherscan, Blockstream, Solscan, Tronscan.

Bridge

Protocol that moves value or messages between two blockchains. The single most hacked surface in crypto: more than $2.5B stolen across bridge exploits since 2021. PQC migration of bridge attestation keys is one of QorTrace's top priorities for the sector.

Bytecode

The compiled, on-chain form of a smart contract — what an EVM (or eBPF, MoveVM, etc.) actually executes. Audits operate on either the source or the bytecode; QorTrace verifies both match.

C

CBDC

Central Bank Digital Currency. A central-bank-issued digital fiat. Most CBDC designs use ECDSA or Schnorr; migrating to PQC before issuance is a hard deadline several central banks are now planning against.

CertTransparency

Certificate Transparency. Append-only public logs of every TLS certificate issued, so domain owners can detect mis-issuance. The model QorTrace's hash-chained audit log is loosely inspired by.

CEX

Centralized Exchange. A custodial trading venue (Coinbase, Binance, Kraken). Holds customer assets and private keys; the prime target for both classical breach and a future HNDL decryption event.

CNSA 2.0

NSA's Commercial National Security Algorithm suite, version 2.0 (reissued September 2025). Mandates post-quantum signatures (LMS, ML-DSA) and KEMs (ML-KEM) for national-security systems by 2030 / 2035 depending on category. QorTrace's institutional benchmark for "quantum-safe today."

Commit-reveal

A two-phase scheme where a participant first publishes a hash of their value (commit) and later publishes the value itself (reveal). Used to prevent front-running, MEV extraction, and bid sniping.

Cold wallet

A wallet whose private keys never touch an internet-connected device. Hardware wallets (Ledger, Trezor), air-gapped laptops, paper wallets, etc.

Consensus

The mechanism by which a decentralised network agrees on a single canonical history. PoW (Bitcoin), PoS (Ethereum, Solana), DAG-based (Avalanche), BFT-derived (Cosmos, Aptos).

CRQC

Cryptographically-Relevant Quantum Computer. A quantum computer with enough logical qubits to break a deployed cryptosystem. Most credible near-term estimates put CRQC arrival in the early-to-mid 2030s; QorTrace's Q-Day Clock tracks the consensus median.

Cryptanalysis

The discipline of breaking cryptosystems (or proving they can't be broken). Modern cryptanalysis is both classical (algebra, lattice reductions, side channels) and quantum (Shor, Grover).

Custody

Holding someone else's private keys. Custodial: a third party signs for you. Non-custodial: you sign. Self-custody is the design assumption of most DeFi but the operational nightmare of most consumers.

CVE

Common Vulnerabilities and Exposures. The MITRE-maintained registry of disclosed software vulnerabilities. Every CVE has a CVE-YYYY-NNNN identifier.

CVSS

Common Vulnerability Scoring System. Standardised 0.0–10.0 severity score for CVEs. v3.1 is current; v4.0 launched in late 2023 and is gradually displacing v3.

D

DAO

Decentralized Autonomous Organization. A smart-contract-governed entity whose decisions are taken by token-weighted vote. Notable failures: The DAO (2016), Beanstalk (2022). Notable runtime: Uniswap, MakerDAO, Compound.

dApp

Decentralized Application. A frontend + smart-contract pair. The frontend usually still runs on classical infrastructure (Vercel, AWS) — a frequently under-noticed concentration risk.

Decoherence

The loss of quantum coherence as a qubit interacts with its environment. The fundamental engineering challenge of building useful quantum hardware.

DeFi

Decentralized Finance. Smart-contract-native financial primitives — lending, trading, derivatives, insurance — running on public chains.

DEX

Decentralized Exchange. A non-custodial trading venue, usually AMM-based. Uniswap, Curve, Balancer, dYdX (perps), Jupiter (Solana).

Digest

The fixed-length output of a hash function. Synonymous with hash in casual speech but technically distinct: digest is the value, hash is the function.

Discrete log

The mathematical problem ECDSA, ECDH, and DSA rest on. Believed hard classically, solvable by Shor's algorithm in polynomial time on a CRQC.

DORA

Digital Operational Resilience Act. EU regulation (in force January 2025) mandating ICT resilience and cryptographic agility for financial firms. PQC readiness is explicitly in scope.

DRBG

Deterministic Random Bit Generator. A pseudorandom generator seeded from true randomness. NIST SP 800-90A specifies CTR-DRBG, Hash-DRBG, HMAC-DRBG.

E

ECDH

Elliptic-Curve Diffie–Hellman. Asymmetric key-agreement protocol. Breaks under Shor; PQC replacement is ML-KEM.

ECDSA

Elliptic-Curve Digital Signature Algorithm. The signature scheme used by Bitcoin, Ethereum, and most EVM chains. Vulnerable to a sufficiently large fault-tolerant quantum computer running Shor's algorithm. PQC replacements: ML-DSA, SLH-DSA, FN-DSA.

EIP

Ethereum Improvement Proposal. The change-management process for Ethereum itself. Core EIPs ship in network upgrades; ERC-prefixed proposals are application-level standards.

EIP-4337

Ethereum standard for Account Abstraction without protocol changes — introduces a parallel UserOperation mempool and EntryPoint contract. QorTrace audits 4337 stacks for PQC-readiness of validators and paymasters.

EIP-7702

Ethereum upgrade (Pectra, May 2025) letting EOAs temporarily delegate to smart-contract code for the duration of a transaction. Massively expands the "AA surface" and the corresponding PQC audit scope.

EOA

Externally-Owned Account. An Ethereum account controlled by a private key (rather than smart-contract logic). The default account type for users.

Entropy

Randomness, measured in bits. Cryptographic operations require high-entropy sources; weak entropy is one of the most catastrophic and common failures in production crypto (cf. Debian OpenSSL 2006-2008, Bitcoin wallet collisions).

EVM

Ethereum Virtual Machine. The stack-based VM that executes Ethereum smart contracts. Solidity and Vyper compile to EVM bytecode. EVM-compatible chains include Polygon, BNB Chain, Avalanche C-Chain, Base, Arbitrum, Optimism.

F

Fault-tolerant

A quantum computer architecture that uses error correction to remain reliable despite physical-qubit decoherence. Probably the precondition for a CRQC.

Finality

The point at which a transaction is committed and cannot be rolled back. PoS chains usually have probabilistic finality (Ethereum: ~13 minutes via the checkpoint mechanism); BFT chains have deterministic finality.

FIPS 140

NIST's cryptographic module validation standard. FIPS 140-3 is current. Modules certified under FIPS 140 are the only ones US Federal systems are allowed to deploy.

FIPS 203

NIST standard for ML-KEM, the lattice-based key-encapsulation mechanism. Finalised August 2024.

FIPS 204

NIST standard for ML-DSA, the lattice-based signature scheme. Finalised August 2024.

FIPS 205

NIST standard for SLH-DSA, the hash-based signature scheme. Finalised August 2024.

FN-DSA

Falcon-based signature scheme (also called Falcon). The fourth FIPS PQ signature, smaller than ML-DSA but harder to implement constant-time.

Front-running

Observing a pending transaction in the mempool and submitting a higher-gas transaction that executes first to profit from the original. A subset of MEV.

Fuzzing

Automated mutation-based input testing. Standard equipment for serious smart contract audits: Foundry's forge fuzz, Echidna, Medusa.

G

Gas

The unit of compute on EVM chains. Each opcode has a fixed gas cost; users pay gas_used × gas_price in the chain's native asset. EIP-1559 split this into a base_fee (burnt) and a priority_fee (tip to the validator).

Genesis block

The first block of a blockchain, hardcoded into the protocol. Block height 0.

Governance

The off-protocol process by which a chain or dApp makes change decisions. On many DeFi protocols, governance is itself a smart contract (e.g. Compound's GovernorBravo).

Grover's algorithm

A quantum algorithm that gives a quadratic speedup for unstructured search, reducing brute-force key recovery from 2^n to 2^(n/2). Why AES-256 is considered safe but AES-128 is borderline.

gRPC

A high-performance RPC framework used widely by validator clients (Solana, Cosmos SDK chains, IBC relayers). Worth knowing because its TLS posture is the wire-level crypto you'll audit.

H

Hardfork

A non-backward-compatible chain upgrade. Nodes that don't upgrade fall onto a separate chain (e.g. Ethereum / Ethereum Classic, Bitcoin / Bitcoin Cash).

Hash function

A deterministic function that maps arbitrary input to a fixed-length output with three properties: pre-image, second-pre-image, and collision resistance. SHA-2, SHA-3, BLAKE3 are the modern standards.

HD wallet

Hierarchical Deterministic wallet. BIP-32-derived wallet where one seed phrase deterministically generates an infinite tree of child keys. Standard for software, hardware, and mobile wallets.

HNDL

Harvest Now, Decrypt Later. An adversary records ciphertext today, betting that future quantum hardware will let them decrypt it. The single most important threat model for long-lived secrets — private keys, vault contents, KYC archives, mnemonic phrases.

HSM

Hardware Security Module. Tamper-resistant device that performs cryptographic operations without exposing keys to software. AWS CloudHSM, Thales Luna, YubiHSM. Often FIPS 140-3 certified.

Hybrid signature

A composite signature (classical, post-quantum) that's accepted only if both pieces verify. The QorTrace-recommended migration path: deploy hybrid first, retire classical when CRQC arrival is imminent.

I

Identity

Onchain, an address. Off-chain, the linkage between an address and a human or institution. Identity primitives in crypto (ENS, Lens, Farcaster, DIDs) all ultimately rest on classical signatures and so inherit the PQ migration problem.

IBC

Inter-Blockchain Communication. The Cosmos ecosystem's native bridging protocol. PQC-relevant because IBC light clients verify counter-party signatures using ed25519 today.

Immutability

A property of public blockchains: once finalised, history cannot be altered. Often misunderstood — bridges, rollups, and CEX deposits are very much mutable until they hit a base layer.

IMC

Immutable Code. The category of bytecode that, once deployed, cannot be upgraded. Some auditors only certify IMC contracts; QorTrace certifies both, labelled distinctly.

ISO 27001

The international standard for information-security management systems (ISMS). QorTrace's customers regularly cite ISO 27001 in audit scope.

J

JIT

Just-In-Time compilation. Used by some chains' VMs (e.g. Solana via eBPF

LLVM). The JIT compiler itself is a security-relevant target: corruption there means corruption of everything it compiles.

JSON-RPC

The wire format most chains use to expose node functionality. eth_* methods, solana_*, etc. The TLS posture in front of public RPC providers (Alchemy, Infura, QuickNode) is part of an organisation's quantum surface.

JWT

JSON Web Token. A signed/encrypted token format used by web APIs. Most JWTs in production are HMAC-signed (quantum-safe) but the RSA / ECDSA variants appear in OIDC stacks and inherit the PQ migration problem.

K

KEM

Key Encapsulation Mechanism. A primitive that an encryptor uses to generate a fresh symmetric key encrypted under a recipient's public key. ML-KEM (FIPS 203) is the post-quantum standard.

KEV

Known Exploited Vulnerabilities catalogue. CISA-maintained list of CVEs that have been observed under active exploitation. Tier-1 patch-urgency signal for any operations team.

Key derivation

Deriving one or more secret keys from a master secret + context. Standards: HKDF (HMAC-based), Argon2id (password hashing → key derivation).

Key rotation

The operational practice of replacing keys on a schedule. Often skipped for "root" keys (HSM-resident, hardware-wallet-resident); these are the highest- value HNDL targets.

KMS

Key Management Service. Cloud-provider-hosted key store with HSM-backed operations (AWS KMS, GCP KMS, Azure Key Vault). The cryptographic crown jewels of most modern stacks.

KYC

Know Your Customer. Identity-verification process required of regulated custodians. The KYC document archive is one of the most quantum-sensitive secret stores any onchain business holds.

L

L2

Layer 2. A chain that inherits security from a base layer (most commonly Ethereum) while batching execution off-chain. Optimistic rollups (Arbitrum, Optimism, Base) and ZK rollups (zkSync, Linea, Scroll, Starknet).

Lattice cryptography

The family of post-quantum cryptosystems based on hardness assumptions over algebraic lattices (Learning With Errors, Module-LWE, NTRU). The dominant PQ family — ML-KEM, ML-DSA, FN-DSA all sit here.

Lending protocol

DeFi primitive that lets users deposit collateral and borrow against it. Aave, Compound, Morpho, Spark.

Liquidation

Forced sale of a borrower's collateral when their position becomes under-collateralised. The mechanism that keeps lending protocols solvent.

Liquidity

The total assets a pool / protocol can absorb without significant slippage. Onchain liquidity is measured in TVL or in pool-depth at a given spread.

LMS

Leighton-Micali Signature. Hash-based stateful signature scheme standardised by NIST (SP 800-208) and approved under CNSA 2.0. Stateful schemes are more efficient than SLH-DSA but require careful state management.

LOC

Lines of Code. A crude but useful complexity proxy. QorTrace pricing includes LOC as one signal; reviewers' effort is weighted by total LOC × code density.

M

MACI

Minimum Anti-Collusion Infrastructure. A privacy-preserving voting protocol using ZK proofs. Notable user: Gitcoin Passport, Snapshot.

Mempool

The pool of unconfirmed transactions waiting to be included in a block. The playground for front-runners, sandwichers, and search-based MEV.

Merkle tree

A hash tree that lets you prove inclusion / non-inclusion in O(log n). The backbone of every blockchain's state-commitment scheme.

MEV

Maximal Extractable Value. The total value a block producer can extract by ordering, including, or censoring transactions. Currently dominated by DEX arbitrage and liquidation sniping.

Methodology version

A pinned identifier (e.g. qortrace-method-v0.2) stamped onto every audit report. Old reports remain reproducible against the version they were scored under, so customers can trust the historical record.

Migration window

The time available to swap classical cryptography for PQC before HNDL adversaries gain decrypt capability. For a 30-year-secret stored today, the window closed the day NIST finalised FIPS 203/204/205.

Minting

Creating new tokens. Usually programmatic (ERC-20 _mint); sometimes capped, sometimes uncapped.

ML-DSA

Module-Lattice-based Digital Signature Algorithm (NIST FIPS 204). One of the standardised post-quantum signature schemes. Replaces ECDSA / RSA in CNSA 2.0.

ML-KEM

Module-Lattice-based Key Encapsulation Mechanism (NIST FIPS 203). The post-quantum KEM standard. Replaces ECDH / RSA-OAEP for key exchange.

Mnemonic

A 12 / 18 / 24-word phrase from the BIP-39 word list that encodes a wallet's master seed. Human-readable backup format for HD wallets.

MPC

Multi-Party Computation. A cryptographic technique that lets n parties jointly compute a function over their private inputs without revealing them. Used by enterprise wallet providers (Fireblocks, Copper, Coinbase Custody, Privy, Lit Protocol) for threshold signing.

Multisig

A wallet that requires m-of-n signatures to authorise a transaction. Gnosis Safe is the canonical EVM implementation.

N

NFT

Non-Fungible Token. A unique on-chain asset, usually ERC-721 or ERC-1155. Used for collectibles, in-game items, real-world-asset titles.

NIST

National Institute of Standards and Technology. US standards body that ran the multi-year post-quantum cryptography competition culminating in FIPS 203/204/205 (August 2024).

NIST CSF

Cybersecurity Framework. The NIST risk-management framework — Identify, Protect, Detect, Respond, Recover (CSF 2.0 added "Govern"). Maps cleanly onto PQC migration phases.

NIST SP 800-208

The standard governing stateful hash-based signatures (LMS, XMSS). Approved for federal use ahead of FIPS 205.

Nonce

A number used once. In transactions: an incrementing per-account counter preventing replay. In ECDSA signing: a per-signature random value; if it ever repeats, the private key falls out trivially.

Non-custodial

A service that never holds user keys. MetaMask, Phantom, Rabby, ledgered hardware wallets. The opposite of CEX custody.

O

Onchain

Anything whose source of truth lives in a blockchain's state. The opposite of off-chain (databases, oracles, indexers).

Oracle

A contract that delivers external data (prices, weather, sports scores) into a smart contract's state. Chainlink, Pyth, Redstone, UMA, RedStone. The single biggest attack surface in DeFi history measured by dollar loss.

OWASP

Open Worldwide Application Security Project. Authors of the OWASP Top 10 (web app risks) and the OWASP Smart Contract Top 10 (ETH-focused).

Oxidation

Slang for a chain or protocol becoming less maintained over time — fewer commits, stale dependencies, deprecated cryptography. QorTrace's monitoring explicitly flags oxidising stacks.

P

Paymaster

EIP-4337 contract that can sponsor gas for UserOperations. Lets dApps offer gas-free UX. Audit-relevant because a buggy paymaster is a literal "burn my ETH" surface.

PBFT

Practical Byzantine Fault Tolerance. A classic BFT consensus, ancestor of Tendermint, HotStuff, Casper FFG.

Permissionless

Anyone can join, transact, or build without gatekeeping. The defining property of public blockchains.

Phishing

Tricking a user into revealing credentials or signing a malicious transaction. The single largest dollar-loss category in crypto since 2022, overtaking smart-contract exploits.

PoS

Proof of Stake. Consensus mechanism where block production is weighted by staked capital. Used by Ethereum (post-Merge), Solana, Cosmos chains, Polkadot, Cardano, etc.

PoW

Proof of Work. Consensus mechanism where block production is weighted by compute spent on a hash puzzle. Bitcoin's mechanism.

Post-quantum cryptography

Public-key cryptography believed secure against both classical and quantum adversaries. The umbrella under which ML-KEM, ML-DSA, SLH-DSA, FN-DSA all sit.

Pre-image resistance

A property of a good hash function: given h = H(x), it should be computationally infeasible to find any x' with H(x') = h. Grover halves the effective security against quantum adversaries.

Private key

The secret value that lets the holder spend a wallet or sign as a validator. The single most sensitive object in any onchain system.

Q

Q-Day

The day a CRQC capable of breaking deployed cryptography arrives. QorTrace's Q-Day Clock tracks the median expert estimate; the live counter ticks down on the Threat Radar.

qortrace-method-v0.2

The currently published methodology version. Sets the rubric for audit scoring, PQC posture grading, and trust-score calculation. Each report embeds its methodology version so it stays reproducible.

QPU

Quantum Processing Unit. A quantum computer's compute fabric. Measured in physical qubits + logical qubits + gate fidelity + coherence time.

Qubit

The quantum analogue of a classical bit. Can be in superposition, entangled with other qubits, and measured to collapse into 0 or 1. Quantum advantage arises from manipulating qubits with quantum gates before measurement.

Quantum-readiness score

A single 0–100 number summarising how exposed a contract or system is to quantum threats. Combines key-scheme exposure, supply-chain crypto inventory, and migration window. Computed deterministically from the methodology rubric.

Quantum supremacy

A demonstration that a quantum computer can solve a specific (often artificial) problem faster than any classical computer. Not the same as CRQC; the gap between "supremacy benchmarks" and "breaks ECDSA" is many orders of magnitude.

Quorum

The minimum number of signers required for an action — e.g. 2-of-3 in a multisig, 2/3+1 in a BFT consensus. Quorum design is itself a security-relevant audit input.

R

Rebase

A token mechanism that periodically expands or contracts every holder's balance to track a peg. Examples: Ampleforth, OlympusDAO. Tricky to audit because the supply mutates atomically.

Reentrancy

A class of smart-contract vulnerability where a callee re-enters the caller before the caller's state mutation completes. The 2016 DAO hack was the canonical case study. Mitigated by the checks-effects-interactions pattern.

Replay attack

Replaying a previously-valid transaction or signature in a context where it should not be valid. EIP-155 introduced chain IDs to prevent cross-chain replay; many older signature schemes are still vulnerable inside a chain without explicit nonces.

RSA

Rivest-Shamir-Adleman. Asymmetric cryptosystem whose security rests on the hardness of integer factorisation. Broken by Shor's algorithm; replaced by ML-KEM (for encryption) and ML-DSA / SLH-DSA (for signatures).

Rollup

A class of L2 that posts transaction data + proofs back to L1. Optimistic rollups assume validity unless challenged; ZK rollups prove validity cryptographically.

Rug pull

A scam where a team deploys a token, attracts liquidity, then drains the pool. The single most common "exit fraud" pattern in DeFi.

S

Sandwich attack

A two-leg MEV attack: front-run a victim's swap to push the price, let the victim execute at a worse rate, then back-run to capture the spread.

Schnorr signature

A signature scheme with cleaner aggregation properties than ECDSA. Used by Bitcoin Taproot. Still classical — breaks under Shor.

SDK

Software Development Kit. Auditors evaluate SDK posture (versioning, deprecation, dependency tree) as part of supply-chain crypto inventory.

Splitting a secret into n shares such that any t recover it but t-1 reveal nothing. Shamir's Secret Sharing is the classical construction; threshold signatures are the operational extension.

Self-custody

The user controls their own keys. The defining property of a non-custodial wallet. Operationally hard at scale.

Shor's algorithm

The polynomial-time quantum algorithm that breaks ECDSA, ECDH, and RSA once enough logical qubits exist. The reason all of this matters.

Sidechain

A chain that runs in parallel to a main chain, usually with its own validator set. Distinct from a rollup because security is not inherited from the base layer.

Signature aggregation

Compressing many signatures into one verifiable object. BLS allows aggregation; ECDSA does not natively. Important because PQ signatures are significantly larger — aggregation impacts L2 data-availability costs.

Slippage

The difference between the price a user expects and the price they get. AMM trades always have non-zero slippage; the tolerance is usually a UI setting.

SLH-DSA

Stateless Hash-based Digital Signature Algorithm (NIST FIPS 205). The hash-based PQ signature alternative to ML-DSA. Larger signatures, but cryptanalytically conservative.

Smart contract

Code deployed on a blockchain that executes deterministically on chain. The asset most often audited by QorTrace.

SOC 2

American Institute of CPAs framework for service-organisation control reports. Type I = "point-in-time controls exist"; Type II = "controls operated effectively over a window." Required by most enterprise customers.

Solidity

The dominant EVM smart-contract language. C-family syntax; idiosyncrasies that drive most of the OWASP Smart Contract Top 10.

Stablecoin

A token pegged to a reference asset, usually USD. Categories: fiat-backed (USDC, USDT), crypto-collateralised (DAI), algorithmic (UST — failed), delta-neutral (USDe).

Staking

Locking tokens to participate in PoS consensus, earning yield in exchange. Slashable: validator misbehaviour costs principal.

State channel

Off-chain bilateral channel that periodically settles to L1. Lightning is the canonical example (Bitcoin); generalised state channels were the pre-rollup scaling story for Ethereum.

Supply chain (crypto)

The dependency graph of every cryptographic primitive your stack uses. The audit deliverable that comes out of the PQC Cryptographic Inventory engagement.

Sybil attack

An adversary creating many identities to gain disproportionate influence. Identity primitives and proof-of-personhood schemes exist to counter sybils.

T

Taint analysis

A static-analysis technique that tracks data flow from "tainted" sources (user input) to "sinks" (sensitive operations). Used by Slither, Aderyn, QorTrace's first-pass scanner.

Threshold signature

A signature scheme where any t-of-n participants can produce a valid signature, but t-1 cannot. Operationally close to MPC.

Timelock

A contract that delays execution of an action by a fixed period. Compound's Timelock is the canonical pattern; ubiquitous in governance.

TLS

Transport Layer Security. The wire-level encryption used by HTTPS, gRPC, RPC endpoints. PQC-relevant: TLS 1.3 hybrid handshakes (X25519+ML-KEM) are shipping in Chrome, Firefox, Cloudflare, AWS as of 2024–2025.

TPS

Transactions Per Second. A crude chain-throughput metric. Solana is typically quoted in low thousands of real TPS, Ethereum L1 at ~15, L2s varying widely.

Trust model

The set of assumptions an auditor permits — "this oracle is honest," "validators don't censor," "the deployer is not adversarial." Every audit report is conditional on its trust model.

Trust score

A 0–100 number that combines QorTrace's security score with non-cryptographic signals (test coverage, deployment hygiene, multisig posture, governance design).

TVL

Total Value Locked. The dollar value of assets deposited into a protocol. The most-quoted DeFi growth metric, though usefully critiqued (double-counts collateralised stables, sensitive to oracle pricing).

U

UserOperation

EIP-4337's pseudo-transaction object. Submitted to the AA mempool, validated by the EntryPoint, executed by a bundler.

Upgradeable contract

A smart contract whose logic can be replaced after deployment, usually via the proxy pattern (Transparent, UUPS, Beacon). Trade-off: flexibility for trust.

UTXO

Unspent Transaction Output. Bitcoin's accounting model — each transaction spends UTXOs and creates new ones. Different from Ethereum's account model.

UX (signing)

The user experience around signing. Critically under-audited surface: many losses arise from users signing what they don't understand. EIP-712 structured-data signing is one mitigation.

V

Validator

A node that participates in consensus. In PoS, validators stake capital and earn rewards; misbehaviour can be slashed.

VDF

Verifiable Delay Function. A function that requires T sequential computation steps and produces a verifiable result. Used in randomness beacons (Ethereum's eventual RANDAO upgrade).

Vault

A smart contract that holds and manages user deposits, usually with a yield strategy. Yearn, Morpho vaults, Sommelier.

VM

Virtual Machine. The execution layer that runs smart-contract bytecode. EVM, SVM (Solana), MoveVM (Aptos, Sui), CosmWasm, BPF.

VPN

Virtual Private Network. Wire-level wrapper that protects traffic from local-network adversaries. Most enterprise VPNs run IPsec or WireGuard; both are migrating to PQ-hybrid handshakes.

W

Wallet

The container — software, hardware, or paper — that holds a user's private keys and signs transactions on their behalf. Categories: cold / hot, custodial / non-custodial, single-sig / multisig, EOA / smart-contract (AA).

Whitehat

A security researcher who reports vulnerabilities responsibly, typically via a bug-bounty program (Immunefi, HackerOne) or direct disclosure. Distinct from blackhat (exploits for personal gain) and greyhat (extracts to "return" funds).

Withdrawal credential

Ethereum-staking-specific. Determines who can withdraw a validator's stake. Migration from 0x00 (BLS) to 0x01 (ETH1 EOA) was a major operational event for ETH stakers.

Wormhole

A high-profile cross-chain bridge between Solana, Ethereum, and others. Famous as a case study after a $325M signature-verification exploit in 2022.

X

X.509

The standard certificate format that powers TLS, S/MIME, code signing. PQ migration of the X.509 ecosystem is a multi-year effort coordinated by the IETF LAMPS working group.

XMSS

eXtended Merkle Signature Scheme. Stateful hash-based PQ signature standard (RFC 8391, [NIST SP 800-208](#nist-sp-800-208)). Approved for federal use ahead of FIPS 205.

Y

Yield

The annualised return on a DeFi position. Native (staking rewards, lending interest), incentive (token emissions), or strategy-derived (LP fees + auto-compounding).

Yield farming

Aggressively rotating capital across DeFi protocols to maximise incentive yield. The mode that ignited the 2020 DeFi summer.

Z

Zero-day

A vulnerability disclosed publicly before a patch exists. Distinct from "N-day" (patch exists but not deployed).

Zero-knowledge proof

A cryptographic proof that lets a prover convince a verifier of a statement without revealing anything beyond its truth. Modern flavours: zk-SNARKs, zk-STARKs, Plonk, Halo2, Groth16. Most current SNARKs use pairing-based crypto — still classical, breaks under Shor — though zk-STARKs and several newer constructions are PQ-friendly.

ZK-rollup

An L2 that proves the validity of every batch with a ZK proof. Linea, zkSync, Polygon zkEVM, Scroll, Starknet.

ZTA

Zero Trust Architecture. A security model that assumes no implicit trust based on network location. NIST SP 800-207. Frequently combined with PQC migration roadmaps because both touch identity, transport, and key management.

Last updated: May 2026 · qortrace-method-v0.2. Spot something missing? Open an issue or email hello@qortrace.com.

Glossar8

A