
Why Ethereum Cannot Simply Add Post-Quantum Cryptography

Hegotia will add PQC signature support to Ethereum. But 'adding support' and 'being quantum-safe' are fundamentally different problems. Here is the gap.

QNTM Team | April 10, 2026 | 10 min read

Hegotia is a serious engineering effort. The Ethereum Foundation and EIP authors working on post-quantum migration deserve credit for addressing a real problem with rigorous analysis. This article is not a criticism of their competence or intentions.

It is an analysis of a structural problem that competent engineers working on Hegotia know about and have discussed publicly. The gap between “Ethereum will support PQC wallets” and “Ethereum is quantum-safe” is not a gap they are hiding. It is a gap that is genuinely very difficult to close, for reasons rooted in the design of decentralized systems.

What Hegotia Actually Proposes

Hegotia (a working name for Ethereum’s post-quantum migration fork) proposes to add support for PQC signature schemes alongside ECDSA. The primary EIPs in the Hegotia track include:

  • New transaction types that can carry PQC signatures (ML-DSA or FN-DSA)
  • New account types that use PQC public keys
  • Migration tooling for wallets to transition from ECDSA keys to PQC keys

This is technically sound. A new wallet created after Hegotia activates can use ML-DSA from the start. That wallet is quantum-safe in the same way a QNTM wallet is quantum-safe: its private key cannot be derived from its public key using Shor’s algorithm.

The problem is not what Hegotia adds. The problem is what it cannot change.

The Existing Wallet Problem

Ethereum has been running since 2015. As of 2026, there are tens of millions of active Ethereum addresses, holding collectively hundreds of billions of dollars in ETH and ERC-20 tokens. Every single one of those addresses uses ECDSA.

When you create an Ethereum wallet today, you generate a secp256k1 key pair. The private key is a 256-bit random number. The public key is derived from it using elliptic curve multiplication. The Ethereum address is the last 20 bytes of the keccak256 hash of the public key.

Before any funds are spent from the address, the public key is hidden behind the hash. This provides one layer of pre-quantum protection: an adversary would need to either invert keccak256 (classically hard, and Grover's algorithm provides a quadratic quantum speedup) or wait until the public key is revealed in a transaction.

When you spend from the address, the public key appears in the transaction. At that point, the quantum vulnerability is fully exposed. Any address that has ever spent funds has its ECDSA public key permanently recorded on-chain.

After Hegotia, those existing addresses are not migrated. They are not patched. They remain ECDSA addresses with all the quantum exposure that implies.

The only path forward for existing address holders is voluntary migration: create a new PQC wallet, send funds to it, abandon the old ECDSA address. This requires every wallet owner, exchange, custodian, smart contract, and protocol to execute a migration correctly.

Who Will Not Migrate

Run the realistic scenarios:

Lost key holders. Chainalysis estimates 3-4 million BTC are permanently inaccessible due to lost keys. The Ethereum ecosystem has similar losses. Lost-key addresses cannot be migrated because there is no private key to sign the migration transaction.

Inactive holders. People who bought ETH in 2017, lost track of it, and may or may not rediscover it in 2030. They do not know a migration exists, will not perform it, and their funds sit in ECDSA addresses indefinitely.

Institutions with complex custody. Multi-signature Gnosis Safe deployments, exchange cold storage with air-gapped signers, hardware wallets in safe deposit boxes. Migrating these requires coordinating multiple keyholders, updating hardware wallet firmware, and regenerating quorum configurations. The operational overhead is significant, and mistakes can result in permanent fund loss.

Small balance holders. Someone with $50 of ETH in a 2019 MetaMask wallet has no economic incentive to pay $10-30 in gas fees to migrate to a new address. Rational actors with small balances will not migrate.

The deceased. Funds inherited without proper key management documentation cannot be migrated.

In aggregate: a meaningful fraction of Ethereum’s total ETH supply and ERC-20 holdings will remain in ECDSA addresses permanently. The exact fraction is unknowable, but given historical patterns with protocol migrations, it is likely above 20%.
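The exposure rule from the previous section and the holder categories above can be turned into a custody inventory check. The following is an added example, not code from Hegotia or QNTM; the account labels, balances and field names are constructed, and it also counts signatures submitted by a third party (such as the EIP-2612 permits discussed later) as exposing the public key, since any ECDSA signature that lands on-chain allows public-key recovery.

```python
from dataclasses import dataclass

ETH = 10**18

@dataclass(frozen=True)
class Account:
    label: str          # constructed label, not a real address
    balance_wei: int
    nonce: int          # transactions sent from this address
    relayed_sigs: int   # signatures submitted by others, e.g. EIP-2612 permits
    key_held: bool      # False for lost-key or undocumented inherited wallets

def classify(acct):
    """Return (exposure, action) for one ECDSA externally owned account."""
    # Any signature that reached the chain allows public-key recovery, so a
    # relayed permit exposes the key even while the account nonce is still 0.
    exposed = acct.nonce > 0 or acct.relayed_sigs > 0
    exposure = "pubkey-on-chain" if exposed else "hash-protected"
    if not acct.key_held:
        return exposure, "stranded"  # nobody can sign the migration transaction
    # A hash-protected address reveals its key on first spend: move it all at once.
    return exposure, "migrate-now" if exposed else "migrate-single-sweep"

def migration_plan(accounts):
    """Order migratable accounts: exposed keys first, then largest balance."""
    todo = [a for a in accounts if classify(a)[1] != "stranded"]
    return sorted(
        todo,
        key=lambda a: (classify(a)[0] != "pubkey-on-chain", -a.balance_wei),
    )

def stranded_fraction(accounts):
    """Share of total balance that can never leave its ECDSA address."""
    total = sum(a.balance_wei for a in accounts)
    lost = sum(a.balance_wei for a in accounts if not a.key_held)
    return lost / total if total else 0.0

SAMPLE = [  # constructed inventory
    Account("hot-wallet", 40 * ETH, nonce=912, relayed_sigs=0, key_held=True),
    Account("cold-vault", 500 * ETH, nonce=0, relayed_sigs=0, key_held=True),
    Account("permit-only", 10 * ETH, nonce=0, relayed_sigs=2, key_held=True),
    Account("lost-key", 50 * ETH, nonce=3, relayed_sigs=0, key_held=False),
]

if __name__ == "__main__":
    for a in migration_plan(SAMPLE):
        print(a.label, *classify(a))
    print(f"stranded share of balance: {stranded_fraction(SAMPLE):.1%}")
```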

The Smart Contract Problem

Ethereum’s value is not just the ETH token. It is the ecosystem of smart contracts that hold, lock, and manage ETH and ERC-20 tokens. As of 2026, hundreds of billions of dollars are deployed in smart contracts.

Many of those contracts verify ECDSA signatures directly. Examples:

Gnosis Safe (now Safe). The most widely used multisig wallet on Ethereum. Safe contracts verify ECDSA ecrecover signatures to authorize transactions. Every Safe deployment is an ECDSA verifier. Migrating a Safe to PQC requires deploying a new contract, migrating all assets to the new contract, and getting quorum approval from all existing signers using their current (ECDSA) keys.

ERC-20 permit signatures. The EIP-2612 permit function allows gasless approvals via ECDSA signatures. Dozens of major DeFi protocols use permit signatures. These are embedded in contract ABIs and would require protocol upgrades to support PQC signature types.

ECDSA-based bridges. Cross-chain bridges often use ECDSA multisig committees to authorize withdrawals. Bridge contracts are some of the most heavily audited contracts in DeFi precisely because they are high-value targets. Migrating bridge contracts to PQC signature verification requires full redeployment, re-auditing, and migration of locked funds.

Meta-transaction relayers. EIP-2771 and similar patterns involve relayers verifying user signatures before submitting transactions. If the relayer verifies ECDSA signatures, it cannot accept PQC signatures without a contract upgrade.

Each of these contracts is maintained by an independent team. Each upgrade requires a security audit, a governance vote or multisig approval, testing, deployment, and often a migration of locked assets. The coordination required is not months; it is years, and it requires simultaneous motivation from hundreds of independent teams.
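A first step for any one of those teams is to inventory where its own contracts hard-code ECDSA verification. The sketch below is an added example, not tooling from any project named above: it scans Solidity source for `ecrecover` and OpenZeppelin-style `ECDSA.recover` calls and attributes them to functions. The Solidity fragment is constructed, and the function-boundary detection is a heuristic (it splits on the `function` keyword and only understands double-quoted strings).

```python
import re

# Constructed Solidity fragment for illustration; not from any real contract.
SAMPLE_SOL = '''
contract Vault {
    // legacy note: we used ecrecover(...) before the refactor
    function withdraw(bytes32 h, uint8 v, bytes32 r, bytes32 s) external {
        address signer = ecrecover(h, v, r, s);
        require(signer == owner, "bad sig");
    }
    function permit(bytes32 digest, bytes calldata sig) external {
        require(ECDSA.recover(digest, sig) == owner, "bad sig");
    }
    function deposit() external payable { /* no signature check */ }
}
'''

# One pass over strings and comments so "//" inside a string is not a comment.
NOISE = re.compile(r'"(?:\\.|[^"\\\n])*"|//[^\n]*|/\*.*?\*/', re.S)
FUNC = re.compile(r'\bfunction\s+(\w+)')
ECDSA_CALL = re.compile(
    r'\becrecover\s*\(|\bECDSA\s*\.\s*(?:recover|tryRecover)\s*\('
)

def strip_noise(source):
    """Blank out string literals and comments so only real code is matched."""
    return NOISE.sub(lambda m: '""' if m.group(0)[0] == '"' else " ", source)

def ecdsa_verifiers(source):
    """Map function name -> count of hard-coded ECDSA recovery calls."""
    code = strip_noise(source)
    starts = list(FUNC.finditer(code))
    hits = {}
    for i, m in enumerate(starts):
        # Heuristic: a function's text runs until the next `function` keyword.
        end = starts[i + 1].start() if i + 1 < len(starts) else len(code)
        count = len(ECDSA_CALL.findall(code[m.start():end]))
        if count:
            hits[m.group(1)] = count
    return hits

if __name__ == "__main__":
    for name, count in ecdsa_verifiers(SAMPLE_SOL).items():
        print(f"{name}: {count} ECDSA verification site(s) to redesign")
```

Every function it reports is a place where accepting a PQC signature means changing and redeploying contract code, which is the per-team upgrade cost described above.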

The Immutable History Problem

Even after every living wallet owner migrates and every upgradeable contract is upgraded, the problem of historical transactions remains.

Ethereum’s history from 2015 to Hegotia activation is a permanent record of ECDSA signatures. Those signatures are not security-sensitive in the same way active wallet keys are, because the funds have already moved. But the metadata is significant.

Consider what ECDSA key recovery allows on historical transactions: linking pseudonymous addresses to real identities through on-chain behavior, cross-referencing against off-chain data leaks, and identifying clusters of addresses controlled by the same entity. This is already done with classical tools. A cryptographically relevant quantum computer (CRQC) extends this capability by allowing adversaries to verify key relationships that classical analysis can only estimate probabilistically.

For Ethereum’s privacy posture, the historical ECDSA record is a permanent liability.

The Coordination Problem Compared to Bitcoin

Bitcoin’s situation is arguably worse than Ethereum’s. Bitcoin has no migration path. There is no active PQC EIP, no Foundation coordinating upgrade planning, and Bitcoin’s conservative governance makes even uncontroversial protocol changes take years.

Bitcoin’s only realistic quantum-safety response is a full hard fork to replace ECDSA with a PQC scheme. The political and coordination overhead of such a fork would make Ethereum’s Hegotia look straightforward. And even if executed, the same problems apply: historical chain, lost wallets, address reuse.

Ethereum, at least, has active technical planning and a Foundation capable of coordinating ecosystem participants. This is a genuine advantage. Hegotia will likely succeed as an engineering deliverable. The question is what it achieves.

The Economic Incentive Misalignment

Migration has costs and risks. The gas cost of moving funds to a new address is real. The risk of making a mistake during migration (sending to the wrong address, losing access during key rotation) is real. The benefit of migration is protection against a threat that has not materialized yet.

For most ETH holders, the expected value calculation does not favor migration until the threat is imminent. By the time the threat is imminent, a large fraction of holders will have missed the window to migrate cleanly. A CRQC announcement will trigger a panic migration wave, high gas prices, mistakes, and predictable exploitation of the chaos.

Protocols that require user action to be safe, under future threat conditions that are not immediately visible, systematically underperform on safety. This is not a criticism of user behavior. It is a prediction based on how humans respond to low-probability future threats.

What a Clean-Start Chain Can Do

QNTM has no ECDSA wallets. No ECDSA contracts. No ECDSA history.

Every wallet address in QNTM’s history is ML-DSA from genesis. Every transaction ever executed on QNTM is signed with a post-quantum algorithm. There is nothing to migrate because there was never anything to migrate from.

This is a genuine structural advantage that migration chains cannot replicate by definition. QNTM cannot offer Ethereum’s ecosystem depth, its existing DeFi liquidity, or its developer tooling maturity. Those are real advantages Ethereum has earned over a decade of operation.

But Ethereum cannot offer QNTM’s clean security posture, and cannot acquire it through any fork, EIP, or migration effort. The historical ECDSA chain exists. The unmigrated wallets will exist. The unupgraded contracts will exist. Those facts cannot be forked away.

Migration chains and genesis chains are solving different problems. Ethereum with Hegotia will be better than Ethereum without Hegotia. The question is whether “better” is sufficient for the threat model.


Key Takeaways

  • Hegotia is a credible engineering effort. The structural problems described here are not hidden; they are known to the teams involved.
  • Existing ECDSA wallets will not fully migrate. Lost keys, inactive holders, and economic incentive misalignment guarantee a persistent ECDSA population on Ethereum.
  • Smart contracts that verify ECDSA signatures (Gnosis Safe, DeFi permit patterns, bridges) require independent upgrades by hundreds of separate teams. This is a multi-year coordinated effort.
  • Historical ECDSA transactions are permanent. Ethereum’s record from 2015 onward cannot be altered.
  • QNTM has no ECDSA history to migrate. This is the structural difference between a genesis PQC chain and a migration PQC chain.