ELLIPAL — Institutional Custody Risk Rating
LISR assessment produced by the Linkmerica Research Team. Informational only — not financial advice.
At a Glance
HIGH RISKOfficial Product Page (External)
Affiliate disclosure: Linkmerica may earn a commission on purchases through this link at no additional cost to you. This does not influence LISR scores or risk tiers.
Key Risk Flags
- Closed-source firmware with no reproducible builds
- No secure element - general ARM processor used for cryptographic operations
- Chinese supply chain with no disclosed independent manufacturing audit
- Mobile app dependency creates additional attack surface
- No Common Criteria or FIPS certification for institutional compliance
Category Breakdown
Score range 0.0–10.0. Lower score = lower risk in that category.
| Category | Score | Assessment |
|---|---|---|
| Security Architecture | 6.5 / 10.0 |
|
| Firmware Integrity | 7.8 / 10.0 |
|
| Supply Chain Risk | 7.2 / 10.0 |
|
| Key Management | 5.5 / 10.0 |
|
| Operational Security | 5.8 / 10.0 |
|
| Recovery Risk | 3.5 / 10.0 |
|
Category breakdown reflects several structural risk properties assessed under the LISR framework. Weights and methodology are proprietary.
Analyst Notes
ELLIPAL Titan Mini 2 presents a mixed institutional custody risk profile. The air-gap architecture provides genuine isolation from network-based attacks, which is a significant security advantage. However, the absence of a secure element, closed-source firmware, Chinese supply chain concentration, and mandatory mobile app dependency create substantial risk factors for institutional custodians. Institutional custodians with strict compliance requirements — including FIPS certification, reproducible builds, and supply chain transparency — will find material gaps in ELLIPAL's public disclosures. The HIGH risk tier reflects these institutional compliance and verification limitations rather than consumer-focused security, where the device performs adequately. Recovery portability via BIP-39 is a notable strength, allowing institutional exit strategies. QUANTUM READINESS NOTE: As of June 2026, Linkmerica's monitoring has not identified a public quantum readiness statement, post-quantum cryptography roadmap, or migration plan from ELLIPAL. The device uses standard elliptic curve cryptography vulnerable to Shor's algorithm on a 2029-2035 Q-Day timeline. The ARM-based architecture (no dedicated secure element) may support firmware-level post-quantum algorithm implementation, but no timeline or commitment has been publicly disclosed. The June 22, 2026 executive orders (EO 14412, EO 14413) establishing federal PQC deadlines of 2030-2031 create a compliance reference point that institutional holders should factor into custody planning. ELLIPAL's quantum readiness posture will be formally assessed under the LISR Quantum Resistance Readiness dimension in a subsequent scoring session.
Produced by: The Linkmerica Research Team · LISR v1.0 · Period: 2026-07 · Node: LM-NODE-01
Quantum Resistance Assessment
QRR CRITICAL| QRR Category | Score | Risk Bar |
|---|---|---|
| Post Quantum Algorithm Support | 9.5 | |
| Migration Roadmap | 9.5 | |
| Firmware Upgrade Path | 7.0 | |
| Key Migration Tooling | 9.0 | |
| Regulatory Alignment | 8.5 |
LISR Framework — Score Tiers
| Score Range | Risk Tier | Institutional Guidance |
|---|---|---|
| 0.0 – 3.5 | LOW | Suitable for institutional consideration with standard diligence |
| 3.6 – 6.0 | MODERATE | Requires additional controls or policy mitigations |
| 6.1 – 8.0 | HIGH | Significant risk factors — limited institutional suitability |
| 8.1 – 10.0 | CRITICAL | Not recommended for institutional custody use |
What This Rating Covers
- Security architecture and cryptographic implementation
- Firmware integrity, transparency, and update controls
- Supply chain provenance and anti-tamper mechanisms
- Key management, entropy quality, and recovery standardisation
- Operational security controls and physical attack resistance
Limitations
- Product security posture can change with firmware or hardware updates.
- User operational security dominates many real-world loss outcomes.
- Internal scoring weights and evidence methodology are proprietary.
- This is not financial advice and Linkmerica does not provide custody services.
FAQ
What does the Linkmerica ELLIPAL LISR rating represent?
A deterministic, versioned institutional custody risk assessment. Lower scores indicate lower risk. Informational only — not financial advice.
Does a lower LISR score mean funds cannot be lost?
No. Loss can still occur due to phishing, compromised recovery material, user procedural failures, or device tampering.
Does Linkmerica provide custody services or financial advice?
No. Linkmerica does not provide custody services and does not provide financial advice.
How often can the LISR rating change?
Ratings are versioned and locked at publication. New versions are issued following material firmware updates, security incidents, or scheduled review periods.