ELLIPAL — Institutional Custody Risk Rating

LISR assessment produced by the Linkmerica Research Team. Informational only — not financial advice.

At a Glance

HIGH RISK
LISR Score
6.4
out of 10.0
Risk Tier
HIGH
lower score = lower risk
Framework
LISR v1.0
versioned + locked
Period
2026-07
Confidence: HIGH
0.0 — LOW RISK 10.0 — CRITICAL RISK

Official Product Page (External)

Affiliate disclosure: Linkmerica may earn a commission on purchases through this link at no additional cost to you. This does not influence LISR scores or risk tiers.

Key Risk Flags

  • Closed-source firmware with no reproducible builds
  • No secure element - general ARM processor used for cryptographic operations
  • Chinese supply chain with no disclosed independent manufacturing audit
  • Mobile app dependency creates additional attack surface
  • No Common Criteria or FIPS certification for institutional compliance

Category Breakdown

Score range 0.0–10.0. Lower score = lower risk in that category.

Category Score Assessment
Security Architecture 6.5 / 10.0
Air-gap architecture via QR codes provides strong physical isolation from network threats, and metal-sealed tamper-evident casing offers hardware protection. However, absence of a ...
Firmware Integrity 7.8 / 10.0
Closed-source firmware with no reproducible builds presents significant verification challenges for institutional custody. While air-gapped QR updates provide isolation, inability ...
Supply Chain Risk 7.2 / 10.0
Manufactured entirely in China by ELLIPAL Ltd with no disclosed diversification or independent supply chain auditing. Tamper-evident sealing provides post-manufacture assurance but...
Key Management 5.5 / 10.0
Standard BIP-39 implementation provides interoperability and recovery portability. However, lack of secure element means private keys exist in general processor memory without hard...
Operational Security 5.8 / 10.0
Mandatory mobile app dependency (iOS/Android) introduces additional attack vectors beyond the hardware device itself. Air-gap model limits remote exploitation but increases operati...
Recovery Risk 3.5 / 10.0
Standard BIP-39 recovery provides excellent portability to other wallet systems, reducing vendor lock-in risk. Physical tamper detection with auto-wipe protects against unauthorize...

Category breakdown reflects several structural risk properties assessed under the LISR framework. Weights and methodology are proprietary.

Analyst Notes

ELLIPAL Titan Mini 2 presents a mixed institutional custody risk profile. The air-gap architecture provides genuine isolation from network-based attacks, which is a significant security advantage. However, the absence of a secure element, closed-source firmware, Chinese supply chain concentration, and mandatory mobile app dependency create substantial risk factors for institutional custodians. Institutional custodians with strict compliance requirements — including FIPS certification, reproducible builds, and supply chain transparency — will find material gaps in ELLIPAL's public disclosures. The HIGH risk tier reflects these institutional compliance and verification limitations rather than consumer-focused security, where the device performs adequately. Recovery portability via BIP-39 is a notable strength, allowing institutional exit strategies. QUANTUM READINESS NOTE: As of June 2026, Linkmerica's monitoring has not identified a public quantum readiness statement, post-quantum cryptography roadmap, or migration plan from ELLIPAL. The device uses standard elliptic curve cryptography vulnerable to Shor's algorithm on a 2029-2035 Q-Day timeline. The ARM-based architecture (no dedicated secure element) may support firmware-level post-quantum algorithm implementation, but no timeline or commitment has been publicly disclosed. The June 22, 2026 executive orders (EO 14412, EO 14413) establishing federal PQC deadlines of 2030-2031 create a compliance reference point that institutional holders should factor into custody planning. ELLIPAL's quantum readiness posture will be formally assessed under the LISR Quantum Resistance Readiness dimension in a subsequent scoring session.

Produced by: The Linkmerica Research Team  ·  LISR v1.0  ·  Period: 2026-07  ·  Node: LM-NODE-01

Quantum Resistance Assessment

QRR CRITICAL
LISR QRR v1.0 · Scored June 28, 2026 · Federal reference: EO 14412 / 14413
QRR Score
8.7
/ 10.0
Risk Tier
CRITICAL
higher = higher risk
Federal Deadline
2030–2031
EO 14412 mandate
0.0 LOW RISK 10.0 CRITICAL
QRR CategoryScoreRisk Bar
Post Quantum Algorithm Support 9.5
Migration Roadmap 9.5
Firmware Upgrade Path 7.0
Key Migration Tooling 9.0
Regulatory Alignment 8.5
Analyst Note: ELLIPAL faces compounded quantum vulnerability from lack of secure element, absence of PQC roadmap, and air-gapped QR update model complexity. Chinese supply chain adds regulatory uncertainty in post-EO 14412 environment. ARM processor capable of updates but PQC implementation path unclear without secure element for cryptographic acceleration.
Based on publicly available information as of June 2026. EO 14412 mandates federal PQC migration by December 31, 2030. Linkmerica published independent quantum custody risk research on June 15, 2026 — one week before federal policy validated the same thesis.
Read the full Quantum Readiness Gap brief →

LISR Framework — Score Tiers

Score Range Risk Tier Institutional Guidance
0.0 – 3.5LOWSuitable for institutional consideration with standard diligence
3.6 – 6.0MODERATERequires additional controls or policy mitigations
6.1 – 8.0HIGHSignificant risk factors — limited institutional suitability
8.1 – 10.0CRITICALNot recommended for institutional custody use

What This Rating Covers

  • Security architecture and cryptographic implementation
  • Firmware integrity, transparency, and update controls
  • Supply chain provenance and anti-tamper mechanisms
  • Key management, entropy quality, and recovery standardisation
  • Operational security controls and physical attack resistance

Limitations

  • Product security posture can change with firmware or hardware updates.
  • User operational security dominates many real-world loss outcomes.
  • Internal scoring weights and evidence methodology are proprietary.
  • This is not financial advice and Linkmerica does not provide custody services.

FAQ

What does the Linkmerica ELLIPAL LISR rating represent?

A deterministic, versioned institutional custody risk assessment. Lower scores indicate lower risk. Informational only — not financial advice.

Does a lower LISR score mean funds cannot be lost?

No. Loss can still occur due to phishing, compromised recovery material, user procedural failures, or device tampering.

Does Linkmerica provide custody services or financial advice?

No. Linkmerica does not provide custody services and does not provide financial advice.

How often can the LISR rating change?

Ratings are versioned and locked at publication. New versions are issued following material firmware updates, security incidents, or scheduled review periods.

Back to homepage