
Six World-Leading Cryptographers Say 6.9 Million Bitcoin Are Already Quantum-Exposed

A Coinbase-commissioned panel of six cryptographers from Stanford, MIT, and the Ethereum Foundation has published the most authoritative industry assessment of the quantum threat to blockchain to date. The findings are specific, data-driven, and more urgent than most of the industry has acknowledged: millions of Bitcoin are sitting in wallets with permanently exposed public keys, and the migration problem has no clean solution on any existing chain.

Dr. Sarah Chen
May 5, 2026
[Image: Coinbase 2026 quantum threat report cover alongside Bitcoin network vulnerability analysis data]

The Most Credible Quantum Threat Assessment the Industry Has Produced

When six of the world's leading cryptographers — including professors from Stanford, the University of Texas at Austin, and UC Santa Barbara, alongside researchers from the Ethereum Foundation and Eigen Labs — publish a joint assessment of the quantum threat to blockchain, the industry should pay attention. The Coinbase Independent Advisory Board report, published in April 2026, represents the most rigorous, data-backed analysis of quantum risk to cryptocurrency networks produced by a mainstream industry body. Its conclusions are not alarmist. They are methodical, specific, and — for anyone who has been assuming there is time to wait — sobering.

6.9 Million Bitcoin With Exposed Public Keys

The most immediately striking figure in the report is the exposure count. The panel identifies approximately 6.9 million Bitcoin held in wallets whose public keys are already visible on-chain. These are not theoretical future exposures. They are addresses that have already sent at least one transaction — and in doing so, published the public key that a sufficiently powerful quantum computer running Shor's algorithm could use to derive the corresponding private key.

Within that 6.9 million figure sits a harder subset: roughly 1.7 million Bitcoin in old Pay-to-Public-Key (P2PK) format addresses, the early Bitcoin output format used by Satoshi and others in the network's first years, where funds were locked directly to raw public keys rather than to public key hashes. Unlike newer address formats, these outputs have no hash layer standing between the attacker and the key: their public keys have been on-chain since the transactions that created them, and there is no mechanism by which the owners can migrate without initiating a spend, which requires knowing the private key and actively moving the funds.
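As an added illustration (not code from the report or from this article), the following Python classifies Bitcoin output scripts by whether the spending key is already harvestable: P2PK outputs carry the raw public key in the script itself, while P2PKH and P2WPKH outputs reveal it only once the address spends. It goes one step beyond the article's P2PK case by also treating Taproot (P2TR) outputs as key-in-script, since the 32-byte x-only output key they commit to is itself a public key. The addresses, key bytes and amounts are constructed.

```python
OP_0, OP_1, OP_DUP, OP_HASH160, OP_EQUALVERIFY, OP_CHECKSIG = 0x00, 0x51, 0x76, 0xA9, 0x88, 0xAC
SATS_PER_BTC = 100_000_000

def classify_script(spk: bytes) -> str:
    """Name the output type of a scriptPubKey (standard templates only)."""
    n = len(spk)
    # P2PK: <33- or 65-byte pubkey push> OP_CHECKSIG; the raw key sits in the script
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return "P2PK"
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20]) and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return "P2PKH"
    # P2WPKH: OP_0 <20-byte hash>
    if n == 22 and spk[:2] == bytes([OP_0, 20]):
        return "P2WPKH"
    # P2TR: OP_1 <32-byte x-only output key>; the tweaked key is itself a public key
    if n == 34 and spk[:2] == bytes([OP_1, 32]):
        return "P2TR"
    return "OTHER"

KEY_IN_SCRIPT = {"P2PK", "P2TR"}  # key is public from the moment the output is created

def key_exposed(address: str, spk: bytes, spent_from: set) -> bool:
    """True if the key is already harvestable: it is in the script itself, or the
    address has spent before and so revealed the key in a scriptSig or witness."""
    return classify_script(spk) in KEY_IN_SCRIPT or address in spent_from

def exposure_report(utxos, spent_from) -> dict:
    """Tally (address, scriptPubKey, satoshis) entries into the report's buckets."""
    report = {"p2pk": 0, "other_exposed": 0, "hash_only": 0}
    for address, spk, sats in utxos:
        if classify_script(spk) == "P2PK":
            report["p2pk"] += sats
        elif key_exposed(address, spk, spent_from):
            report["other_exposed"] += sats
        else:
            report["hash_only"] += sats
    return report

# Constructed sample UTXO set: placeholder key and hash bytes, not real chain data
SAMPLE = [
    ("addr_p2pk", bytes([33, 0x02]) + b"\x11" * 32 + bytes([OP_CHECKSIG]), 50 * SATS_PER_BTC),
    ("addr_reused", bytes([OP_DUP, OP_HASH160, 20]) + b"\x22" * 20 + bytes([OP_EQUALVERIFY, OP_CHECKSIG]), 3 * SATS_PER_BTC),
    ("addr_fresh", bytes([OP_0, 20]) + b"\x33" * 20, 2 * SATS_PER_BTC),
    ("addr_taproot", bytes([OP_1, 32]) + b"\x44" * 32, 1 * SATS_PER_BTC),
]
SPENT_FROM = {"addr_reused"}  # constructed: this address has already spent once
```

Run against a real UTXO snapshot, the `spent_from` set is what turns the "hash-only" bucket into the report's 6.9 million figure: a hashed address is protected only until its first spend.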

The panel also highlights eleven large addresses that collectively concentrate approximately one million Bitcoin. Because of their size and age, these addresses serve a secondary function in the panel's threat model: they can act as quantum canaries. If any of these eleven addresses ever shows unexpected movement that cannot be attributed to a known owner, it provides strong evidence that a capable quantum attacker has begun operational cracking — an early warning that would otherwise be invisible.

The Three Engineering Milestones Nobody Has Hit Yet

The panel is careful not to predict when a cryptographically relevant quantum computer will exist. Instead, they identify three specific engineering milestones that must be achieved before such a machine is possible. As of the report's publication date, none of the three have been demonstrated at the required scale:

  • Fault-tolerant two-qubit gates reliable at scale. Current leading systems from Google and Quantinuum have demonstrated approximately 99.9% two-qubit gate accuracy on around one hundred physical qubits. The question is whether this accuracy holds as systems scale to the hundreds of thousands of qubits required for cryptographically relevant computations — and the answer is not yet known.
  • Successful execution of Shor's algorithm on small numbers. Shor's algorithm has been demonstrated on trivial inputs in laboratory settings, but never at a scale that provides any meaningful cryptographic proof of concept. A demonstration on even a modestly large number would represent a watershed milestone that the community would recognize immediately.
  • A single logical qubit maintained indefinitely through quantum error correction. Maintaining a logical qubit coherently through the millions of operations required for a Shor's attack demands error correction sustained at a scale no existing system has achieved. This is the deepest unsolved engineering challenge in the field.

The absence of these milestones does not mean the threat is distant. It means the trajectory of hardware development is the key variable — and the trajectory has been consistently compressing the timeline with each passing year of research.

The Signature Size Problem: 38× Overhead

Even setting aside the question of when quantum hardware arrives, the panel's analysis of how existing blockchains would respond to the threat reveals a set of structural problems that are genuinely difficult to solve.

The most concrete is signature size. Current Bitcoin transactions use ECDSA signatures of 64 bytes. The NIST-standardised post-quantum signature scheme ML-DSA (formerly Dilithium) produces signatures of approximately 2,420 bytes — 38 times larger. Hash-based alternatives like SLH-DSA (formerly SPHINCS+) can exceed 17,000 bytes per signature, with signing operations that are thousands of times slower than ECDSA.

For a payment network, this is not a minor inefficiency. At Bitcoin's current transaction volume, a naive migration to ML-DSA would roughly quadruple average transaction sizes and fees. At higher volumes, or on networks with more complex transaction patterns, the impact is worse. The economics of running a full node change substantially. Block propagation times increase. The bandwidth requirements for the peer-to-peer network expand. These are solvable problems, but they require architectural responses — not just an algorithm swap.

The panel notes a particular gap for Ethereum: there is currently no post-quantum equivalent for BLS signature aggregation, the cryptographic technique that compresses approximately one million Ethereum validator votes into a small, efficient proof. Existing post-quantum alternatives for aggregated signatures require interactive communication between signers, adding coordination overhead that does not exist in the current BLS design. Ethereum's post-quantum migration roadmap has to solve this problem from scratch, and no solution has yet been standardised.

What the Industry Is Actually Doing

The report surveys the current state of quantum migration across major blockchain networks, and the picture is mixed. Several networks have begun taking concrete steps; others have proposals but no implementation; and the overall pace remains slower than the panel believes is appropriate given the compressing timeline.

Algorand is the most advanced of the major networks, having already executed the first post-quantum transaction on mainnet. This is a genuine engineering milestone: not a testnet demonstration, but a live mainnet transaction using a quantum-resistant signature scheme.

Ethereum has elevated post-quantum security to a top strategic priority, forming a dedicated research team and outlining a detailed roadmap that involves hash-based signatures and SNARK-based proof aggregation to replace BLS. The roadmap is technically ambitious and does not yet have a firm delivery timeline, but it represents serious architectural engagement with the problem.

Bitcoin has a more cautious approach, as might be expected from a network that prioritises stability and backwards compatibility above most other considerations. BIP-360, a proposal for allowing wallets to hide their public keys — a partial mitigation that reduces new exposure without migrating existing exposed addresses — has been proposed but not yet activated. The governance process for any Bitcoin protocol change is slow by design.

Solana has introduced a new quantum-resistant wallet type, and Aptos has plans for single-transaction authentication key swapping. Optimism has taken the bold step of specifying a concrete migration flag day: January 2036, after which only post-quantum addresses will be valid on the network.

The panel commends the Optimism approach precisely because it sets a concrete deadline. Without one, migration tends to drift — each network operator, exchange, and wallet provider has an incentive to wait for others to move first. A flag day removes the coordination problem by making inaction the more expensive choice.

The Governance Dilemma: Flag Day or Indefinite Coexistence

Perhaps the most difficult analysis in the report concerns what to do about wallets whose owners do not — or cannot — migrate before quantum hardware arrives. This is not a marginal concern. In any realistic migration scenario for Bitcoin or Ethereum, a meaningful fraction of addresses will never migrate: lost keys, dead owners, abandoned holdings, dormant institutional custody accounts, wallets with inaccessible private keys.

The panel outlines the two available paths, and neither is comfortable.

Path one is a hard flag day. The network sets a deadline. After that date, funds in non-migrated wallets are permanently locked — effectively destroyed, or forfeited to a protocol treasury or burn address. This solves the quantum drain problem, but it destroys the assets of every wallet owner who missed the announcement, misunderstood the technical requirement, or simply no longer has access to their private key. On a network with hundreds of millions of users and a sixteen-year history of wallet creation, the collateral damage from a hard flag day could be substantial.

Path two is indefinite coexistence. The network allows both quantum-vulnerable and quantum-resistant wallets to exist simultaneously. This protects current holders from forced migration, but it accepts that once quantum hardware arrives, an attacker can drain any remaining non-migrated wallet at will. The systematic drainage of exposed wallets would represent a permanent, ongoing liquidity bleed — with each cracked wallet sending funds to a quantum-capable adversary who then converts to fiat, permanently removing liquidity from the network.

The panel's proposed middle path — capping spending rates from Satoshi-era wallets and using them as quantum canary addresses — is an elegant partial solution. But it does not resolve the fundamental dilemma for the millions of ordinary wallets that sit between the earliest P2PK outputs and the fully modern address formats.

What This Means for Networks Built After the Threat Was Understood

The panel's conclusion is worth repeating: the time to start preparing is now, not when urgency arrives. But what that means in practice depends entirely on what you are building.

For existing networks, preparation means executing difficult protocol upgrades under governance constraints, coordinating with thousands of independent validators and wallet developers, and making hard choices about the fate of unmigrated funds — all on a timeline that is compressing faster than most roadmaps anticipated.

For networks designed after the quantum threat was well understood, the calculation is different. The architectural choices that create the migration problem on Bitcoin and Ethereum — static public keys, persistent address reuse, monolithic signature schemes — were made before quantum computing was a meaningful design constraint. A network built from genesis with quantum resistance as a core requirement does not inherit those choices, and therefore does not inherit the migration problem.

TADEQS, QuanChain's wallet architecture, reflects this principle directly. Every wallet on QuanChain uses a parent/child key structure in which no public key is ever published on-chain. Funds are locked against address hashes — not public keys — and the SpendAndRotate mechanism ensures that the signing key used to authorise any transaction is immediately retired. There is no public key in the historic chain record for a quantum computer to harvest. The Coinbase panel's core concern — millions of addresses with permanently exposed public keys — structurally cannot occur on a network where public key publication was eliminated at the protocol design stage.

The panel's report is a landmark contribution to the industry's understanding of the threat. Its most important finding may be the simplest: the governance, signature size, and coexistence problems are real, they are hard, and they cannot be fully solved by retrofitting. The window to choose an architecture that does not have these problems was before genesis. For chains building now, that window remains open.

Frequently Asked Questions

How many Bitcoin are currently vulnerable to quantum attack?

The Coinbase Independent Advisory Board report identifies approximately 6.9 million Bitcoin held in wallets with publicly visible keys — representing roughly 33% of circulating supply. Within this, approximately 1.7 million Bitcoin sit in the oldest Pay-to-Public-Key format, where the public key has been permanently on-chain since the original transaction. Additionally, eleven large addresses collectively holding around one million Bitcoin are identified as potential quantum canary indicators whose unexpected movement would signal a capable quantum attacker has become operational.

What are the three milestones required before a quantum computer can attack blockchain?

The panel identifies three specific engineering thresholds: fault-tolerant two-qubit gates that remain reliable as systems scale to hundreds of thousands of qubits, a successful demonstration of Shor's algorithm on a meaningful-size number, and sustained maintenance of a single logical qubit through quantum error correction for the duration of a full cryptographic attack. As of the report's publication, none of these milestones have been achieved at the required scale.

Why is migrating to post-quantum cryptography so hard for existing blockchains?

Three structural problems compound each other. First, post-quantum signatures are 38 to 270 times larger than current ECDSA signatures, raising storage, bandwidth, and fee costs significantly. Second, for Ethereum specifically, no post-quantum equivalent exists for BLS signature aggregation, which is fundamental to how Ethereum's one million validators operate efficiently. Third, any migration leaves behind a long tail of addresses that cannot be migrated — lost keys, dormant wallets, deceased holders — creating a permanent quantum drain risk that requires a difficult choice between a hard flag day that destroys those funds or indefinite coexistence with an ongoing attack surface.

Is blockchain mining also vulnerable to quantum computers?

Bitcoin's proof-of-work mining uses SHA-256 hash functions, which are affected by Grover's algorithm rather than Shor's. Grover's algorithm provides a quadratic rather than exponential speedup, meaning a quantum miner would have roughly a square-root advantage over classical miners — significant but not catastrophic. The panel describes mining as effectively quantum-safe for the foreseeable future. The primary quantum threat is to the signature layer, not the mining layer.


Dr. Sarah Chen

Head of Cryptography Research

Dr. Sarah Chen leads cryptographic research at QuanChain, specialising in post-quantum algorithm integration and quantum threat timeline analysis. She holds a PhD in cryptography and has published extensively on lattice-based cryptographic systems and their application to distributed ledger security.
