Coin Metrics: Comprehensive Quantum Risk Assessment for Cryptocurrencies

Author: Tanay Ved, Senior Research Analyst at Coin Metrics; Translation: @GoldFinanceXZ

Summary

  • Although quantum computers currently do not pose an immediate threat to blockchain cryptography, recent technological breakthroughs have significantly shortened the response window, prompting the industry to enter an active preparedness phase.

  • It is estimated that approximately 6.9 million BTC are at risk of quantum attacks due to the use of legacy address types and key reuse, including about 1.7 million BTC (9% of supply) stored in dormant coins from the Satoshi era that are difficult to migrate.

  • Quantum risks vary depending on blockchain address structures, signature schemes, and consensus models. Ecosystems are actively advancing proposals and post-quantum roadmaps to adopt new signature solutions.

1. Introduction

The rapid development of quantum computing is turning once-distant theoretical possibilities into concrete challenges faced by blockchain cryptography. Recent research by Google’s Quantum AI team shows that the resources and time needed to build quantum computers capable of breaking elliptic curve cryptography used by Bitcoin and other blockchains are shrinking. Coinbase’s Quantum Advisory Committee also notes that, although such machines have not yet been developed, the window for migrating to quantum-resistant cryptography has opened.

As this risk approaches, developers, network participants, investors, and large token holders will play key roles in guiding decentralized ecosystems toward a quantum-resistant future.

In this article, we will analyze the risks quantum computing poses to blockchain encryption, focusing on Bitcoin’s exposure, debates around dormant coins, and current paths taken by Ethereum and Solana to prepare for post-quantum security.

2. Understanding the Imminent Quantum Risk

Blockchain security relies on digital signatures that classical computers cannot forge but a sufficiently large quantum computer could. Bitcoin (ECDSA and Schnorr over secp256k1), Ethereum (ECDSA for accounts, BLS for validators), Solana (Ed25519) and most other networks use elliptic curve signatures to prove ownership of private keys and authorize transactions. All of these rest on the elliptic curve discrete logarithm problem, which Shor’s algorithm solves efficiently on a large enough quantum computer: given a public key, such a machine could derive the matching private key. Once such machines exist, any address whose public key is exposed becomes a target.

This risk manifests mainly in two forms, depending on whether the public key has been revealed in transactions:

  • Static (long-term) attacks: Target wallets, validator keys, and contracts whose public keys are already visible on-chain. A future quantum computer could derive the private keys at leisure and steal the funds even if the owner never transacts again.

  • Dynamic (short-term) attacks: Exploit the window between the moment a spending transaction reveals the public key (it enters the mempool with the key in its scriptSig or witness) and the moment that transaction is confirmed. An attacker able to run Shor’s algorithm within that window could derive the key and broadcast a conflicting, higher-fee transaction that gets mined first. Bitcoin’s roughly 10-minute block interval makes this window longer than on chains such as Ethereum (~12-second slots) or Solana (sub-second slots).

3. Bitcoin’s Quantum Exposure

Bitcoin’s quantum risk mainly exists at the wallet level and depends on how the UTXO model and each address type handle public keys. Each unspent transaction output (UTXO) is locked by a script tied to a public/private key pair. As long as only a hash of the public key is on-chain, a quantum attacker has nothing to run Shor’s algorithm against; inverting the hash gets at most Grover’s quadratic speedup, which is not practical at these sizes. Once the key itself is exposed on-chain, a future quantum computer could derive the private key and forge valid spends.

Therefore, Bitcoin’s risk hinges on whether the public key has been revealed, with the level of risk varying by address type and reuse:

  • P2PK (Pay-to-Public-Key): The output script contains the raw public key, so it is visible on the ledger from the moment the coin is created. This is the format of Satoshi-era coinbase outputs, including coins mined by early miners and by Satoshi himself, and it is the most vulnerable type: a static-attack target from day one.

  • Reused P2PKH (Pay-to-Public-Key-Hash): Only the hash of the public key is in the output, so the key stays hidden until the address is first spent from, when the key is revealed in the spending input. Any balance left in, or later sent to, that address is then permanently exposed.

  • Reused P2SH (Pay-to-Script-Hash): The redeem script (and the keys inside it, for example a multisig) is hidden behind a hash until the first spend. Such addresses often see long-term key reuse, so a single spend can expose several public keys at once.

  • P2WPKH/P2WSH (SegWit v0): Native SegWit outputs likewise hide the key or script behind a hash until spending, and modern wallets generate a fresh address per receive, so outside the brief spending window they are relatively safe.

  • P2TR (Taproot): The output script contains the tweaked (x-only) public key directly. That is what gives Taproot its privacy and scripting flexibility, but it also means the key is visible from the start, so Taproot outputs are an immediate static-attack target for a quantum adversary.

The diagram below illustrates the evolution of address types in Bitcoin history, highlighting the shift from traditional P2PK/P2PKH to SegWit outputs. This transition gradually moves new coins into address formats with lower quantum risk exposure.

4. How Much Bitcoin Is at Risk?

According to the white paper on quantum computing released by Project Eleven and Google in March, about 6.9 million BTC are stored in addresses with exposed public keys. This exposure results from using legacy P2PK outputs (whose public keys are visible from creation) or address reuse (where public keys are permanently broadcast upon spending).

Using Coin Metrics’ ATLAS system, we scanned the first 500k Bitcoin blocks and confirmed approximately 2.3 million BTC in high-risk addresses, of which about 1.7 million likely originate from Satoshi-era and early-miner outputs. The remaining roughly 4.6 million high-risk BTC sit mainly in blocks created after 2017. As address-type adoption trends show, legacy P2PKH addresses are still being generated, and address reuse has kept increasing year over year even after SegWit and Taproot.
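The following Python script is an added illustration, not code from Coin Metrics or its ATLAS system, of how the address-type classification in section 3 and the exposure tally in section 4 can be mechanised. It template-matches raw scriptPubKeys into the standard output types, labels each UTXO as “exposed” (public key already on-chain: P2PK, P2TR, or any hash-based type whose script has already appeared on a spent input, i.e. address reuse) or “on_spend” (only a hash on-chain), and sums balances per class. The UTXOs, key bytes and hashes are constructed placeholders, not real chain data, and the names are the example’s own.

```python
from dataclasses import dataclass

# Bitcoin script opcodes used by the standard output templates.
OP_0, OP_1 = 0x00, 0x51
OP_DUP, OP_EQUAL, OP_EQUALVERIFY, OP_HASH160, OP_CHECKSIG = 0x76, 0x87, 0x88, 0xa9, 0xac


def classify_script(spk: bytes) -> str:
    """Return the standard output type of a scriptPubKey by template matching."""
    n = len(spk)
    # P2PK: <push 33- or 65-byte pubkey> OP_CHECKSIG   (the key sits in the output)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return "P2PK"
    # P2PKH: OP_DUP OP_HASH160 <20-byte key hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20]) and spk[-2:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return "P2PKH"
    # P2SH: OP_HASH160 <20-byte script hash> OP_EQUAL
    if n == 23 and spk[:2] == bytes([OP_HASH160, 20]) and spk[-1] == OP_EQUAL:
        return "P2SH"
    # SegWit v0: OP_0 <20-byte key hash> (P2WPKH) or OP_0 <32-byte script hash> (P2WSH)
    if n == 22 and spk[:2] == bytes([OP_0, 20]):
        return "P2WPKH"
    if n == 34 and spk[:2] == bytes([OP_0, 32]):
        return "P2WSH"
    # Taproot (SegWit v1): OP_1 <32-byte x-only tweaked pubkey>   (the key sits in the output)
    if n == 34 and spk[:2] == bytes([OP_1, 32]):
        return "P2TR"
    return "nonstandard"


def key_exposure(script_type: str, reused: bool) -> str:
    """
    'exposed'  : a public key is already on-chain (static-attack target now)
    'on_spend' : only a hash is on-chain; the key appears when the output is spent
                 (at risk only during the dynamic-attack window)
    """
    if script_type in ("P2PK", "P2TR"):
        return "exposed"
    if script_type in ("P2PKH", "P2SH", "P2WPKH", "P2WSH"):
        return "exposed" if reused else "on_spend"
    return "unknown"


@dataclass(frozen=True)
class Utxo:
    txid: str
    vout: int
    value_sat: int
    spk: bytes


def at_risk_balance(utxos, spent_from_scripts):
    """
    Sum UTXO value by exposure class. `spent_from_scripts` is the set of
    scriptPubKeys that have already appeared on a spent input, i.e. addresses
    that were reused after their key material went on-chain.
    """
    totals = {"exposed": 0, "on_spend": 0, "unknown": 0}
    for u in utxos:
        cls = key_exposure(classify_script(u.spk), u.spk in spent_from_scripts)
        totals[cls] += u.value_sat
    return totals


# --- constructed sample data (placeholder bytes, not real keys or chain data) ---
PK33 = b"\x02" + b"\x11" * 32              # stands in for a 33-byte compressed pubkey
H_REUSED, H_FRESH, H_WIT = b"\x22" * 20, b"\x33" * 20, b"\x44" * 20
X_ONLY = b"\x55" * 32

SPK_P2PK = bytes([33]) + PK33 + bytes([OP_CHECKSIG])
SPK_P2PKH_REUSED = bytes([OP_DUP, OP_HASH160, 20]) + H_REUSED + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
SPK_P2PKH_FRESH = bytes([OP_DUP, OP_HASH160, 20]) + H_FRESH + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
SPK_P2WPKH = bytes([OP_0, 20]) + H_WIT
SPK_P2TR = bytes([OP_1, 32]) + X_ONLY

SAMPLE_UTXOS = [
    Utxo("a" * 64, 0, 50 * 100_000_000, SPK_P2PK),         # Satoshi-era style coinbase output
    Utxo("b" * 64, 1, 1 * 100_000_000, SPK_P2PKH_REUSED),   # balance left in a spent-from address
    Utxo("c" * 64, 0, 2 * 100_000_000, SPK_P2PKH_FRESH),
    Utxo("d" * 64, 0, 3 * 100_000_000, SPK_P2WPKH),
    Utxo("e" * 64, 0, 4 * 100_000_000, SPK_P2TR),
]
SPENT_FROM = {SPK_P2PKH_REUSED}  # this script has already appeared on a spent input

if __name__ == "__main__":
    for k, v in at_risk_balance(SAMPLE_UTXOS, SPENT_FROM).items():
        print(f"{k:>9}: {v / 1e8:.2f} BTC")
```

On the sample set the P2PK and Taproot coins plus the reused P2PKH balance land in the “exposed” bucket (55 BTC) and the fresh hash-based outputs in “on_spend” (5 BTC). A real scan would build `spent_from_scripts` from every input’s previous output script across the chain and walk the full UTXO set; the classification logic is the same.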

5. The Dormant Coins Dilemma

A core debate around quantum risk concerns the fate of dormant Bitcoin and Satoshi’s holdings. About 1.7 million BTC (9% of total supply) have not moved since the early days and sit in legacy address types whose public keys are either already exposed (P2PK) or would be exposed on spending (P2PKH). This includes roughly 1.1 million BTC attributed to Satoshi, spread across about 22k addresses holding around 50 BTC each, rather than a single wallet.

These “Satoshi-era” coins pose a unique challenge: their owners are presumed inactive or gone, so nobody can migrate them, and deciding whether and how to protect them is one of Bitcoin’s most contentious coordination problems. Proposed options range from doing nothing, to freezing the coins, burning them, or rate-limiting how fast they can be spent.

The risk exposure among dormant coins is uneven. As shown in the chart, most are in P2PK outputs (about 1.7 million BTC across 34k addresses), the highest-risk category from a quantum perspective. Other dormant assets are more dispersed: about 410k BTC in 550 large addresses (holding over 100 BTC each), and roughly 110k BTC held across nearly 20k smaller addresses.

Quantum risk thus splits into two categories: Satoshi-era P2PK outputs, which are highly exposed but spread across many small addresses whose owners are unlikely to act; and high-value wallets with key reuse that expose public keys, such as exchange cold wallets, which are more attractive targets but have active owners who can migrate them.

6. Quantum Risks on Other Blockchains

Quantum risk also varies with a network’s address structure, signature scheme, and governance model. As observed, Bitcoin’s main exposure is at the wallet and UTXO layer: legacy address types expose public keys, while proof-of-work (PoW) mining and the hash functions beneath it remain largely unaffected.

In contrast, blockchains like Ethereum and Solana use account models. On Ethereum, an externally owned account (EOA) address is a hash of the public key, but the key is recoverable from the account’s first signed transaction; on Solana, the address is the Ed25519 public key itself, so it is exposed from creation. Either way, a far larger share of assets ends up with exposed keys than on Bitcoin, where much of the supply still sits behind hashes in addresses that have never been reused. In addition, PoS chains like Ethereum and Solana rely on elliptic curve signatures (BLS and Ed25519 respectively) for validator operation, so consensus itself, not only user funds, carries quantum risk.

This makes governance capacity and consensus on upgrades critical. Different network features and degrees of decentralization will influence how quickly they adopt post-quantum upgrades.

7. Post-Quantum Proposals and Migration Paths

Bitcoin

Protecting Bitcoin from quantum threats centers on enabling quantum-resistant signatures and migrating coins to secure output types. This involves the challenge of migrating “dormant” assets, which is at the heart of Bitcoin’s governance trade-offs. Current proposals include:

  • BIP-360 proposes a new type of pay-to-Merkle root output, removing key-path spending so scripts can keep public keys off-chain until use, reducing long-term quantum risk.

  • Jameson Lopp and others propose BIP-361, a phased sunset of vulnerable signature types over the coming years. The plan would first forbid new deposits to high-risk output types and eventually freeze coins that have not been migrated, Satoshi’s holdings included, on the grounds that coins left in quantum-vulnerable outputs would otherwise be stolen.

  • To address the controversy over freezing dormant coins (the “Satoshi problem”), Paradigm suggests a verifiable address-control timestamp scheme: holders privately generate a proof that they control an address today, without moving the coins. A future quantum defense could then honour such proofs and unfreeze coins that would otherwise stay frozen.

Ethereum and Solana

Ethereum and Solana are taking different but proactive approaches. Ethereum has assembled a dedicated post-quantum research team and released a roadmap centered on account abstraction, so that new signature schemes, such as hash-based or lattice-based signatures, can be introduced and adopted gradually by validators and users.

Solana’s validator teams, Anza and Firedancer, are focusing on Falcon, a lattice-based signature scheme selected by NIST for standardization, and have outlined a three-phase plan: first enabling quantum-resistant keys, then incentivizing key rotation, and finally completing a full migration once quantum risk becomes concrete.
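As an added illustration of what a “hash-based signature” is, and not code from Ethereum, Solana or any of the proposals above, here is a minimal Lamport one-time signature in Python. Its security rests only on the preimage resistance of SHA-256, which, as noted in section 6, quantum computers weaken far less than they do elliptic curves. The message strings are constructed and the function names are the example’s own; the scheme is shown in its textbook form (Falcon, by contrast, is lattice-based, and production hash-based schemes such as XMSS, LMS and SPHINCS+ build many one-time keys into a tree).

```python
import hashlib
import secrets

DIGEST_BITS = 256  # SHA-256 output size; one secret pair per message-digest bit


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen():
    """Private key: 256 pairs of random 32-byte secrets. Public key: their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(DIGEST_BITS)]
    pk = [(H(s0), H(s1)) for s0, s1 in sk]
    return sk, pk


def _digest_bits(msg: bytes):
    d = int.from_bytes(H(msg), "big")
    return [(d >> (DIGEST_BITS - 1 - i)) & 1 for i in range(DIGEST_BITS)]


def sign(sk, msg: bytes):
    """For each digest bit, reveal the secret matching that bit. This consumes the key."""
    return [sk[i][b] for i, b in enumerate(_digest_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    """Hash each revealed secret and compare with the public-key entry for that bit."""
    if len(sig) != DIGEST_BITS:
        return False
    return all(H(sig[i]) == pk[i][b] for i, b in enumerate(_digest_bits(msg)))


def leaked_secret_count(sigs) -> int:
    """Distinct private-key halves revealed by a set of signatures under one key.
    One signature reveals exactly half the key; every further signature reveals
    more, which is why a Lamport key must never be reused."""
    return len({s for sig in sigs for s in sig})


if __name__ == "__main__":
    sk, pk = keygen()
    msg = b"transfer 1 BTC to alice"          # constructed message
    sig = sign(sk, msg)
    print("valid:", verify(pk, msg, sig))
    print("tampered message valid:", verify(pk, b"transfer 1 BTC to mallory", sig))
    sig2 = sign(sk, b"transfer 2 BTC to bob")  # key reuse: second signature, same key
    print("secrets leaked after two signatures:",
          leaked_secret_count([sig, sig2]), "of", 2 * DIGEST_BITS)
```

The sizes are the price of the approach: a 16 KB private key, a 16 KB public key and an 8 KB signature, against 64 bytes for a Schnorr or ECDSA signature. That overhead, and the one-time nature of each key, is why the schemes under discussion for Ethereum and Solana either aggregate many one-time keys under a Merkle tree or use lattices instead.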

8. Conclusion

While the timeline of quantum computing’s threat to blockchain cryptography remains uncertain, its potential impact is becoming more tangible. Although no large-scale quantum machines currently exist to break elliptic curve signatures, recent technological progress has shifted industry discussions from distant theory to active planning. Communities are building migration paths, testing new signature schemes, and debating how to safeguard asset value. For investors and network participants, quantum risk is a long-term tail risk rather than an immediate crisis, but its severity is enough to motivate preemptive coordination and action.
