
30% of Bitcoin Is at Risk from Quantum Computing—Where Does It Come From?
Exchanges experience declining quantum security year by year due to frequent fund flows and complex wallet architectures.
Author: Rafael Schultze-Kraft
Translated by: Chopper, Foresight News
Recent industry research has focused on a novel security vulnerability affecting Bitcoin: under current holding conditions, which Bitcoins are currently exposed to quantum risk? The core criterion for assessment is whether the public key associated with spent outputs has already been revealed on-chain. According to statistics, 6.04 million Bitcoins across the network are exposed to quantum risk—30.2% of the total supply—while the remaining 13.99 million Bitcoins (69.8%) remain held in addresses where their public keys have not yet been disclosed, and thus face no such risk. These figures broadly align with findings from recent studies.
We categorize this risk into two types. The first is structural risk: outputs whose script type inherently exposes the public key. The second is operational risk: cryptocurrencies that were initially protected but whose public keys have since been leaked due to address reuse, partial spending, custodial practices, or similar behaviors—even though the Bitcoins remain held at the same address.
Bitcoin supply distribution exposed to quantum risk, provided by Quantum Safety
Structurally risky Bitcoins amount to 1.92 million, representing 9.6% of the total supply; operationally risky Bitcoins total 4.12 million, accounting for 20.6% of the total supply. Of these, 1.63 million Bitcoins held in exchange custody alone underscore how critical proper wallet usage and custodial practices are in mitigating public-key exposure risk.
This article takes no position on timing or institutional safety: it neither forecasts when practical quantum attacks might become feasible nor evaluates the security or solvency of any custodian. Rather, it quantifies—purely from a data perspective—the current state of public-key exposure across the network, distinguishing between permanently high-risk assets and those whose risk can be reduced through improved wallet management and custodial protocols.
Understanding Public-Key Exposure Risk in Plain Terms
Bitcoin assets are controlled by private keys, while public keys are used by the network to verify the validity of signatures generated with those private keys. Under classical cryptography, deriving the private key from the public key alone is computationally infeasible—making assets sufficiently secure.
The threat posed by quantum computers lies in their potential to run Shor’s algorithm on cryptographically relevant hardware, enabling attackers to reverse-engineer the private key from a known public key. This transforms the on-chain problem into a straightforward one:
If the public key is already public, the cryptocurrency is already exposed. Attackers need not wait for the owner to move the coins—because the public key is already available. If the public key remains invisible on-chain, then—under this specific static storage model—the cryptocurrency is not currently exposed.
This article focuses specifically on asset risk during holding periods—that is, coins sitting idle but linked to already-exposed public keys. This differs from exposure during transfers: the latter only reveals the public key upon transaction broadcast and confirmation—a time-bound risk inherent to settlement; the former represents a precisely quantifiable, persistent risk. The term “safe assets” used herein refers solely to coins held without public-key exposure—not to assets universally resistant to all future quantum attack vectors.
Bitcoin supply distribution considered quantum-safe, provided by Quantum Safety
Structural Exposure: Inherently Vulnerable by Design
Risk in this category stems directly from address script format—not from user behavior—and inevitably exposes the public key on-chain. It includes early Satoshi-era P2PK addresses, traditional multisig P2MS addresses, and today’s dominant Taproot addresses. Though these address types differ in vintage and use case, they share one trait: they default to publishing the public key—or an equivalent identifier—on-chain. As long as the coins remain unspent, they remain potential targets.
We currently classify 1.92 million Bitcoins (9.6% of total supply) as structurally risky. These fall into three distinct subcategories:
Distribution of structurally risky Bitcoins
- Satoshi- and early-block Bitcoins: These represent permanent structural risk. If lost or abandoned by inactive holders, migration to safer addresses is nearly impossible—unless global consensus triggers a protocol-level overhaul, they will remain perpetually exposed to quantum risk.
- Taproot addresses: While designed for privacy, efficiency, and flexible smart contract functionality—not flawed by design—they do publish keys directly, creating quantum risk during holding periods.
The P2MR scheme proposed in BIP-360 aims to retain Taproot’s benefits while eliminating high-risk key paths, which would mitigate this issue. However, it cannot automatically migrate existing Taproot assets and is not a definitive, quantum-proof solution.
In short, among the 1.92 million structurally risky Bitcoins, some are practically immovable; others can be gradually secured via new protocols and standards.
Operational Exposure: Security Gaps Caused by User Behavior
These addresses inherently protect privacy and do not expose public keys when first created. Only improper user actions—such as reusing addresses—lead to public-key disclosure during spending, thereby compromising all remaining balances tied to that key.
This is the address-reuse problem. Output types like P2PKH, P2SH, P2WPKH, and P2WSH hide public keys behind hashes while coins remain unspent. Yet once the public key is revealed during spending, all associated balances—including future ones—lose that protection.
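The structural/operational split described in the two sections above can be expressed as a small classifier. The Python below is an added example, not code from the article or its data provider; the function names, the sample scripts, and the assumption that "public key revealed" equals "this scriptPubKey has been spent from before" are all constructed for illustration.

```python
# Added example: script-type matching plus the structural/operational split.
STRUCTURAL = {"P2PK", "P2MS", "P2TR"}          # key (or output key) sits in the output
HASHED = {"P2PKH", "P2SH", "P2WPKH", "P2WSH"}  # key hidden behind a hash until spent

def script_type(spk_hex):
    """Match a scriptPubKey (hex) against the standard output templates."""
    s = bytes.fromhex(spk_hex)
    n = len(s)
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC:
        return "P2PK"      # <33- or 65-byte pubkey> OP_CHECKSIG
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[-2:] == b"\x88\xac":
        return "P2PKH"
    if n == 23 and s[:2] == b"\xa9\x14" and s[-1] == 0x87:
        return "P2SH"
    if n == 22 and s[:2] == b"\x00\x14":
        return "P2WPKH"
    if n == 34 and s[:2] == b"\x00\x20":
        return "P2WSH"
    if n == 34 and s[:2] == b"\x51\x20":
        return "P2TR"      # OP_1 <32-byte output key>
    if n >= 37 and 0x51 <= s[0] <= 0x60 and 0x51 <= s[-2] <= 0x60 and s[-1] == 0xAE:
        return "P2MS"      # OP_m <pubkeys> OP_n OP_CHECKMULTISIG
    return "OTHER"

def exposure(spk_hex, spent_scripts):
    """spent_scripts: scriptPubKeys (hex) already spent from at least once."""
    kind = script_type(spk_hex)
    if kind in STRUCTURAL:
        return "structural"
    if kind == "OTHER":
        return "unclassified"
    # Hashed types stay protected only until an earlier spend revealed the key.
    return "operational" if spk_hex.lower() in spent_scripts else "safe"

def tally(utxos, spent_scripts):
    totals = {"structural": 0, "operational": 0, "safe": 0, "unclassified": 0}
    for spk_hex, sats in utxos:
        totals[exposure(spk_hex, spent_scripts)] += sats
    return totals

# Constructed sample data: filler bytes, not real keys or on-chain outputs.
REUSED_P2PKH = "76a914" + "33" * 20 + "88ac"
SAMPLE_UTXOS = [
    ("41" + "04" + "11" * 64 + "ac", 50_00000000),  # P2PK
    ("5120" + "22" * 32, 2_00000000),               # P2TR
    (REUSED_P2PKH, 3_00000000),                     # P2PKH, address reused
    ("0014" + "44" * 20, 10_00000000),              # P2WPKH, never spent from
]
SAMPLE_SPENT = {REUSED_P2PKH}
print(tally(SAMPLE_UTXOS, SAMPLE_SPENT))
```

On real chain data the spent set would be built by indexing every transaction input. For P2SH and P2WSH, an earlier spend reveals the redeem or witness script, which is where the public keys appear.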
Operational exposure constitutes the primary source of Bitcoin’s current quantum risk—totaling 4.12 million Bitcoins, over twice the volume of structurally risky coins. This confirms that most Bitcoin quantum risk today stems not from legacy script design flaws, but from poor key management and nonstandard address usage.
Within operationally risky holdings, exchange-custodied Bitcoins dominate—1.66 million coins, or 40% of all operationally risky balances. Data shows stark variation in exchange risk profiles: roughly half of Bitcoins held by labeled exchanges are vulnerable, versus less than 30% among non-exchange-held coins.
Supply distribution of operationally risky Bitcoins
Major institutional custodians show marked differences in exposure. Some maintain relatively low risk, while others hold disproportionately large balances in addresses with known public keys.
- Low risk: Coinbase—only 5% of custodied assets expose public keys; sovereign treasuries (U.S., U.K., El Salvador)—0% exposure
- Medium risk: Fidelity and CashApp—~2%; Grayscale—~50%
- High risk: Binance—85%; Bitfinex—100%; Robinhood and WisdomTree—100% exposure
Note: This data reflects only on-chain custodial footprint—not institutional risk ratings or solvency assessments.
Long-term trends show governments consistently maintaining >99% safe holding ratios. Exchanges, however, face higher turnover and more complex wallet architectures—leading safe-asset ratios to decline from 55% in 2018 to 45% today. Crucially, this risk is highly remediable: simple, consistent adherence to best practices—like avoiding address reuse and promptly sweeping change—can rapidly reduce exposure.
Distribution of operationally safe Bitcoins by entity type
Conclusion
Bitcoin’s quantum risk falls into distinct categories, each carrying different implications.
- Structural risk: Legacy coins are extremely difficult to migrate; newer protocols like P2MR offer a path to progressively mitigate risks in modern Taproot addresses;
- Operational risk: Larger in scale and more controllable—especially given the massive volume of exchange-held assets, which are amenable to broad-scale mitigation and migration.
Thus, securing Bitcoin against quantum threats goes beyond upgrading underlying network protocols. A substantial portion of today’s at-risk assets can be effectively de-risked through immediate, everyday operational adjustments. For exchanges and professional custodians, standardizing address usage, optimizing reserve allocations, minimizing key reuse, and implementing structured migration plans are not distant aspirations—they are actionable, near-term measures that meaningfully shrink quantum exposure.













