Coinbase has identified approximately 20,000 public keys potentially exposed to quantum computing threats, revealing a concrete number of holdings at risk as the blockchain industry prepares for a post-quantum reality. A document authored by the Coinbase Independent Advisory Board on Quantum Computing and Blockchain, dated June 8, 2026, details the concerns surrounding, and the challenges of, migrating to post-quantum secure cryptography. The board, composed of professors affiliated with UT Austin, Stanford, UCSB, Eigen Labs, University of Washington, and Bar-Ilan University, alongside representatives from the Ethereum Foundation and Coinbase, emphasizes that preparation should begin now, regardless of precise timelines for quantum computer development. According to Project11, the number of bitcoins that are vulnerable due to address reuse is currently about 5 million, with approximately 1.7 million Bitcoin spread across these vulnerable keys, many presumed to belong to Satoshi Nakamoto or owners who have lost access.
Bitcoin’s P2PK and P2PKH Addresses Vulnerability to Quantum Attacks
While acknowledging quantum computers do not currently pose a threat, the report stresses the urgency of preparation, shifting the focus from predicting when quantum attacks will occur to how to mitigate them. The assessment examines the vulnerabilities inherent in Bitcoin’s address types, specifically highlighting the risk associated with P2PK (pay-to-public-key) addresses. These early-generation addresses, holding approximately 1.7 million Bitcoin, expose public keys directly, leaving them vulnerable to a cryptographically-relevant quantum computer. Many of these vulnerable keys exist, though the board admits there is “no way to confirm exactly how many of these have active owners.” In contrast, P2PKH outputs, which commit to a hash of the public key, offer a degree of protection, as an attacker would first need to discover the matching public key before exploiting the vulnerability.
However, the report notes that once a P2PKH output is spent, the public key is revealed, immediately exposing any future coins sent to that address. Beyond P2PK and P2PKH, other address types like Taproot also present exposed public keys, contributing to an estimated 5 million Bitcoin currently vulnerable due to address reuse, according to Project11. The board emphasizes that the discussion extends beyond Bitcoin, but the cryptocurrency’s size and the significant number of potentially lost coins make it a particularly critical case. Two primary positions are outlined regarding the handling of these vulnerable coins: burning them at a determined deadline or enabling post-quantum addresses while taking no further action.
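The exposure rules described above can be turned into an inventory check. The following Python sketch is an added example, not code from the advisory board's report or from Coinbase: it classifies raw output scripts as P2PK, P2PKH or Taproot and totals unspent value by exposure class, treating a P2PKH output as exposed once another output to the same key hash has been spent. The function names and the sample records are constructed for illustration.

```python
from collections import defaultdict

def classify_script(spk: bytes) -> str:
    """Match a scriptPubKey against the standard templates the article names."""
    n = len(spk)
    # <push 33- or 65-byte pubkey> OP_CHECKSIG: the public key itself is on-chain
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        return "P2PK"
    # OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[23:] == b"\x88\xac":
        return "P2PKH"
    # OP_1 <32-byte x-only output key>: the key is visible before any spend
    if n == 34 and spk[:2] == b"\x51\x20":
        return "P2TR"
    return "OTHER"

def exposure_report(records):
    """records: (scriptPubKey hex, value in satoshis, spent?) tuples.
    Returns unspent value grouped by exposure class."""
    parsed = [(bytes.fromhex(h), v, s) for h, v, s in records]
    # Spending a P2PKH output publishes its key, so the hash no longer shields
    # any other output paying to the same key hash (address reuse).
    revealed = {spk[3:23] for spk, _, spent in parsed
                if spent and classify_script(spk) == "P2PKH"}
    totals = defaultdict(int)
    for spk, value, spent in parsed:
        if spent:
            continue
        kind = classify_script(spk)
        if kind == "P2PKH":
            kind = "P2PKH-reused" if spk[3:23] in revealed else "P2PKH-hashed"
        totals[kind] += value
    return dict(totals)

# Constructed sample data: filler bytes, not real keys or on-chain outputs.
SAMPLE = [
    ("41" + "04" + "11" * 64 + "ac", 5_000_000_000, False),  # P2PK, unspent
    ("76a914" + "aa" * 20 + "88ac", 1_000, True),            # P2PKH, spent
    ("76a914" + "aa" * 20 + "88ac", 2_000, False),           # same hash, reused
    ("76a914" + "cc" * 20 + "88ac", 3_000, False),           # P2PKH, never spent
    ("5120" + "bb" * 32, 4_000, False),                      # Taproot, unspent
]

if __name__ == "__main__":
    for kind, sats in sorted(exposure_report(SAMPLE).items()):
        print(f"{kind:13} {sats:>13} sat")
```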
The “burn” position argues that blockchains, like all cryptographic systems, must deprecate insecure algorithms, stating, “Once the cryptography is broken, this is no longer the case.” Allowing quantum-derived private keys to spend abandoned coins, they contend, would transfer value to illegitimate owners. Proponents of burning vulnerable coins suggest it could prevent a sanctioned state actor, like the DPRK, from obtaining very large amounts of bitcoin, potentially undermining market confidence. Conversely, the opposing position champions absolute property rights. This stance draws a parallel between burning coins and reversing the blockchain, arguing that both represent external influence over ownership, and warns against setting a precedent for network-level sanctions.
Thus, this position actually means “do nothing until a public quantum computer at a large-enough scale to break elliptic-curve cryptography is demonstrated”.
Coinbase Advisory Board on Post-Quantum Blockchain Migration
The potential of quantum computing looms large over the cryptographic foundations of blockchain technology, prompting proactive assessment and planning within the industry. This multi-institutional body recently published findings detailing vulnerabilities and outlining potential migration strategies, moving beyond theoretical risk to address concrete exposures. These aren’t abstract concerns; the board highlights the existence of approximately 1.7 million Bitcoin spread across about 20,000 public keys. The report notes the difficulty in quantifying the actual risk to current Bitcoin holders. According to Project11, the number of bitcoins that are vulnerable due to address reuse is currently about 5 million, though the board concedes this is largely conjecture. The advisory board frames the challenge as a two-pronged issue: the technical migration to post-quantum secure cryptography, and the governance question of what to do with coins that are not transferred to new, secure addresses. Two primary positions emerge from their deliberations.
The first advocates for a “burn” policy, where vulnerable coins are effectively rendered unusable after a defined deadline. The board argues that inaction by owners creates a systemic risk for those who have migrated. Alternatively, the board outlines a “do nothing” approach, enabling post-quantum addresses but allowing owners to retain the risk of quantum attack. This position raises concerns about potential precedent, warning that network-level confiscation, even for security reasons, could open the door to future external pressures for censorship and control. The board’s report, dated June 8, 2026, underscores that the transition to a post-quantum blockchain isn’t merely a technical challenge, but a complex governance issue with significant economic and ethical implications.
There are approximately 1.7 million Bitcoin spread across about 20,000 public keys that are of this form.
Burning Abandoned Coins After Post-Quantum Transition Deadline
Coinbase’s internal assessment of the looming quantum computing threat has sharpened focus on a contentious issue: what to do with potentially vulnerable, abandoned Bitcoin holdings. A significant point of concern revolves around approximately 1.7 million Bitcoin spread across roughly 20,000 public keys, vulnerable to a cryptographically-relevant quantum computer since public keys are exposed. The board’s report, dated June 8, 2026, highlights a concrete risk. Conversely, the second position champions a hands-off approach: enable post-quantum addresses but otherwise do nothing. They also point out the difficulty in determining negligence, as owners may face unforeseen circumstances preventing them from migrating their funds.
Thus, allowing quantum-derived private keys to spend abandoned coins would effectively transfer value to entities that were never the legitimate owners.
Quantum-Vulnerable Bitcoin & Potential Supply Increase
While quantum computers aren’t currently capable of breaking Bitcoin’s cryptography, proactive measures are deemed essential, shifting the focus from when a quantum threat will materialize to how the blockchain community should prepare. The core of the concern lies in the early architecture of Bitcoin, specifically P2PK (pay-to-public-key) addresses. These expose public keys directly, leaving approximately 1.7 million Bitcoin vulnerable to attack should a cryptographically-relevant quantum computer exist. The board notes there are approximately 20,000 public keys of this form. Two distinct positions emerge regarding the handling of these potentially compromised coins. One proposes a “burn” mechanism, establishing a deadline after which quantum-vulnerable signatures would no longer be accepted, effectively forfeiting assets from inactive addresses. This approach aims to prevent a surge in circulating supply caused by recovered “lost” coins, potentially destabilizing the price and harming responsible owners who have migrated to post-quantum addresses.
The board proposes that inaction by owners creates a systemic risk for those who have migrated. Alternatively, the second position advocates enabling post-quantum addresses but taking no further action, asserting that owners should retain the right to accept the risk of quantum attacks. This stance cautions against setting a precedent for network-level confiscation, fearing potential pressure from governments and law enforcement for broader sanctions. The debate underscores the complex ethical and economic considerations surrounding the future of Bitcoin in a post-quantum world, demanding careful consideration of both technological solutions and governance frameworks.
If I, as an owner of Bitcoin, wish to take the risk that my funds are stolen by a quantum attacker, then that is my right.
Systemic Risk of Inaction & Responsible Asset Ownership
While a cryptographically-relevant quantum computer does not pose an immediate threat, the board’s report, dated June 8, 2026, highlights a concrete risk: approximately 20,000 public keys are already vulnerable, demanding proactive preparation rather than reactive response. This isn’t merely an abstract discussion of future possibilities; if a cryptographically-relevant quantum computer exists, it is a current vulnerability with implications for the stability of the entire ecosystem. The affected addresses expose public keys directly, leaving approximately 1.7 million Bitcoin vulnerable to attack. The board acknowledges the scale of potential disruption. Two distinct positions emerge regarding how to handle these vulnerable coins.
Their inaction creates a systemic risk and a negative externality for the rest of the network.
