What Happened
On Tuesday, April 21, 2026, Coinbase's Independent Advisory Board on Quantum Computing and Blockchain published its first position paper, a 50-page document establishing a baseline assessment of quantum risk to digital assets and a roadmap for industry response. The board was assembled in January 2026. Its members include Scott Aaronson, Director of the Quantum Information Center at the University of Texas at Austin and one of the field's most cited researchers. Dan Boneh, the Stanford cryptography professor who co-directs the Stanford Center for Blockchain Research. Justin Drake, the Ethereum Foundation researcher leading post-quantum work on Ethereum's roadmap. Sreeram Kannan, the founder of EigenLayer. Yehuda Lindell, Coinbase's own Head of Cryptography and a globally cited authority on secure multiparty computation. Dahlia Malkhi, head of the UCSB Foundations of Fintech Research Lab.
The paper's core conclusion is direct: digital assets are safe today, but a fault-tolerant quantum computer capable of breaking blockchain cryptography will eventually be built. Coinbase Chief Security Officer Phillip Martin: 'Your crypto is safe today. But a quantum computer capable of threatening blockchain cryptography will eventually be built, and the industry needs to start preparing now, not when it's urgent.' The board members' specific recommendation: begin migration planning immediately, communicate timelines publicly, and avoid the failure mode of waiting until the threat is no longer theoretical.
Why 6.9 Million BTC Is the Number That Matters
The paper's most concrete claim is the 6.9 million BTC figure. That number represents Bitcoin sitting in addresses where the public key is already exposed on-chain. Any address that has ever spent funds has broadcast its public key as part of the spend transaction. Once exposed, that public key becomes the input to Shor's algorithm. A sufficiently powerful quantum computer can derive the corresponding private key in polynomial time, where a classical computer would need centuries. The 6.9 million figure is roughly 33% of all 19.8 million BTC currently in circulation. It includes coins from Bitcoin's earliest era using pay-to-public-key (P2PK) format, before pay-to-public-key-hash (P2PKH) became standard. Satoshi-attributed addresses, estimated at roughly 1.1 million BTC, fall in this category.
The remaining BTC, sitting in addresses that have never been spent from, is structurally safer in the short term because the public key is hashed and not yet revealed. The hash provides quantum resistance until the moment of first spend. This creates an awkward incentive structure: the safest BTC is the BTC that has never moved, which is also the BTC most likely to belong to inactive wallets, lost keys, or holders who have stopped engaging with the network. Active users, by definition, expose their keys every time they transact. The 6.9 million figure is a snapshot. Without intervention, the exposed pool grows every time anyone spends from a non-quantum-safe address.
The Migration Problem Is Not Mostly Cryptographic
NIST has already standardized several quantum-resistant cryptographic schemes including ML-DSA (formerly Dilithium), SLH-DSA (formerly SPHINCS+), and Falcon. The cryptographic primitives exist and have been peer-reviewed for years. The hard problem is deployment. Post-quantum digital signatures are tens to hundreds of times larger than the ECDSA signatures Bitcoin uses today. The Coinbase paper estimates block data sizes could grow by up to 38x if a naive migration were performed. That would directly impact transaction fees, node storage requirements, and network throughput. It would also affect every piece of infrastructure built around Bitcoin's current signature size: hardware wallets, mining pools, payment processors, custody systems.
There is no central authority to coordinate the migration. Bitcoin's upgrade path requires social consensus among miners, node operators, exchanges, custodians, and individual users. Every wallet holder must take action to migrate their funds from a quantum-vulnerable address to a quantum-safe one. Custodial venues including Coinbase, BlackRock IBIT (which holds 802,823 BTC at Coinbase Custody), and Strategy (815,061 BTC across institutional custodians) face the migration question first because they hold concentrated supply at known addresses. Self-custody holders face it individually, on their own timeline, with their own tooling. The board's recommendation that the industry communicate timelines publicly is partly an acknowledgment that no single entity can solve this on behalf of others.
Why a Bad Migration Is a Centralization Argument
The Coinbase paper does not say this directly, but the structural implication is unavoidable: how this migration is handled determines whether Bitcoin remains sovereign money or becomes a custodial asset by default. A custodian holding millions of coins at known addresses can coordinate a migration in a single internal upgrade cycle. Coinbase can move all customer balances to quantum-safe addresses on a defined schedule, with internal engineering resources and no need for individual customer action. BlackRock can do the same for IBIT. Strategy can do it for the corporate treasury. Every institutional holder will move first because they have the engineering bandwidth, the legal mandate, and the concentrated control to do it.
Self-custody holders move on individual timelines, with individual tooling, and individual responsibility for getting it right. The user who runs Sparrow on a laptop and signs with a hardware wallet will need a firmware update that supports quantum-safe signatures, a wallet update that knows how to construct the new transaction format, and the discipline to actually execute the migration before any deadline. Some users will. Many will not. The ones who do not will eventually face one of three outcomes: their coins get frozen by a protocol change like BIP-361, their coins get drained by whoever cracks ECDSA first, or they get herded into custodial rescue programs offered by exchanges and custody providers as the only practical migration path. Each of those outcomes makes Bitcoin more centralized than it is today.
This is the structural risk the Coinbase paper points at without naming. It is not 'quantum will break Bitcoin.' Bitcoin is not going to break. The risk is that quantum migration becomes the largest coordination event in Bitcoin's history, and the entities best equipped to coordinate it are exactly the entities whose growing custody share is already the network's primary centralization pressure. Who gets to move first when the rules change determines who controls the network on the other side of the change.
What This Means for You
If you self-custody Bitcoin and have ever spent from any of your addresses, those addresses are in the 6.9 million BTC vulnerable pool. The practical mitigation today is straightforward: use addresses only once, and when you do spend, send the change to a fresh address. This is the default behavior of every well-designed Bitcoin wallet (Sparrow, Specter, the major hardware wallets) and is the reason address reuse has been considered bad practice since 2013. If your wallet hygiene has been sloppy, the cost of fixing it now is one consolidating transaction to a fresh address. The cost of fixing it after a fault-tolerant quantum computer exists is your entire balance.
The deeper mitigation is preserving your ability to migrate without depending on a custodian. That means running a wallet stack you understand, with hardware that can receive firmware updates, with seed-phrase backups you control, and with the technical literacy to execute a quantum-safe migration when the tooling becomes available. The sovereignty thesis only holds if individual holders can keep control through a cryptographic transition without being forced into custodial rescue programs or emergency policy fixes. The work of keeping that option open starts now, not when the migration becomes urgent.
If you hold Bitcoin through Coinbase, BlackRock IBIT, Strategy MSTR, or any custodian, your exposure is whatever your custodian's migration plan turns out to be. Coinbase has now published a plan in outline. The other major custodians have not. For ETF holders specifically, the migration question has no clean answer: the ETF prospectus does not bind the custodian to any specific quantum-readiness timeline, and the ETF holder has no governance mechanism to force one. This connects directly to the BIP-361 proposal we covered last week, which would freeze legacy-format coins after a phased migration period. The Coinbase paper does not endorse BIP-361 specifically. It does endorse the underlying premise: voluntary migration with a defined deadline is more achievable than emergency migration after a quantum breakthrough.
What to Watch
Watch whether other major custodians (BlackRock, Fidelity, Strategy) publish their own quantum migration roadmaps in response. Watch the Bitcoin Core developer mailing list for movement on BIP-360 (Pay to Quantum Resistant Hash) and BIP-361 (the freeze proposal). Watch whether Ethereum's post-quantum roadmap moves from research to implementation timeline given the proof-of-stake exposure the Coinbase paper specifically called out. Watch hardware wallet manufacturers (Ledger, Trezor, Coldcard, BitBox, Blockstream Jade) for announcements on quantum-safe firmware. The migration is now a coordination problem with named participants and a public deadline window. Every major actor's response from this point forward becomes part of the historical record.