OPN Intel
LIVE
BTC$76,620MAYER0.95×200W1.25×PI-CYCLE38%DRAWDOWN-39%PUELL0.81×W-RSI45BMSB0.97×
AS OF 2026-05-24
Intel· Quantum series· Apr 22, 2026· 6 min read

Coinbase's Quantum Board Flags 6.9 Million Bitcoin as Vulnerable

Coinbase's Independent Advisory Board on Quantum Computing and Blockchain published its first position paper Tuesday. The 50-page report, authored by researchers from Stanford, UT Austin, the Ethereum Foundation, Eigen Labs, Bar-Ilan University, and UC Santa Barbara, identifies wallet-level cryptography as the primary vulnerability and estimates 6.9 million BTC sit in wallets where public keys are already visible on-chain. The board recommends migration begin immediately rather than wait for the threat to become urgent. NIST recommends migration by 2035; the report suggests that timeline may prove optimistic. Post-quantum signatures are tens to hundreds of times larger than current ones, which could increase block data costs by up to 38x. This is the first time a major US exchange has assigned a specific BTC-at-risk number and published a coordinated industry position.

Key takeaways

  1. Coinbase's Independent Advisory Board on Quantum Computing and Blockchain published its first position paper on April 21, 2026. The board includes Scott Aaronson (Director of the Quantum Information Center at UT Austin), Dan Boneh (Stanford, Co-Director of the Stanford Center for Blockchain Research), Justin Drake (Ethereum Foundation), Sreeram Kannan (founder of EigenLayer), Yehuda Lindell (Coinbase Head of Cryptography), and Dahlia Malkhi (UCSB). The 50-page paper concludes that fault-tolerant quantum computers capable of breaking widely used encryption are increasingly plausible and preparation must begin now
  2. The paper identifies 6.9 million BTC sitting in wallets where public key information is already publicly visible on-chain. These are the directly vulnerable category: any wallet that has spent from its address has revealed its public key, making the underlying private key derivable by a sufficiently powerful quantum computer running Shor's algorithm. That figure is roughly 33% of all BTC ever mined and includes wallets from the network's earliest era including Satoshi-attributed addresses
  3. Bitcoin's core infrastructure (mining and SHA-256 hash functions) faces no meaningful quantum threat. Proof-of-stake networks like Ethereum and Solana carry additional exposure through validator signature schemes (BLS signatures for Ethereum validators, Ed25519 for Solana). The paper makes a sharper distinction than most prior coverage: Bitcoin's exposure is wallet-level (specific addresses with revealed pubkeys); proof-of-stake exposure extends to consensus-layer signatures used by every validator on every block
  4. NIST has standardized several quantum-resistant cryptographic schemes and recommends migration by 2035. The Coinbase paper suggests that timeline may be optimistic given the engineering complexity. Post-quantum digital signatures are tens to hundreds of times larger than current ECDSA signatures, which could increase blockchain data costs by up to 38x and reduce throughput. Migration cannot be a single coordinated event because no entity controls upgrades across all wallets, exchanges, and infrastructure
  5. Adam Back (Blockstream CEO) told Bloomberg this week: 'The prudent thing to do is to prepare Bitcoin and give people the option to migrate their keys to a quantum-ready format. The longer time that Bitcoin users have in order to migrate their keys for custodians and exchanges to move their coins to a quantum-ready format, the safer it will be.' This aligns with the Coinbase board's framing: the migration window is the asset, and it should not be wasted

What Happened

On Tuesday, April 21, 2026, Coinbase's Independent Advisory Board on Quantum Computing and Blockchain published its first position paper, a 50-page document establishing a baseline assessment of quantum risk to digital assets and a roadmap for industry response. The board was assembled in January 2026. Its members include Scott Aaronson, Director of the Quantum Information Center at the University of Texas at Austin and one of the field's most cited researchers. Dan Boneh, the Stanford cryptography professor who co-directs the Stanford Center for Blockchain Research. Justin Drake, the Ethereum Foundation researcher leading post-quantum work on Ethereum's roadmap. Sreeram Kannan, the founder of EigenLayer. Yehuda Lindell, Coinbase's own Head of Cryptography and a globally cited authority on secure multiparty computation. Dahlia Malkhi, head of the UCSB Foundations of Fintech Research Lab.

The paper's core conclusion is direct: digital assets are safe today, but a fault-tolerant quantum computer capable of breaking blockchain cryptography will eventually be built. Coinbase Chief Security Officer Phillip Martin: 'Your crypto is safe today. But a quantum computer capable of threatening blockchain cryptography will eventually be built, and the industry needs to start preparing now, not when it's urgent.' The board members' specific recommendation: begin migration planning immediately, communicate timelines publicly, and avoid the failure mode of waiting until the threat is no longer theoretical.

Why 6.9 Million BTC Is the Number That Matters

The paper's most concrete claim is the 6.9 million BTC figure. That number represents Bitcoin sitting in addresses where the public key is already exposed on-chain. Any address that has ever spent funds has broadcast its public key as part of the spend transaction. Once exposed, that public key becomes the input to Shor's algorithm. A sufficiently powerful quantum computer can derive the corresponding private key in polynomial time, where a classical computer would need centuries. The 6.9 million figure is roughly 33% of all 19.8 million BTC currently in circulation. It includes coins from Bitcoin's earliest era using pay-to-public-key (P2PK) format, before pay-to-public-key-hash (P2PKH) became standard. Satoshi-attributed addresses, estimated at roughly 1.1 million BTC, fall in this category.

The remaining BTC, sitting in addresses that have never been spent from, is structurally safer in the short term because the public key is hashed and not yet revealed. The hash provides quantum resistance until the moment of first spend. This creates an awkward incentive structure: the safest BTC is the BTC that has never moved, which is also the BTC most likely to belong to inactive wallets, lost keys, or holders who have stopped engaging with the network. Active users, by definition, expose their keys every time they transact. The 6.9 million figure is a snapshot. Without intervention, the exposed pool grows every time anyone spends from a non-quantum-safe address.

The Migration Problem Is Not Mostly Cryptographic

NIST has already standardized several quantum-resistant cryptographic schemes including ML-DSA (formerly Dilithium), SLH-DSA (formerly SPHINCS+), and Falcon. The cryptographic primitives exist and have been peer-reviewed for years. The hard problem is deployment. Post-quantum digital signatures are tens to hundreds of times larger than the ECDSA signatures Bitcoin uses today. The Coinbase paper estimates block data sizes could grow by up to 38x if a naive migration were performed. That would directly impact transaction fees, node storage requirements, and network throughput. It would also affect every piece of infrastructure built around Bitcoin's current signature size: hardware wallets, mining pools, payment processors, custody systems.

There is no central authority to coordinate the migration. Bitcoin's upgrade path requires social consensus among miners, node operators, exchanges, custodians, and individual users. Every wallet holder must take action to migrate their funds from a quantum-vulnerable address to a quantum-safe one. Custodial venues including Coinbase, BlackRock IBIT (which holds 802,823 BTC at Coinbase Custody), and Strategy (815,061 BTC across institutional custodians) face the migration question first because they hold concentrated supply at known addresses. Self-custody holders face it individually, on their own timeline, with their own tooling. The board's recommendation that the industry communicate timelines publicly is partly an acknowledgment that no single entity can solve this on behalf of others.

Why a Bad Migration Is a Centralization Argument

The Coinbase paper does not say this directly, but the structural implication is unavoidable: how this migration is handled determines whether Bitcoin remains sovereign money or becomes a custodial asset by default. A custodian holding millions of coins at known addresses can coordinate a migration in a single internal upgrade cycle. Coinbase can move all customer balances to quantum-safe addresses on a defined schedule, with internal engineering resources and no need for individual customer action. BlackRock can do the same for IBIT. Strategy can do it for the corporate treasury. Every institutional holder will move first because they have the engineering bandwidth, the legal mandate, and the concentrated control to do it.

Self-custody holders move on individual timelines, with individual tooling, and individual responsibility for getting it right. The user who runs Sparrow on a laptop and signs with a hardware wallet will need a firmware update that supports quantum-safe signatures, a wallet update that knows how to construct the new transaction format, and the discipline to actually execute the migration before any deadline. Some users will. Many will not. The ones who do not will eventually face one of three outcomes: their coins get frozen by a protocol change like BIP-361, their coins get drained by whoever cracks ECDSA first, or they get herded into custodial rescue programs offered by exchanges and custody providers as the only practical migration path. Each of those outcomes makes Bitcoin more centralized than it is today.

This is the structural risk the Coinbase paper points at without naming. It is not 'quantum will break Bitcoin.' Bitcoin is not going to break. The risk is that quantum migration becomes the largest coordination event in Bitcoin's history, and the entities best equipped to coordinate it are exactly the entities whose growing custody share is already the network's primary centralization pressure. Who gets to move first when the rules change determines who controls the network on the other side of the change.

What This Means for You

If you self-custody Bitcoin and have ever spent from any of your addresses, those addresses are in the 6.9 million BTC vulnerable pool. The practical mitigation today is straightforward: use addresses only once, and when you do spend, send the change to a fresh address. This is the default behavior of every well-designed Bitcoin wallet (Sparrow, Specter, the major hardware wallets) and is the reason address reuse has been considered bad practice since 2013. If your wallet hygiene has been sloppy, the cost of fixing it now is one consolidating transaction to a fresh address. The cost of fixing it after a fault-tolerant quantum computer exists is your entire balance.

The deeper mitigation is preserving your ability to migrate without depending on a custodian. That means running a wallet stack you understand, with hardware that can receive firmware updates, with seed-phrase backups you control, and with the technical literacy to execute a quantum-safe migration when the tooling becomes available. The sovereignty thesis only holds if individual holders can keep control through a cryptographic transition without being forced into custodial rescue programs or emergency policy fixes. The work of keeping that option open starts now, not when the migration becomes urgent.

If you hold Bitcoin through Coinbase, BlackRock IBIT, Strategy MSTR, or any custodian, your exposure is whatever your custodian's migration plan turns out to be. Coinbase has now published a plan in outline. The other major custodians have not. For ETF holders specifically, the migration question has no clean answer: the ETF prospectus does not bind the custodian to any specific quantum-readiness timeline, and the ETF holder has no governance mechanism to force one. This connects directly to the BIP-361 proposal we covered last week, which would freeze legacy-format coins after a phased migration period. The Coinbase paper does not endorse BIP-361 specifically. It does endorse the underlying premise: voluntary migration with a defined deadline is more achievable than emergency migration after a quantum breakthrough.

What to Watch

Watch whether other major custodians (BlackRock, Fidelity, Strategy) publish their own quantum migration roadmaps in response. Watch the Bitcoin Core developer mailing list for movement on BIP-360 (Pay to Quantum Resistant Hash) and BIP-361 (the freeze proposal). Watch whether Ethereum's post-quantum roadmap moves from research to implementation timeline given the proof-of-stake exposure the Coinbase paper specifically called out. Watch hardware wallet manufacturers (Ledger, Trezor, Coldcard, BitBox, Blockstream Jade) for announcements on quantum-safe firmware. The migration is now a coordination problem with named participants and a public deadline window. Every major actor's response from this point forward becomes part of the historical record.

Bitcoin doesn't break under quantum. The question is who gets to move first when the rules change.

Sources

  1. [1]Coinbase Independent Advisory Board on Quantum Computing and Blockchain — Position Paper, published April 21, 2026
  2. [2]CoinDesk — 'Coinbase Advisory Board Says Quantum Computing Threat Is on the Horizon, Crypto Needs a Plan', April 21, 2026
  3. [3]Decrypt / Yahoo Tech — 'Coinbase Flags Proof-of-Stake Chains Like Ethereum, Solana as Potential Quantum Risks', April 21, 2026
  4. [4]BeInCrypto / Yahoo Tech — 'Coinbase Publishes First Paper on Quantum Computing Position for Crypto', April 21, 2026
  5. [5]Coinbase corporate blog — 'Coinbase Establishes Independent Advisory Board on Quantum Computing and Blockchain', January 2026 (board membership reference)
  6. [6]Bloomberg — Adam Back interview on Bitcoin quantum migration, April 2026
  7. [7]Fortune — 'Coinbase Launches Expert Board to Assess Quantum Computing Threat to Crypto', Jeff Lunglhofer interview, January 21, 2026
Quantum series · Part 6 of 9
← Previous part
BIP-361 Would Freeze Bitcoin That Doesn't Migrate to Quantum-Safe Addresses
Next part →
Postquant Labs Shipped Quantum Protection Without a Bitcoin Soft Fork

More in Quantum

Trump Executive Order Moves Federal PQC Deadline to 2031Project Eleven's 15-Bit Quantum Bounty, Reproduced in 20 Python LinesPostquant Labs Shipped Quantum Protection Without a Bitcoin Soft Fork