Coinbase's quantum advisory board reported Thursday that roughly 7 million bitcoin sit in addresses exposed to a future quantum attack, with much of that exposure coming from active funds rather than lost Satoshi-era coins, including cold wallets operated by known exchanges. The exposure stems from two vulnerabilities: legacy pay-to-public-key addresses where public keys are fully visible onchain, and address reuse that has already revealed public keys. The report frames the challenge as a governance question about what to do with holders who still control their funds but may fail to migrate before any deadline, as quantum computing advances continue to accelerate research timelines.
Coinbase Report Identifies Two Buckets of Bitcoin Exposure
The advisory board divided the exposure into two categories in a report published Thursday by the company's Independent Advisory Board on Quantum Computing and Blockchain. About 1.7 million bitcoin sit across roughly 20,000 legacy pay-to-public-key (P2PK) addresses, where the public key itself is the address and is fully visible onchain, leaving those coins directly vulnerable to a future attack. Many are assumed to belong to bitcoin's pseudonymous creator or to owners who lost their keys long ago.
The second and larger bucket is tied to address reuse. Citing quantum-security firm Project Eleven, the report puts about 5 million bitcoin at risk because their public keys have already been revealed. The report says most of those coins are assumed to belong to active users rather than lost wallets, with large amounts sitting in cold wallets of known exchanges or showing recent activity. The report does not name specific crypto exchanges.
The report presents the argument that owners who have lost their keys do not need protection because they have already lost practical control of their coins, so the genuine question is what to do about holders who still control their funds but fail to move them before any migration deadline. By the report's own framing, that group could include the exchanges and active holders behind the 5 million reused-key coins.
Advisory Board Presents Two Opposing Migration Approaches
The report sets out two opposing positions on solutions. The first would set a deadline after which quantum-vulnerable signatures, such as ECDSA and Schnorr, are no longer accepted, permanently freezing any coins not migrated. Proponents argue that broken cryptography voids the proof of ownership those signatures provide, that lost coins flooding the market after a quantum break would unfairly hit other holders, and that freezing would stop a sanctioned actor such as North Korea from seizing a large bitcoin stash.
The second position would enable post-quantum addresses and otherwise leave the risk with each owner. Backers argue that burning coins amounts to confiscation at the network level, breaking with bitcoin's property-rights ethos and setting a precedent that could invite future pressure to seize funds for other reasons, and that there is no reliable way to tell a negligent owner from one who is imprisoned, has died, or has only temporarily lost a key.
Intermediate Proposals Offer Compatibility Between Positions
Between the two, the report describes intermediate proposals it says are mutually compatible. An "Hourglass" design would cap how many P2PK coins can move per block to prevent a sudden supply shock. The draft BIP-361 proposal would bar legacy signatures after a set time but let users prove ownership with a quantum-resistant zero-knowledge proof, an option available to wallets generated from seed phrases. Provable Address-Control Timestamps, or PACTs, originally proposed by Paradigm researcher Dan Robinson, would let holders commit today to a future quantum-safe transfer without publicly moving funds onchain.
Board Composition and Migration Recommendations
The board declined to back any single approach, saying there is no correct answer and that the community must decide. Its members include Yehuda Lindell, who leads cryptography at Coinbase and is a professor at Bar-Ilan University, alongside Stanford professor Dan Boneh, UT Austin professor Scott Aaronson, Ethereum Foundation researcher Justin Drake, Sreeram Kannan of Eigen Labs and the University of Washington, and UCSB professor Dahlia Malkhi.
The report made two recommendations. It urged developers to start the technical migration work now, arguing that building post-quantum signature support is independent of the abandoned-coins fight and should not wait for it, and it called for clearer communication so users are not left guessing about timelines and plans.
The exchange-exposure point echoes earlier warnings. When Jefferies strategist Christopher Wood pulled bitcoin from his model portfolio in January over quantum risk, the research he cited flagged exchange and institutional wallets as among the most exposed because of address reuse. Bitcoin developers have separately floated the phased sunset of legacy signatures under BIP-361, and Google said in March it was setting a 2029 timeline for its own post-quantum cryptography migration, citing faster progress in quantum-related research.
The board stressed that no quantum computer can break blockchain cryptography today and that the threat remains uncertain. Its argument is that migration and the governance debate will each take years to resolve, so waiting until a cryptographically relevant quantum computer actually exists would be too late.
FAQ
What did Coinbase's quantum advisory board report on Thursday?
Coinbase's quantum advisory board reported Thursday that roughly 7 million bitcoin sit in addresses exposed to a future quantum attack, with about 1.7 million in legacy pay-to-public-key addresses and 5 million from address reuse, including cold wallets operated by known exchanges.
What are the two opposing positions on quantum migration solutions?
The first position would set a deadline after which quantum-vulnerable signatures are no longer accepted, permanently freezing unmigrated coins. The second position would enable post-quantum addresses and leave the risk with each owner, arguing that burning coins amounts to confiscation at the network level.
