Section II: Blockchain Vulnerability Assessment
The coordination challenges described above are compounded by a feature unique to blockchains: permanent public records. Every signature ever published on-chain becomes a potential attack surface once quantum computers mature. Traditional financial systems can rotate their encryption keys behind closed doors, but blockchain addresses with exposed public keys remain vulnerable forever unless protocol-level changes intervene. This section examines which blockchain assets face the greatest quantum risk, why some addresses are more vulnerable than others, and what users can do to protect themselves while developers work on network-wide solutions.
Technical Foundation
Most blockchain networks secure transactions using digital signatures (the cryptographic foundation explained in Chapter I for Bitcoin and Chapter V for custody practices) that rely on mathematical problems classical computers cannot solve efficiently. The quantum threat to these systems comes in two forms, and it helps to think of them through analogy.
Shor's algorithm is like a master locksmith who can reverse-engineer any lock's blueprint from its face (the public key) and cut a matching key directly. This is catastrophic for the signature schemes that Bitcoin, Ethereum, and Solana use today. Once quantum computers are powerful enough to run Shor's algorithm at scale, they can derive private keys from public keys, breaking the fundamental security assumption of blockchain wallets.
Grover's algorithm resembles a superhuman librarian who must still search through library stacks, but can do so far more efficiently, effectively halving the security strength of hash functions. This is less devastating because the defense is straightforward: use longer hashes. One algorithm breaks mathematical structure entirely; the other just accelerates brute-force search.
Public Key Exposure Models
Think of it like this: a Bitcoin address is like a safe whose combination (the public key) isn't revealed until someone opens it. Once the safe is opened, anyone listening can record the combination. Today's eavesdroppers can't use that combination to break into safes, but when quantum "lockpicks" arrive, they can replay those recorded combinations to steal whatever remains inside.
This analogy captures a fundamental principle: quantum computers can break public keys, but they cannot easily break the cryptographic hashes of those keys. This distinction determines which funds are at risk.
Why Legacy Bitcoin Addresses Are More Vulnerable
Legacy Bitcoin addresses face significantly higher quantum risk for two concrete reasons. First is direct public key exposure through P2PK outputs. Early Bitcoin (2009-2012) frequently used P2PK (Pay-to-Public-Key) outputs that publish the public key directly on the blockchain with no cryptographic protection.
The transaction literally says "here's the public key, anyone who can prove they control it can spend this." Over 1.5 million BTC (roughly 8.7% of Bitcoin's total supply, yet only 0.025% of UTXOs) remain locked in these completely exposed P2PK outputs, including Satoshi's early mining rewards. This is like having a safe with the combination written on the outside. Quantum computers won't need to break any locks; they can simply read the combination and walk in.
The second vulnerability comes from address reuse patterns. Early Bitcoin users commonly reused the same address for multiple transactions, a practice that was later discouraged. Each time someone spends from an address, they expose its public key on the blockchain. With address reuse, the first spend reveals the public key, and any remaining balance tied to that key becomes fair game for a future quantum attacker. Many legacy users accumulated large balances on a single address over time, then only spent portions, leaving substantial "change" outputs sitting behind already-exposed public keys. In the public-key-exposure model, those change outputs are effectively pre-targeted for quantum harvest.
Current Standards
Newer Bitcoin addresses use formats like P2PKH (Pay-to-Public-Key-Hash) and native SegWit (both covered in Chapter I) that only store a hash of the public key on the blockchain. The actual public key stays hidden until you spend your Bitcoin. When combined with the modern practice of using each address only once, this provides much stronger protection against quantum computers.
Unspent funds in these modern address formats are much more quantum-resilient because the public keys remain hidden. A quantum attacker would first need to crack the hash layer itself, which is much harder than attacking exposed public keys directly.
Using each address only once also reduces long-term risk. The public key is only revealed when you spend the funds. As long as the transaction confirms before attackers can derive your private key (which takes time even with quantum computers), you're effectively safe in practice. And since you've spent all the funds, there's no remaining balance left on that now-exposed key for future attacks.
However, Taproot addresses (introduced in Chapter I) present a different exposure pattern. When using the default key-path spend, Taproot embeds a public key directly in the output, placing it in the exposed-key category similar to the vulnerable legacy formats. While Taproot currently holds a relatively small share of Bitcoin's total supply, users should be aware that these addresses don't provide the same quantum protection as hash-based alternatives.
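The exposure rules above (key published in the output for P2PK and Taproot key-path, key hidden behind a hash for P2PKH and native SegWit until the address spends) can be turned into a simple wallet audit. The following is an added example, not code from the original text; the UTXO records, ids and addresses are constructed placeholders, and a real audit would pull outputs and spend history from a node or indexer.

```python
# Added example (not from the original text): classify a wallet's unspent
# outputs by whether the public key is already visible on-chain, following
# the exposure model described above. Sample outputs are constructed here.
from dataclasses import dataclass

KEY_IN_OUTPUT = {"p2pk", "p2tr"}       # key published in the output itself
HASH_IN_OUTPUT = {"p2pkh", "p2wpkh"}   # output commits only to hash(key)

@dataclass(frozen=True)
class Utxo:
    txid: str            # constructed placeholder id
    address: str
    script_type: str     # p2pk, p2pkh, p2wpkh, p2tr, or other
    value_sat: int       # satoshis, to keep sums exact

def classify(utxo: Utxo, spent_from: set) -> str:
    """Return 'exposed', 'hidden' or 'unknown' for one unspent output.

    spent_from holds addresses with at least one prior spend: a spend
    reveals the key behind the hash, so later deposits are exposed too.
    """
    if utxo.script_type in KEY_IN_OUTPUT:
        return "exposed"
    if utxo.script_type in HASH_IN_OUTPUT:
        return "exposed" if utxo.address in spent_from else "hidden"
    return "unknown"   # e.g. P2SH: depends on the redeem script

def audit(utxos: list, spent_from: set) -> dict:
    """Total satoshis per exposure class; 'exposed' is what to move to a
    fresh, never-spent hash-based address."""
    totals = {"exposed": 0, "hidden": 0, "unknown": 0}
    for u in utxos:
        totals[classify(u, spent_from)] += u.value_sat
    return totals

# Constructed sample wallet; ids and addresses are placeholders.
SAMPLE_UTXOS = [
    Utxo("tx-a", "addr-legacy-1", "p2pk", 5_000_000_000),   # early mining reward
    Utxo("tx-b", "addr-reused-2", "p2pkh", 125_000_000),    # change behind a spent key
    Utxo("tx-c", "addr-fresh-3", "p2wpkh", 40_000_000),     # never spent from
    Utxo("tx-d", "addr-taproot-4", "p2tr", 10_000_000),     # Taproot key-path output
    Utxo("tx-e", "addr-script-5", "p2sh", 5_000_000),
]
SAMPLE_SPENT_FROM = {"addr-reused-2"}

if __name__ == "__main__":
    for u in SAMPLE_UTXOS:
        print(u.address, u.script_type, classify(u, SAMPLE_SPENT_FROM))
    print(audit(SAMPLE_UTXOS, SAMPLE_SPENT_FROM))
```

Note that the reused P2PKH output is counted as exposed even though its script only holds a hash: the earlier spend from that address already published the key, which is exactly the address-reuse case above.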
Ethereum's account model (Chapter II) creates different exposure patterns. Every transaction from an EOA exposes a recoverable public key, but accounts that have never sent transactions remain protected. However, once an Ethereum address sends its first transaction, the public key is permanently exposed for any future deposits to that same address.
Managing individual addresses this way is clearly burdensome, but smart contract wallets mainly provide architectural flexibility rather than an immediate solution to quantum threats. The authentication logic in these wallets lives in upgradeable code instead of being permanently tied to a single signature key, so in principle they could switch to quantum-resistant signature schemes without changing the wallet address. However, this only becomes practical once Ethereum adds efficient built-in support for verifying these new signature types. Today, verifying post-quantum signatures directly on the EVM is technically possible but far too expensive in gas, so this upgrade path remains mostly theoretical rather than something users can deploy at scale. In practice, whether any given smart contract wallet benefits from this flexibility depends entirely on its specific implementation and available upgrade mechanisms.
Multi-signature wallets (covered in Chapter V) present complex migration challenges, typically requiring all signers to coordinate simultaneous upgrades to post-quantum schemes. Social recovery mechanisms might provide alternative migration paths, though these require careful design to maintain security assumptions.
Dormant and Potentially Lost Wallets
Dormant addresses with exposed public keys represent significant systemic risk to the broader ecosystem. These include early adopter addresses where the owners may have lost their private keys but already exposed their public keys through past spending activity. They also include abandoned mining addresses from Bitcoin's early era, particularly those used for early block rewards that were subsequently spent, exposing their public keys to future quantum harvest.
The fundamental challenge lies in distinguishing between genuinely lost funds and dormant but recoverable wallets. Quantum attackers could potentially recover funds from addresses presumed permanently lost: imagine the market chaos if millions of "lost" Bitcoin suddenly became recoverable, creating unexpected supply shocks and complex ownership disputes that could destabilize the entire ecosystem.
This creates a high-stakes scenario often described as a "quantum rush." Should a powerful quantum computer emerge suddenly, it would trigger a frantic race. Malicious actors would rush to crack susceptible addresses and steal exposed funds, while network developers and the community would race to deploy emergency forks to freeze or migrate those same assets. The outcome of such an event would depend heavily on who acts first, introducing a stark game-theoretic dynamic into the security model.
At current valuations, those at-risk BTC represent over $100 billion in exposed value, effectively creating a massive bounty for whoever achieves quantum supremacy first. This transforms quantum computing development from purely scientific pursuit into strategic competition. Nation-states and well-funded private entities now have a concrete financial incentive, beyond military or intelligence applications, to accelerate their quantum programs: whoever breaks the threshold first gains the ability to seize billions in abandoned or lost Bitcoin before the network can coordinate defensive forks. The race extends beyond who builds the computer to who can extract maximum value before the window closes.
Best Practices
To protect against future quantum computing threats, users should adopt careful key management practices. For Ethereum, avoid keeping large amounts of funds in an address after its first transaction, since any on-chain signature reveals the public key to potential quantum attacks. Instead, migrate to a fresh, unused address or preferably a smart contract wallet that can be upgraded to post-quantum cryptographic schemes.
Bitcoin users should similarly avoid address reuse by spending entire UTXOs to fresh addresses, ensuring no value remains tied to previously exposed public keys. While multisig and multi-party computation solutions offer enhanced security today, they don't eliminate quantum risk if the underlying signature scheme remains vulnerable. Their primary value lies in providing an upgrade path to post-quantum algorithms when they become available.
The Protocol-Level Challenge
While individual users can adopt protective practices, the exposure patterns detailed above reveal a fundamental limitation: personal key management cannot protect the ecosystem as a whole. The massive amount of Bitcoin sitting in exposed legacy outputs, the countless reused addresses from Bitcoin's early days, and Ethereum's account model exposure all require coordinated protocol-level responses.
No amount of individual vigilance can secure funds whose public keys are already permanently visible on-chain, nor can it prevent the systemic chaos of a potential quantum rush. This reality has driven blockchain developers to move beyond user education toward concrete technical proposals for network-wide quantum resistance. The question is no longer whether blockchains need protocol changes, but rather how to implement them without breaking existing functionality or creating unacceptable economic disruption.