Coinbase’s independent quantum advisory board just dropped a 40-page report that should worry every Bitcoin holder: ~7 million BTC — roughly 37% of the total supply — sits in addresses vulnerable to future quantum attacks. The kicker? ~5 million of those coins belong to active users, including cold wallets of known exchanges. This isn’t lost Satoshi stash. It’s live capital.
The board, stacked with cryptography heavyweights (Yehuda Lindell, Dan Boneh, Scott Aaronson, Justin Drake, Sreeram Kannan, Dahlia Malkhi), published the findings June 12, 2026. Their conclusion: no consensus on governance. Two irreconcilable camps. Zero endorsement of either.
The Exposure Breakdown
| Category | BTC at Risk | What It Means |
|---|---|---|
| Legacy P2PK addresses | ~1.7M BTC | ~20,000 addresses where public key = address. Many assumed lost/Satoshi-era. |
| Address reuse | ~5M BTC | Public keys revealed via reuse. Most belong to active users, including large cold wallets of known exchanges (unnamed) or showing recent activity. |
“The second and larger bucket is the one tied to address reuse… about 5 million bitcoin at risk because their public keys have already been revealed, and says most of those coins are assumed to belong to active users rather than lost wallets, with large amounts sitting in cold wallets of known exchanges or showing recent activity.” — Coinbase Quantum Advisory Board Report
The Governance Split
Camp 1: Freeze/Burn Vulnerable Coins After Deadline
Mechanism: Stop accepting ECDSA/Schnorr signatures after a migration deadline.
Arguments:
– Broken cryptography voids proof of ownership
– Prevents sudden supply shock from quantum-broken coins flooding market
– Stops sanctioned actors (e.g., North Korea) from seizing large stashes
Camp 2: Enable Post-Quantum Addresses; Leave Risk to Owners
Mechanism: Add quantum-resistant options, no forced migration.
Arguments:
– Burning coins = network-level confiscation, violates property-rights ethos
– Sets dangerous precedent for future seizures
– Cannot distinguish negligent owner from imprisoned/deceased/temporarily locked out
The board declined to back either approach, saying there is no correct answer and the community must decide.
Intermediate Proposals (Mutually Compatible)
| Proposal | Description | Key Feature |
|---|---|---|
| Hourglass | Cap P2PK coins movable per block | Prevents sudden supply shock |
| BIP-361 | Bar legacy signatures after set time; allow ZK-proof ownership | Works for seed-phrase wallets |
| PACTs (Provable Address-Control Timestamps) | Commit today to future quantum-safe transfer without onchain move | Originally by Paradigm’s Dan Robinson |
Threat Timeline Reality Check
No quantum computer can break blockchain cryptography today. The threat remains uncertain but migration + governance debate each take years. Waiting for a cryptographically relevant quantum computer = too late.
Related context:
– Jefferies’ Christopher Wood dropped BTC allocation (Jan 2026) citing exchange/institutional wallet exposure from address reuse
– Google set a 2029 timeline for post-quantum cryptography migration (Mar 2026)
– BIP-361 draft proposes phased sunset of legacy signatures
The Bottom Line: Move Your Coins Now
The 5M BTC in reused addresses — not lost Satoshi coins — represents the real governance crisis: active holders (including major exchanges) who control funds but may miss migration deadlines. The board frames this as a community decision, not a technical one. Until Bitcoiners agree on whether property rights or cryptographic purity wins, 7M BTC sits in limbo.
Your action today: If you hold BTC in a reused address (check: have you ever sent from the same address twice?), your coins are in the 5M bucket. Move to a fresh Taproot (bc1p) address now. The migration tooling exists; the governance doesn’t.
Quick Answers
Is my Bitcoin at risk today?
No. No quantum computer exists that can break ECDSA/secp256k1. The risk is future — 10-20 year horizon — but migration takes years.
How do I know if my address reused?
Any address you’ve sent from more than once has revealed its public key. Use a block explorer (mempool.space, blockstream.info) — paste your address, check transaction count.
What’s a “fresh Taproot address” and how do I get one?
Taproot (BIP-341) addresses start with bc1p. Most modern wallets (Sparrow, BlueWallet, Electrum, Ledger Live, Trezor Suite) generate them by default. Create a new receive address — if it starts with bc1p, you’re good.
Which exchanges are affected?
The report names none explicitly but confirms “large cold wallets of known exchanges” show reuse patterns. If you custody on an exchange, you’re trusting their migration timeline. Audit your withdrawal address before your next deposit.
What happens if Bitcoin forks over this?
Possible. Camp 1 (burn vulnerable coins) and Camp 2 (opt-in only) are mutually exclusive at protocol level. A contentious soft fork could split the chain — the board’s refusal to endorse either makes this more likely, not less.
Sources: Coinbase Quantum Advisory Board Report (June 12, 2026); The Block coverage; Google post-quantum roadmap (Mar 2026); BIP-361 draft.
Related: Bitcoin Taproot Guide: Why bc1p Addresses Matter • How to Audit Your Wallet for Address Reuse • Post-Quantum Crypto: What Google’s 2029 Deadline Means
