Recent data from Glassnode has raised concerns regarding the quantum risk associated with Bitcoin holdings, revealing that an astonishing 4.12 million BTC are potentially vulnerable due to behavioral factors: address reuse, partial spending, and various custody practices. That significantly outpaces the 1.92 million BTC at risk from Bitcoin’s older script architecture. Collectively, these categories account for approximately 30.2% of all issued Bitcoin, underscoring a more pressing issue: the majority of today’s quantum-related risks stem not from legacy code, but from how holders manage their private keys.
Glassnode categorizes the quantum-exposed Bitcoin supply into two distinct groups: structural exposure and operational exposure. This differentiation is crucial; conflating the two often leads to misleading narratives about where the actual risks lie.
Structural exposure covers outputs where a public key is embedded on-chain by the script format itself, rather than through user actions. The primary contributors to this risk include Pay-to-Public-Key (P2PK) outputs, which were used in Bitcoin’s early blocks and contain the public key with no protective hash layer. Additional exposures stem from bare multisig outputs and, more recently, Pay-to-Taproot (P2TR) outputs, which also expose public keys by design. According to Glassnode, structural exposure accounts for about 1.92 million BTC.
In contrast, operational exposure addresses a different type of vulnerability. Outputs like Pay-to-Public-Key-Hash (P2PKH) and Pay-to-Witness-Public-Key-Hash (P2WPKH) do not expose public keys by default. Instead, they conceal them using cryptographic hash functions—specifically, SHA-256 and RIPEMD-160—which are deemed quantum-resistant based on existing models.
However, the situation changes dramatically when holders spend from these addresses. Once a transaction is broadcast, the public key revealed alongside the signature becomes permanently recorded on the blockchain. This creates a vulnerability, especially if the address is reused for receiving further funds: those subsequent balances are exposed in the same manner as the earlier, less secure outputs. Essentially, while the hash layer initially offers protection, it becomes ineffective once the address has been spent from, leaving any remaining funds open to quantum risks.
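The structural/operational split described above can be expressed as a small classifier over output scripts. This is an added example, not Glassnode's methodology or code: it assumes the standard scriptPubKey templates for the output types the article names, uses constructed sample outputs and amounts, and labels script types the article does not discuss as `unclassified`.

```python
from collections import defaultdict

def script_type(spk: bytes) -> str:
    """Match a scriptPubKey against the output templates named in the article."""
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        return "P2PK"           # <33- or 65-byte pubkey> OP_CHECKSIG
    if n == 34 and spk[:2] == b"\x51\x20":
        return "P2TR"           # OP_1 <32-byte output key>
    if n >= 37 and spk[-1] == 0xAE and 0x51 <= spk[0] <= 0x60 and 0x51 <= spk[-2] <= 0x60:
        return "bare-multisig"  # OP_m <pubkeys...> OP_n OP_CHECKMULTISIG
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return "P2PKH"          # OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 22 and spk[:2] == b"\x00\x14":
        return "P2WPKH"         # OP_0 <20-byte key hash>
    return "other"

STRUCTURAL = {"P2PK", "bare-multisig", "P2TR"}  # public key on-chain by design
HASHED = {"P2PKH", "P2WPKH"}                    # key hidden until the first spend

def exposure(spk: bytes, spent_scripts: set) -> str:
    """spent_scripts: scripts already spent from, so their public key is on-chain."""
    kind = script_type(spk)
    if kind in STRUCTURAL:
        return "structural"
    if kind in HASHED:
        return "operational" if spk in spent_scripts else "not-exposed"
    return "unclassified"       # types outside the article's two categories

def tally(utxos, spent_scripts) -> dict:
    """Sum unspent value per exposure class; utxos is [(scriptPubKey, amount)]."""
    totals = defaultdict(int)
    for spk, amount in utxos:
        totals[exposure(spk, spent_scripts)] += amount
    return dict(totals)

# Constructed sample data: dummy keys and hashes, arbitrary amounts.
KEY33 = b"\x02" + b"\x11" * 32
P2PK = bytes([33]) + KEY33 + b"\xac"
MULTISIG = b"\x51" + (bytes([33]) + KEY33) * 2 + b"\x52\xae"
P2TR = b"\x51\x20" + b"\x22" * 32
P2PKH_REUSED = b"\x76\xa9\x14" + b"\x33" * 20 + b"\x88\xac"
P2WPKH_FRESH = b"\x00\x14" + b"\x44" * 20
UTXOS = [(P2PK, 50), (MULTISIG, 5), (P2TR, 10), (P2PKH_REUSED, 20), (P2WPKH_FRESH, 15)]
SPENT = {P2PKH_REUSED}  # this address has signed a spend and still holds funds

if __name__ == "__main__":
    print(tally(UTXOS, SPENT))
```

The same P2WPKH output moves from `not-exposed` to `operational` the moment its script appears in `spent_scripts`, which is the address-reuse and partial-spend case the article describes.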
The findings indicate a clear necessity for Bitcoin holders to adopt stricter key management practices to mitigate potential vulnerabilities associated with quantum computing technologies. The data serves as a reminder of the evolving landscape of cryptocurrency security and the importance of maintaining awareness of both structural and operational risks.


