Tokenization

Quantum Risk Threatens 10% of Bitcoin Supply, Accelerating BIP-360 Adoption

Glassnode has put a precise supply figure on quantum vulnerability in Bitcoin, and the path to fixing it runs through a consensus process that has no deadline.

Glassnode called 1.92 million BTC "structurally unsafe" on May 20, 2026 [1]. That is not a probability estimate. That is a coin count. Roughly 10% of Bitcoin's entire circulating supply sits in reused or legacy address formats where the public key is visible on-chain [1]. A sufficiently powerful quantum computer could use that visible public key to reverse-engineer the private key. At Bitcoin's current price near $77,613 [2], the exposed supply represents over $149 billion in assets with a known cryptographic weakness and no confirmed fix on the horizon.

My thesis is simple. Quantum vulnerability in Bitcoin has crossed from theoretical risk to disclosure-level risk. Glassnode's supply-denominated precision [1], corroborated independently by Citi in the same month [3], means institutional holders, tokenized product operators, and treasury managers can no longer treat this as a footnote. The question is not whether quantum computers will eventually threaten Bitcoin. The question is whether Bitcoin's governance can move fast enough to fix it before the window closes.

The Signal: What Glassnode Actually Said

Glassnode's May 20, 2026 report did something that earlier quantum risk discussions had not done [1]. It gave a specific number. Not a range. Not a percentage with wide error bars. Approximately 1.92 million BTC, sitting in address formats that expose the public key by design, regardless of how carefully the owner manages their wallet [1].

The framing matters. Glassnode used the phrase "structurally unsafe" [1]. That language is deliberate. It means the vulnerability is not a user error. It is an architectural feature of older address types. Pay-to-public-key addresses, used heavily in Bitcoin's early years, broadcast the public key directly. Reused pay-to-public-key-hash addresses expose the public key the moment a transaction is signed. Once exposed, the public key stays on-chain permanently. There is no way to un-expose it without moving the coins.

Citi published a separate quantum risk report on Bitcoin in May 2026 [3]. Their numbers differ from Glassnode's. Citi estimated that 25% of Bitcoin supply is quantum-exposed, with 4.5 to 6.7 million BTC at risk [3]. They also put a 34% probability on a cryptographically relevant quantum computer existing by 2034 [3]. Two credible institutional voices, one an on-chain analytics firm, one a global bank, reached similar directional conclusions independently within the same month. That convergence is the signal.

The gap between Glassnode's 1.92 million BTC and Citi's higher range likely comes from methodology. Glassnode appears to have counted only addresses where the public key is already exposed on-chain today [1]. Citi's broader figure may include addresses that would become exposed upon their next outbound transaction [3]. Both numbers are defensible. Both are alarming.

This is the first time a major on-chain analytics firm has quantified quantum exposure at the asset level with supply-denominated precision [1]. That precision changes the conversation. Fund administrators, auditors, and regulators can now point to a specific number. Vague warnings about quantum risk were easy to defer. A named coin count is harder to ignore.

Why the Cryptography Matters: Plain Language Version

Every Bitcoin wallet has two keys. The private key is the secret. The public key is derived from it mathematically. In normal cryptography, knowing the public key tells you nothing useful about the private key. The math only works in one direction. That one-way property is what makes the system secure.

Quantum computers threaten that one-way property. They use a different kind of computation, based on quantum mechanics, that can run certain mathematical operations in reverse far more efficiently than classical computers. The specific algorithm is called Shor's algorithm. It can, in theory, derive a private key from a public key if the public key is known [4].

The critical word is "known." If your public key has never appeared on-chain, a quantum computer cannot target you. But if you have ever sent Bitcoin from an address, or if you use an older address format that broadcasts the public key by design, your public key is permanently recorded on the blockchain. Anyone with a sufficiently powerful quantum computer could use it.

How powerful does the quantum computer need to be? Current estimates suggest breaking Bitcoin's elliptic curve cryptography would require millions of stable qubits [4]. Today's best quantum computers operate in the thousands of noisy qubits. The gap is large. But the direction of travel is clear, and the timeline is uncertain enough that serious institutions are not waiting.

BIP-360 is the proposed solution for Bitcoin [3]. It would introduce new signature types based on post-quantum cryptographic algorithms that Shor's algorithm cannot reverse. Coins would need to be migrated to new address formats. Old addresses would eventually be deprecated or frozen. But BIP-360 is a proposal, not a deployed upgrade. Bitcoin has no central team that can push changes. Activation requires miners and node operators worldwide to signal support and upgrade their software. That process is slow. It is also contested. Bitcoin's governance has historically taken years to resolve even less contentious changes [3].

The Infrastructure Layer Is Already Moving

Bitcoin is not the only chain thinking about this. The pattern across serious infrastructure teams is consistent: treat quantum risk as an active engineering problem, not a future philosophy debate.

Yesterday I covered BNB Chain deliberately accepting a 40 to 50% reduction in transaction throughput to test post-quantum cryptographic defenses. That is a real performance cost, accepted voluntarily, in exchange for cryptographic safety. The BNB Chain team did not wait for a quantum computer to appear. They stress-tested their defenses while the threat was still distant.

Ten days ago I covered Zcash announcing quantum-recoverable wallets, with a full quantum-proof architecture targeted by 2027. Zcash moved 53.7% in seven days on that announcement. The market priced the upgrade as a positive signal, not a sign of weakness.

Bitcoin's situation is structurally different from both. BNB Chain has a development team that can coordinate upgrades. Zcash has a core protocol team with a roadmap. Bitcoin has neither. It has a decentralized network of miners, node operators, and developers who must reach rough consensus before any protocol change activates. That decentralization is Bitcoin's defining feature. It is also the reason BIP-360 has no guaranteed timeline [3].

The Bitcoin developer mailing list has seen BIP-360 discussed alongside a companion proposal, BIP-361 [3]. Both are in early stages. Miner signaling, the mechanism by which miners indicate readiness to activate a soft fork, has not begun in any meaningful way. Node operator adoption, which is the other required component, is similarly nascent. Citi noted explicitly that the consensus process "historically takes years" [3]. That is not pessimism. That is the record.

Meanwhile, the tokenization layer is building on top of Bitcoin-denominated assets. Tokenized Bitcoin products, wrapped BTC structures used in DeFi collateral stacks, and Bitcoin ETFs approved by the SEC in 2024 [5] all inherit the underlying cryptographic exposure. A wrapped BTC token is only as secure as the Bitcoin it represents. If the underlying coins sit in quantum-vulnerable addresses, the token inherits that risk. Regulators who are already tightening custody standards [5] will eventually ask about cryptographic adequacy. The question is when, not whether.

The Counter-Narrative

Skeptics argue that quantum risk to Bitcoin is a perennial concern that never materializes, and that the timeline to a cryptographically relevant quantum computer is so uncertain that institutional action today is premature. They point out that Shor's algorithm requires error-corrected qubits at a scale that no lab has demonstrated, and that the engineering challenges involved are qualitatively different from simply scaling up current hardware. They also note that Bitcoin's community has successfully coordinated major upgrades before, including SegWit and Taproot, suggesting that BIP-360 can follow the same path when the threat becomes concrete enough to generate consensus.

The rebuttal is this: Citi put a 34% probability on a cryptographically relevant quantum computer existing by 2034 [3], and the migration of 1.92 million BTC to safe address formats cannot happen overnight. If the window to act is eight years and the consensus process takes years, the time to start is now, not when the threat is confirmed.

Who Should Care and What They Should Do

If you are a portfolio manager or fund with Bitcoin as collateral: the 1.92 million BTC figure is now a disclosure question [1]. Your auditors will ask about cryptographic adequacy standards. Your LPs may ask before your auditors do. The first step is an address-level audit. Identify whether any Bitcoin held in your custody or pledged as collateral sits in reused or legacy address formats. If it does, document your migration plan. Do this before someone else asks.

If you operate a tokenized Bitcoin product, a wrapped BTC structure, or a Bitcoin ETF: you inherit the underlying cryptographic exposure directly. The SEC has signaled that custody standards for digital assets are a priority [5]. A regulator citing cryptographic adequacy in a fund disclosure requirement would not be a surprise. You need a documented position on quantum risk today, not a reactive statement after the first enforcement action.

If you are a treasury manager holding BTC on a corporate balance sheet: quantum exposure has moved from footnote to line item. Add it to your risk register. Track BIP-360 progress on the Bitcoin developer mailing list as a material development. The Bernstein tokenization supercycle thesis for 2026 [6] assumes infrastructure integrity. Cryptographic vulnerability is an infrastructure integrity question.

What to Watch Next

First, watch for a major custodian, Coinbase Custody or Fidelity Digital Assets being the most likely candidates, to issue formal guidance or a client advisory on migrating coins from quantum-vulnerable address formats. A custodian advisory would shift this from analyst commentary to operational requirement for every institutional holder they serve.

Second, watch the Bitcoin developer mailing list for BIP-360 to move from proposal to formal activation discussion. Any sign of miner signaling or node operator support before the end of 2026 would be a meaningful step. The absence of that signal by year end would itself be informative, suggesting the governance process is not moving at a pace that matches the risk timeline.

Third, watch for a regulatory move. The SEC clarified its application of securities laws to crypto assets in April 2026 [5]. A follow-on guidance citing cryptographic adequacy standards in custody rules or fund disclosure requirements would force the issue from voluntary best practice to mandatory compliance across the institutional stack. European regulators, who have moved faster on digital asset custody frameworks, are also worth watching on this dimension.

The Unanswered Question

If BIP-360 fails to reach consensus on a timeline that outpaces quantum computing progress, there is no clear orderly migration plan for over $149 billion in exposed supply [1][2]. Forced migration at scale would require coordinated action from thousands of independent wallet holders, many of whom are unreachable, deceased, or holding coins in cold storage with no active monitoring. Some portion of the 1.92 million BTC may be permanently lost coins from Bitcoin's early years, which would never be migrated regardless of any protocol upgrade. That reduces the practical exposure somewhat. But it does not reduce the governance problem.

The deeper issue is not cryptography. It is coordination. Bitcoin's decentralized upgrade process is a feature in normal times. It is a liability when a time-sensitive security fix needs coordinated action across thousands of independent operators with no central authority to compel movement [3]. SegWit took years of contentious debate before activation. Taproot required a similarly extended process. BIP-360 is more complex and more urgent than either.

The thread worth pulling is not whether quantum computers will eventually break Bitcoin. They probably will, on a long enough timeline. The thread is whether Bitcoin's governance can move fast enough when the window to act is finite and the cost of missing it is measured in hundreds of billions of dollars.

I have not seen a credible answer to that question yet.

Sources

  1. 1tradingview.com
  2. 2coinmarketcap.com
  3. 3en.spaziocrypto.com
  4. 4crypto.news
  5. 5fintechanddigitalassets.com
  6. 6coindesk.com