Bitcoin quantum exposure
Total BTC currently held at addresses whose pubkey has been revealed
on-chain. This is the supply that a sufficiently powerful quantum
attacker could steal by inverting ECDSA/Schnorr signatures. Updated
weekly from a full UTXO-set walk joined against our
revealed_addresses registry.
On this page
The breakdown
Six buckets, ordered by BTC at risk. Where the BTC lives on the left (each wedge is that script type's share of the at-risk BTC). Where the addresses are on the right (each wedge is that script type's share of the at-risk address count). When the same script type makes a big slice in one wheel but a sliver in the other, concentration is at work.
Same numbers, as horizontal stacked bars:
Raw figures by script type
| Script type | Exposure | Addresses | BTC at risk | % of at-risk | Share |
|---|---|---|---|---|---|
witness_v0_keyhash |
reuse | 3,578,838 | 1,910,301.77 | 27.24% | |
pubkey |
always | 39,478 | 1,716,077.37 | 24.47% | |
scripthash |
reuse | 1,144,572 | 1,297,276.27 | 18.50% | |
pubkeyhash |
reuse | 3,915,180 | 1,191,694.65 | 16.99% | |
witness_v0_scripthash |
reuse | 88,648 | 686,385.40 | 9.79% | |
witness_v1_taproot |
always | 4,933,860 | 211,918.95 | 3.02% |
Balance distribution
At-risk addresses grouped by current balance. BTC share runs leftward from the bucket label; address-count share runs rightward; both at the same 0-100% scale. The crossover row (highlighted) is where the two are balanced: above it addresses dominate, below it BTC dominates.
Of the 13,700,576 at-risk addresses, 277,623 currently hold exactly 1 satoshi, 2,828,213 hold under 1,000 sats, and 12,301,860 hold under 1M sats. Dust dominates by count; whales dominate by value.
Concentration curve
How concentrated the at-risk pool is, plotted as a Lorenz curve. X-axis is the cumulative share of addresses (sorted smallest balance to largest); Y-axis is the cumulative share of at-risk BTC. The dashed diagonal is perfect equality (every address holds the same). The further the curve bows toward the bottom-right corner, the more concentrated the holdings. The Gini coefficient summarises the bow in one number, from 0 (equal) to 1 (one address holds everything).
Redeem-shape breakdown
What shape are the P2SH/P2WSH redeem scripts behind the at-risk supply? Only pubkey-bearing shapes are quantum-exposed; the rest (timelock-only, hash-preimage, OP_RETURN-shaped) are what separate our strict count from the conservative one. Current held balance by shape:
| Script type | Redeem shape | Addresses | BTC held | Pubkey? |
|---|---|---|---|---|
p2sh_p2wpkh |
nested P2WPKH | 757,532 | 897,250.70 | exposed |
witness_v0_scripthash |
multisig | 86,798 | 684,284.25 | exposed |
scripthash |
multisig | 278,138 | 244,259.83 | exposed |
p2sh_p2wsh |
multisig | 110,288 | 155,574.13 | exposed |
scripthash |
single-key CHECKSIG | 1,104 | 2,491.35 | exposed |
witness_v0_scripthash |
pubkey + timelock | 577 | 2,087.78 | exposed |
p2sh_p2wsh |
pubkey + timelock | 1,402 | 375.74 | exposed |
scripthash |
hash-preimage only | 563 | 54.29 | safe |
witness_v0_scripthash |
pubkey + hashlock | 1,196 | 12.28 | exposed |
witness_v0_scripthash |
timelock only | 646 | 1.34 | safe |
witness_v0_scripthash |
hash-preimage only | 236 | 1.28 | safe |
witness_v0_scripthash |
single-key CHECKSIG | 77 | 1.09 | exposed |
p2sh_p2wsh |
hash-preimage only | 1,685 | 0.34 | safe |
scripthash |
pubkey + hashlock | 18 | 0.07 | exposed |
scripthash |
pubkey + timelock | 248 | 0.04 | exposed |
M-of-N multisig by aggregate balance (top 6):
Full breakdown, every output type, and the complete M-of-N distribution: UTXO repartition dashboard →
Aged exposure
Of the currently at-risk supply, how long has each address been exposed? Age = base block height minus first-reveal block height (the moment the address's pubkey first hit the chain). The 5+ year bucket is dominated by Satoshi-era P2PK and ancient address-reuse stragglers: coins that have been forensically reachable for the entire modern history of the network.
| Age bucket | Always-exposed (BTC) | Reuse-exposed (BTC) | Total BTC | % of at-risk | Share |
|---|---|---|---|---|---|
| 5+ years | 1,716,076.55 | 1,512,625.75 | 3,228,702.30 | 46.03% | |
| 1–5 years | 80,183.35 | 2,232,981.56 | 2,313,164.91 | 32.98% | |
| 30 days – 1 year | 115,379.17 | 1,272,432.47 | 1,387,811.63 | 19.79% | |
| < 30 days | 16,357.25 | 67,618.31 | 83,975.57 | 1.20% |
Weekly change since 2026-06-21
Week-over-week change, updated every Sunday.
Quantum exposure over time
Stacked weekly snapshots. Always-exposed is the floor (largely Satoshi-era P2PK that hasn't moved + the growing taproot supply); reuse-exposed sits on top and tracks address reuse across active addresses. The full series accumulates as Sunday walks complete.
What's actually at risk
A quantum computer with enough qubit-stability to run Shor's algorithm against secp256k1 could derive a private key from any publicly-visible pubkey. Bitcoin's hash-based address types (P2PKH, P2WPKH, P2SH, P2WSH) protect the pubkey behind a SHA256 + RIPEMD160 hash until you spend. Once you do, the pubkey is permanently in the witness data for anyone to harvest, and every subsequent UTXO at the same address is just as exposed as the moment of first spend.
P2PK and bare-multisig outputs (mostly pre-2013 coinbase and ancient fund-flows) carry the pubkey directly in the output script; they were always exposed. P2TR (taproot) outputs use the x-only pubkey as the address by design, also always exposed. Address reuse on hashed types is the largest single contributor; the Satoshi-era P2PK supply is the most symbolically significant.
Why our number is honest
Three measurements triangulate Bitcoin's quantum-exposed supply.
BIP-361
(Lopp et al.) reports over 34% as of March 2026 from
an analytic count.
Wicked Smart Bitcoin
independently confirms this empirically at 34.55%
(block 951,000, conservative on-chain parsing). We land at
35.0%,
a touch above Wicked because we measure at a more recent block height.
On P2SH and P2WSH spends we apply STRICT redeem-script
parsing: an address gets marked exposed only when the
actually-revealed redeem script contains a pubkey push followed by
OP_CHECKSIG/OP_CHECKSIGVERIFY, or contains
OP_CHECKMULTISIG/OP_CHECKMULTISIGVERIFY.
Timelock-only redeem scripts
(OP_CHECKLOCKTIMEVERIFY OP_DROP OP_TRUE), hash-preimage
scripts, and OP_RETURN-shaped wrappers don't leak pubkeys on spend
and are correctly excluded.
On P2SH and P2WSH the two on-chain measurements bound the truth: Wicked's conservative figure counts every revealed redeem script as exposed, while our strict figure counts only those that actually carry a pubkey. Two corrections brought our overall number into line with his. Methodology v1.1 added roughly 1.04M BTC of nested-segwit reuse (P2SH-wrapped P2WPKH and P2WSH), whose pubkey is revealed in the witness rather than in the scriptSig redeem our first parser inspected. Methodology v1.2 fixed a Y-parity key-matching bug that had been dropping about half of our uncompressed-key P2PK; we found it by diffing against Wicked's pipeline after he open-sourced it. The two counts now agree within block-height drift. Our strict P2SH/P2WSH treatment stays a floor by design, and both numbers are true under their respective parsing rules.
Methodology
- Source: our own bitcoind full node, queried via
getblockverbosity 3 (returns each input's prevout, scriptPubKey, and witness inline). - Registry: a chronological chain walk builds a master
revealed_addressesset keyed on address. Every input and every output in every block is inspected. - Exposure rules (mirrors BIP-361 threat enumeration):
- P2PK / bare multisig / P2TR: always exposed at output-create time.
- P2PKH / P2WPKH: reuse-exposed on first spend
(witness contains
<sig> <pubkey>). - P2SH / P2WSH: reuse-exposed on first spend iff the revealed redeem script contains a pubkey + CHECKSIG-family opcode.
- Aggregate: weekly UTXO-set walk via
dumptxoutset; each UTXO's value is summed into its exposure slice if the address appears inrevealed_addresses. - Companion measurement: Wicked Smart Bitcoin publishes an independent on-chain dashboard using BIP-361's conservative parsing rules; their figure tracks the upper bound, ours tracks the rigorous lower bound. The gap is the universe of P2SH/P2WSH spends whose revealed redeem scripts do not contain a pubkey-bearing opcode.
- References: BIP-361 (Lopp et al.), P2PKH on bitcoin.it, our top exposed addresses by current balance.
- Further reading: Quantum and Bitcoin, the rabbit hole on LearnBitcoin.com.