Coinbase Flags Address Reuse as Core Bitcoin Vulnerability in Quantum Threat Report

Coinbase has published a quantum computing threat report identifying significant exposure risks for $BTC holders who reuse cryptocurrency addresses — a practice that leaves a wallet's public key exposed on-chain and potentially readable by a sufficiently powerful quantum computer. The report puts a named mechanism on a risk the industry has long discussed in the abstract.

Why Address Reuse Is the Specific Problem

When a Bitcoin address is used more than once, the public key associated with it becomes visible on the blockchain. Under current cryptographic assumptions, deriving the corresponding private key from a public key is computationally infeasible. Quantum computers, however, could run Shor's algorithm against elliptic-curve cryptography — the signature scheme underpinning Bitcoin — fast enough to reverse that relationship.

Addresses that have never spent funds expose only an address hash, not the public key itself, keeping them one layer further from direct quantum attack. Address reuse strips that buffer away. Coinbase's report, as characterized by Crowdfund Insider, frames the exposure as significant rather than theoretical.

Who Is Holding the Bag

The more pressing question is who actually sits behind reused addresses. Long-dormant wallets from Bitcoin's early years, exchange cold-storage addresses used repeatedly for operational convenience, and retail holders who never rotated addresses after spending are all candidates. Coinbase did not, based on available reporting, quantify exactly how much $BTC sits in reused-address wallets — but flagging it as a significant risk implies the exposure is not trivial.

What This Means for the Protocol

Bitcoin's base layer has no built-in migration mechanism to quantum-safe signature schemes. Any fix would require a coordinated soft or hard fork, a process that historically takes years to socialize, draft, and deploy. Coinbase's decision to publish a threat report — rather than quietly raise the issue in developer forums — applies pressure at the market layer, where institutional clients and retail holders alike can see the warning. Whether that pressure accelerates protocol-level work remains to be seen.