Citi Says Bitcoin’s Quantum Risk Is Higher Than Ethereum’s—Because Coordination Moves Slower

Quantum advances could pressure Bitcoin before Ethereum. Citi flags governance inertia, exposed public keys, and a 2030–2032 Q‑Day window. Here’s what really matters now.

Because Bitcoin

May 19, 2026

Quantum computing is compressing the crypto risk timeline, and the conversation is shifting from math to management. The key issue isn’t which chain uses “better” cryptography today—it’s which community can pivot fast enough when the threat crystallizes.

Citi’s latest analysis argues Bitcoin is more exposed than Ethereum, and I agree for one reason: coordination speed. Bitcoin’s design ethos prizes stability and broad consensus. That credibility premium cuts the other way when rapid change becomes a safety requirement.

Here’s the technical pinch point. In Bitcoin, spending from an address reveals the public key to the network before the transaction is finalized. That creates a brief front‑run window where a sufficiently powerful quantum adversary could derive the private key and redirect funds. Recent Google research suggests a machine with roughly 500,000 reliable qubits could break the relevant cryptography in minutes. We’re not there yet, but “Q‑Day” estimates have tightened: some peg it around 2032, while others caution 2030 is plausible.

The soft spot isn’t just the mempool window; it’s the stock of targets. Roughly 6.7–7 million BTC sit in wallets with public keys already exposed, making them an immediate bullseye in a true quantum event. That pool likely includes about 1 million early coins attributed to Satoshi Nakamoto, still in vulnerable address formats—worth an estimated $82 billion at current prices. The economic gravity of those UTXOs would turn any migration into a social coordination test, not merely a code rollout.

Ethereum screens better here because its governance has historically shipped frequent protocol upgrades and can marshal validator coordination more flexibly. That said, it is not insulated: if a quantum attacker amasses private keys for roughly one‑third of staked assets, they could disrupt finality or operations. The difference is not immunity—it’s the likely response speed.

The path forward on Bitcoin is known but hard. A shift to post‑quantum signatures would require long lead times, exhaustive testing, and likely a contentious activation—precisely where Bitcoin’s conservative process slows. Proposals like BIP‑360 and BIP‑361 point in the right direction, but they need a social runbook attached: activation thresholds, wallet migration tooling, and incentives for moving funds out of exposed scripts ahead of time. Without that, the first credible quantum milestones will trigger a scramble—fee spikes, rushed key rotations, and ethically messy “white‑hat sweeps” competing with outright theft.

This is where psychology and business incentives intersect with protocol design. Exchanges, custodians, and wallet providers will anchor user behavior. If they pre‑commit to quantum‑safe defaults, staged migrations, and clear deadlines, the network’s social layer can absorb the shock. If everyone waits for proof the sky is falling, liquidity will bottleneck and the mempool will become a triage queue.

Two takeaways for practitioners:

- Treat adaptability as a risk‑adjusted asset. Ethereum’s cadence buys it optionality; Bitcoin must manufacture it via earlier consensus on an upgrade path.
- Reduce exposed‑key surface area now. Wallet hygiene, migration playbooks, and ready‑to‑ship PQ‑ready outputs should exist before the 2030–2032 window tightens further.
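To make the exposed-key surface measurable, the following Python example (added here, not taken from Citi's analysis or any BIP) buckets a wallet's UTXOs by when their public key becomes visible on-chain. It assumes the standard output-script templates, treats P2PK and Taproot outputs as carrying the key in the output itself (general Bitcoin knowledge, not stated in the article), and relies on a caller-supplied `already_spent_from` flag; the sample wallet is constructed filler data.

```python
# Added example: groups UTXOs by when their public key becomes visible on-chain.
KEY_IN_OUTPUT = {"p2pk", "p2tr"}  # the output script itself carries the key

def script_type(spk: bytes) -> str:
    """Match the standard scriptPubKey templates by length and opcodes."""
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        return "p2pk"      # <pubkey> OP_CHECKSIG
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[23:] == b"\x88\xac":
        return "p2pkh"     # OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[22] == 0x87:
        return "p2sh"      # OP_HASH160 <20> OP_EQUAL
    if n == 22 and spk[:2] == b"\x00\x14":
        return "p2wpkh"    # OP_0 <20-byte key hash>
    if n == 34 and spk[:2] == b"\x00\x20":
        return "p2wsh"     # OP_0 <32-byte script hash>
    if n == 34 and spk[:2] == b"\x51\x20":
        return "p2tr"      # OP_1 <32-byte x-only output key>
    return "unknown"

def exposure(spk_hex: str, already_spent_from: bool) -> str:
    """Return the bucket for one output script."""
    kind = script_type(bytes.fromhex(spk_hex))
    if kind == "unknown":
        return "review"            # non-standard script: inspect by hand
    if kind in KEY_IN_OUTPUT:
        return "at-rest"           # key readable from the UTXO set today
    # Hashed outputs hide the key until a spend reveals it; reuse undoes that.
    return "at-rest-reuse" if already_spent_from else "on-spend"

def audit(utxos):
    """utxos: iterable of (scriptPubKey hex, sats, already_spent_from)."""
    totals = {}
    for spk_hex, sats, reused in utxos:
        bucket = exposure(spk_hex, reused)
        totals[bucket] = totals.get(bucket, 0) + sats
    return totals

# Constructed sample wallet; key and hash bytes are filler, not real outputs.
SAMPLE = [
    ("21" + "02" + "11" * 32 + "ac", 5_000_000_000, False),   # P2PK
    ("76a914" + "22" * 20 + "88ac", 150_000, False),          # P2PKH, fresh
    ("76a914" + "33" * 20 + "88ac", 90_000, True),            # P2PKH, reused
    ("0014" + "44" * 20, 40_000, False),                      # P2WPKH, fresh
    ("5120" + "55" * 32, 700_000, False),                     # P2TR
]

if __name__ == "__main__":
    for bucket, sats in sorted(audit(SAMPLE).items()):
        print(f"{bucket:14} {sats:>13,} sat")
```

Funds in the `at-rest` and `at-rest-reuse` buckets are the exposed-key surface the second takeaway refers to; `on-spend` outputs are subject only to the mempool window described earlier.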

As Fireblocks’ Michael Shaulov put it recently, Bitcoin’s quantum challenge is mostly a coordination problem. The market will reward the chain that rehearses the upgrade—not the one that waits to improvise it.