Bitcoin developers are debating a radical change in how the network would respond to a future quantum computing threat: Don’t freeze vulnerable coins unless someone proves the threat is real. But there is a catch: the proposal assumes that the attacker will reveal his ability to obtain a bounty instead of maximizing his profits through theft.
A proposal published this week by BitMEX Research describes a “canary” system that would trigger a network-wide restriction on legacy Bitcoin wallets only if a quantum-capable attacker demonstrates it on-chain, replacing previous plans to impose a pre-programmed freeze years in advance. At its core, the proposal is a “wait and react” strategy.
It works by placing a small number of bitcoins in a special address that only a quantum-capable attacker could unlock, with any spending from that address serving as public proof that the threat has arrived and automatically triggering a network-wide freeze of old wallets.
Bitcoin wallets rely on digital signature systems that are secure compared to classical computers but could be broken by advances in quantum computing, and a recent Google research paper lowered estimates of the resources needed, with some observers now pointing to the end of the decade as a potential risk window.
The approach is intended as an alternative to BIP-361, a controversial proposal that would impose the same restrictions over a fixed five-year time frame regardless of whether quantum computers are actually capable of attacking the Bitcoin blockchain. BIP-361 would phase out vulnerable addresses over several years before completely invalidating legacy signing systems, leaving any unmigrated coins permanently frozen.
Critics have called this result “authoritarian and confiscatory,” arguing that it undermines Bitcoin’s fundamental principle that control rests solely with private key holders.
On top of BitMEX’s detection mechanism is a financial incentive. Users could contribute bitcoins to the address, creating a bounty that would reward the first entity to publicly demonstrate a quantum attack rather than quietly emptying vulnerable wallets. Contributors would not need to permanently give up their funds, as the structure allows withdrawals at any time.
The proposal also introduces a “security window” designed to make stealth attacks more difficult. Vulnerable coins could still circulate, but the recipient would not be able to spend them for an extended period of time, potentially around a year. If the canary is triggered during this window, these coins will be retroactively frozen, increasing the risk for any attacker attempting to quietly mine funds.
There is a trap
The canary reduces the risk of prematurely disrupting users, but it relies on the uncomfortable gamble that the first entity capable of breaking Bitcoin would command a bounty rather than execute what could be the largest heist in the network’s history and walk away with millions of bitcoins.
This bet flies in the face of the kind of worst-case scenario that Bitcoin’s design has always tried to prevent, and the network has always shown little appetite for undoing such events after the fact. Ethereum’s response to the 2016 DAO hack, a hard fork that reversed the theft and split the network into Ethereum and Ethereum Classic, is the kind of protocol-level intervention that Bitcoin culture has long resisted.
If the gamble fails, Bitcoin risks the worst of both worlds: the catastrophe it was trying to avoid and the realization that a fixed-timetable defense would have stopped it.
