Bitcoin’s BIP-361 Freeze Proposal Divides Developers as Quantum Debate Reaches Breaking Point
A draft proposal to permanently freeze more than 5.6 million bitcoin sitting in quantum-vulnerable legacy addresses has fractured the Bitcoin developer community along lines that reveal fundamentally different theories of risk. BIP-361, co-authored by Casa CTO Jameson Lopp and five other researchers, would give holders roughly five years after activation to migrate their coins or lose them forever. Within twenty-four hours of the proposal surfacing on GitHub, three distinct counter-arguments had emerged from Blockstream’s Adam Back, BitMEX Research, and Cardano founder Charles Hoskinson, each dismantling a different piece of the proposal’s logic.
What BIP-361 Actually Proposes
The mechanics of BIP-361 follow a three-phase escalation. Phase A, arriving approximately three years after activation, would prohibit new transactions from sending funds to legacy address types, forcing wallets and exchanges to adopt quantum-resistant formats. Phase B, two years later, would invalidate all legacy signatures at the consensus level, rendering any unmigrated coin permanently unspendable. A speculative Phase C, still under active research and carrying no confirmed timeline, would allow holders to prove ownership of frozen funds through zero-knowledge proofs tied to seed phrases, without exposing private keys. The proposal’s authors are explicit that Phase C is not guaranteed.
The technical case rests on a well-documented vulnerability. Older address types, specifically pay-to-public-key outputs and reused pay-to-public-key-hash addresses, expose public keys directly on-chain. Shor’s algorithm, running on a sufficiently powerful quantum computer, could in theory derive the corresponding private key from that public key. The proposal estimates that more than one-third of all bitcoin in circulation falls into this exposed category, including early holdings widely attributed to Satoshi Nakamoto. Lopp’s argument, as reported by CoinDesk, is that dormant coins carrying that exposure represent a systemic risk: better to freeze 5.6 million BTC than allow a quantum-capable attacker to seize them and destabilise the network.
The proposal also builds on earlier work. BIP-360, introduced in February, proposed a soft fork to create a new output type called Pay-to-Merkle-Root, which removes the original key path that makes public keys visible. BIP-361 is the enforcement layer on top of that foundation, providing the deadline mechanism that BIP-360 deliberately left open. At time of writing, Bitcoin’s network shows 470,280 active addresses over the prior twenty-four hours against a hash rate of 863.5 EH/s, figures that reflect a functioning and well-secured network under current classical computing conditions. The concern is what those conditions look like in five to eight years.
The Canary Fund: BitMEX Research’s Counter-Proposal
BitMEX Research published its alternative on Thursday, and the philosophical gap between the two proposals is wider than a technical disagreement. Where BIP-361 sets a fixed deadline regardless of whether a quantum threat ever materialises, the BitMEX canary approach would trigger a freeze only after an attack is proven to have occurred. The mechanism uses a special Bitcoin address constructed with a “Nothing-Up-My-Sleeve Number,” a cryptographic design in which the private key is genuinely unknown but the address is valid and theoretically spendable by any computer powerful enough to run Shor’s algorithm at scale. That address holds a bounty. If funds move out of it, the network has proof that a cryptographically relevant quantum computer exists and the freeze activates automatically.
BitMEX Research argued, as quoted by Cointelegraph, that “it may be appropriate to attempt to mitigate the extent of the freeze as much as possible, even at the cost of greater complexity.” The canary system reframes the entire problem: instead of asking holders to migrate on a speculative timeline, it waits for empirical evidence of a threat and then reacts. The appeal of this approach is that it avoids punishing holders of legacy coins for a threat that may never arrive within any operationally relevant timeframe. The risk, which BitMEX acknowledges, is that the canary triggers after an attacker has already begun draining addresses, meaning the freeze would come as a response rather than a prevention.
CoinDesk framed this accurately as a bet that a quantum attacker will “play nice” by first testing the canary rather than attacking high-value targets directly. That framing is deliberately provocative, but it isolates the genuine weakness of the reactive model. A sophisticated state-level actor with a functioning cryptographically relevant quantum computer has no obligation to target the canary first. The bounty would need to be large enough to constitute a genuine incentive relative to the value of exposed Bitcoin holdings, and that calculation becomes harder to make as Bitcoin’s price rises.
Adam Back’s Third Path and the Hoskinson Challenge
Blockstream CEO Adam Back, speaking at Paris Blockchain Week on Tuesday and engaging on X throughout the week, rejected both the forced freeze and the reactive model in favour of optional, pre-built upgrades. His position, as reported by Cointelegraph, is that “the safest approach is to build optional upgrades that would allow Bitcoin to migrate to quantum-resistant cryptography once it’s needed.” Back was also explicit about his assessment of the current threat: “Quantum computing still has a lot to prove. Current systems are essentially lab experiments. I’ve followed the field for over 25 years, and progress has been incremental.” He simultaneously pushed back against critics who he characterised as financially motivated, stating that “mostly people with investments in PQ startups and stocks are those falsely claiming Bitcoin is doing nothing.”
That dismissal brought a direct challenge from Charles Hoskinson. The Cardano founder focused his critique on the structural problem that neither Back nor the BIP-361 authors had fully resolved: legacy coins. Hoskinson pointed specifically to early pay-to-public-key and reused P2PKH addresses where public keys are already visible on-chain, and asked how developers would secure those coins without a hard fork. He wrote on X: “Not sure how you address the legacy coins without a hard fork.” He added: “But best of luck. We are all watching.” Back did not directly address the hard fork scenario in his initial response, according to Blockonomi’s coverage, instead reiterating that practical quantum threats remain distant. The evasion was notable, because Hoskinson’s point is technically sound. A soft fork can restrict what the network accepts going forward; it cannot retroactively hide public keys that are already recorded on an immutable ledger.
Cardano’s ADA was trading at $0.25, up 4.85% over the prior twenty-four hours at time of writing, a modest gain that likely reflects general market sentiment more than any direct halo from Hoskinson’s public positioning. The observation is worth making nonetheless: the quantum debate is providing Cardano and its founder with a platform to question Bitcoin’s governance, and Hoskinson is using it precisely as a competitive argument rather than a purely technical one.
Tron’s First-Mover Claim Deserves Scrutiny
While the Bitcoin debate was developing, Tron founder Justin Sun used the moment to announce that Tron would become “the first mainstream public chain to deploy NIST-standard post-quantum signature schemes on its mainnet.” Sun’s framing was pointed: “When Bitcoin was still debating whether to freeze quantum-vulnerable addresses, and Ethereum was still forming research committees, Tron was already taking action.” TRX was trading near $0.3257, up 0.7% over twenty-four hours at time of writing, as Sun’s announcement circulated.
The announcement deserves measured scrutiny rather than immediate acceptance. Tron’s post-quantum upgrade plan is precisely that: a plan. Roadmap details remain pending, according to Bitcoin.com News, and the technical challenges are non-trivial. NIST-standard post-quantum signature schemes carry signature sizes roughly ten times larger than current elliptic curve signatures, which would place meaningful strain on Tron’s throughput. Tron hosts more than $80 billion in stablecoins, primarily USDT, and around $5 billion in total value locked, which creates genuine security incentives for the upgrade. But hosting large stablecoin volumes also means that any performance degradation from oversized signatures carries real operational costs. Sun’s first-mover framing is marketing before it is engineering, and the industry should treat it as such until deployment evidence arrives.
The broader competitive dynamic is real even if Sun’s specific claims are premature. post-quantum cryptography moved from theoretical concern to active product strategy among multiple networks earlier this month, with Circle publishing a four-phase roadmap and Solana conducting its own tests. Bitcoin’s internal dispute over methodology is unfolding in full public view while competitors position themselves as already having chosen a direction.
Evaluating the Three Competing Models
Three distinct approaches now sit on the table. BIP-361 imposes a fixed deadline and accepts the collateral damage of freezing coins whose owners may be unreachable, deceased, or simply inattentive. The BitMEX canary system waits for proof of attack before acting, accepting the risk that the proof arrives too late to protect all vulnerable holdings. Adam Back’s optional upgrade path asks holders to act voluntarily without any enforcement mechanism, accepting the risk that a significant share of the exposed 34% of supply simply never migrates.
The case for BIP-361 is the strongest of the three, and the reasoning is straightforward. The optional upgrade model has a demonstrated failure mode: optional security upgrades across large, decentralised user bases consistently achieve incomplete adoption. Bitcoin’s own history with SegWit adoption illustrates this pattern. The canary model’s failure mode is more acute: it is a reactive system designed to handle a threat that, by its nature, rewards the attacker who moves fastest. As Google’s recent quantum research reduced estimated qubit requirements by roughly twenty times, the timeline to a cryptographically relevant machine compressed faster than most models had assumed. A reactive tripwire system calibrated to a slower threat trajectory may simply not have enough reaction time built in.
BIP-361 is not without serious problems. Hoskinson’s hard fork observation remains unanswered. Soft fork mechanics can prohibit spending from vulnerable addresses, but they cannot erase public keys already sitting on-chain, and a sufficiently advanced quantum computer does not need to broadcast a transaction to the Bitcoin network to derive a private key from a visible public key. The attacker’s work happens off-chain. The freeze prevents the attacker from spending the stolen key on-chain, which is meaningful, but it also permanently destroys the holdings of any legitimate owner who missed the migration window without any verifiable quantum threat ever having materialised. That is a property rights argument that Bitcoin’s community will not easily dismiss.
Who Gains, Who Loses, and What Follows
The parties who benefit most from BIP-361’s eventual adoption, if it proceeds, are institutional holders and exchanges who have the infrastructure to run organised migration campaigns and the legal incentive to document compliance. They will complete the migration well inside the five-year window. The parties who lose most are retail holders with coins in old wallets they may have forgotten, heirs of early Bitcoin adopters who never documented their holdings, and anyone whose coins sit in a pay-to-public-key output from the network’s earliest years. That last category overlaps substantially with coins attributed to Satoshi Nakamoto, and the political symbolism of freezing Satoshi’s coins is not a detail the community will treat as incidental.
BitMEX Research’s canary proposal will likely attract support from developers who distrust fixed deadlines and from libertarian-leaning community members who resist any mechanism that can render coins unspendable by protocol rule rather than by owner choice. That coalition is large enough to block BIP-361’s activation if it holds together. The result is that the debate will extend well beyond the current week, probably into a multi-year standards process, during which the actual quantum threat timeline will continue to compress. With 104,704 blocks remaining until the next halving at time of writing, Bitcoin’s attention and development resources will be pulled in multiple directions simultaneously, and BIP-361 will compete for activation energy against other pending protocol work.
The evidence points toward a prolonged standoff rather than a near-term resolution. BIP-361 has identified a genuine and quantifiable risk, constructed a plausible enforcement mechanism, and given the community a concrete proposal to argue about. That is more than the opposing camps have done. The canary model is clever but reactive, the optional upgrade model is voluntary and historically ineffective, and the critics raising hard fork objections have not yet published their own drafts. Until one of those camps produces a counter-proposal with the same specificity as BIP-361, Lopp’s framework remains the most complete answer on the table, even if it is not yet the right one.
