Web3 builders are dangerously complacent about quantum risks | Opinion

Web3 is hurtling toward a cliff edge and pretending the road ahead is straight. The industry’s working assumption that quantum computers are decades away from breaking crypto was shattered this year.

Warning one: Microsoft reveals its topological-qubit chip that finally solves the stability problem and puts fault-tolerant hardware on a visible timeline. Warning two: Google’s 105-qubit Willow processor shows an hour-long error-corrected operation, orders of magnitude better than 2024’s record. Warning three: Chinese researchers published peer-reviewed results on the 105-qubit Zuchongzhi 3.0 processor running an 83-qubit random-circuit sampling task. Usually, that would keep the world’s fastest classical supercomputer busy for an estimated 5.9 billion years, but this works out to roughly a million-fold advantage over previous quantum-speed records.

These are not science-fair stunts; they’re clear proof-points (and warnings) that Shor-scale machines that could crack elliptic curve and RSA keys are a ‘when’, not an ‘if’, inside this decade. Need more evidence? 

The United States National Institute of Standards and Technology (NIST)  has already finalized three post-quantum algorithms (Dilithium, Kyber, and SPHINCS+), and a White House directive now requires federal agencies to begin migrating to these new standards.

The tides are already turning, and the question of whether quantum will rewrite the rules of play is irrelevant. The real question is: Will web3 be able to rewrite itself before it’s too late?

Blockchain is a sitting duck

Enterprises can at least rotate keys and tuck away their past under post-quantum virtual private networks (VPNs)—blockchains cannot. Every elliptic curve digital signature algorithm (ECDSA)-signed transaction ever broadcast lives immortalized on a public ledger. 

Consider for a moment that a future adversary runs Shor’s algorithm at scale:

1. They can forge ownership of dormant coins, including roughly 30% of the Bitcoin (BTC) resting in addresses whose public keys are already exposed from the moment they make a transaction.
2. They can rewrite settlement history, replacing the signature on an old block and then reordering or stealing from the chain tip.
3. They can drain smart contract treasuries just by presenting valid post-dated signatures; no noise and no need to break the protocol.

The popular rebuttal that a blockchain can simply implement a hard fork to a quantum-safe curve later is a hopelessly naive statement and endeavor. A fork protects nothing that was signed yesterday, and a mass key-rotation is a user experience nightmare that will certainly strand both users and liquidity.

On top of this, less than one in 10 of the top 50 chains even mention quantum migration in their docs, and the recent Axis Intelligence report drives the cost of that neglect home. More than $2 trillion already sits on chains with zero quantum contingency, and a single Shor-scale strike could wipe up to $3 trillion overnight.

This kind of financial extinction-level event needs to be taken seriously with only a handful of years left on the clock. The complacency tax here will be a price that cannot be recouped.

It’s not all doom and gloom

The good news is that it’s possible to act now without ripping out consensus engines; no hard forks here. No protocol civil war is required to establish quantum resilience.

There’s already a roadmap in place: a peer-reviewed IEEE conference paper ‘Towards Building Quantum Resistant Blockchain’, which we co-authored with prominent blockchain and mathematics experts from the Department of Mathematics and Statistics at Mississippi State University. Presented at ICTCET 2023 in Cape Town, it’s already being piloted inside private GovTech networks, proving the framework works in production.

To start with, chains can begin quantum-shielding every new transaction today. Add hybrid signatures that keep the familiar elliptic curve, append a Dilithium signature, and let nodes verify both. With a single SDK upgrade, future transfers become immune to Shor-scale forgery and the clock starts working in the network’s favor rather than against it.

Next, and as frustrating as this can be for some, custody needs to get boring. Validator, bridge, and multisig keys belong in hardware that already implements the NIST lattice algorithms (or an equivalent encapsulation scheme). 

Nine-figure exploits nearly always begin with key theft, so common sense dictates that moving the crown jewels into post-quantum boxes removes that low-hanging fruit from malicious hands.

With new transactions protected and keys locked down, this should shrink the historical blast radius. Then, the housekeeping can begin. Using chain analytics can surface exposed pay-to-public-key (P2PK) output, reused addresses, and half-forgotten multisigs. To top it off, offering small incentives to users to transition their assets to post-quantum scripts, and suddenly, the risk of future losses is reduced to a minimum.

Dangerous complacency vs proactivity 

What will sink projects is the temptation to claim they are ‘quantum-ready’ without actually incorporating the code needed to thoroughly prepare for the future. The quantum-secure algorithms and solutions are already here, but implementing them is half the battle.

Quantum safety is now a foundational task that will only result in technical debt with compounding interest if left to handle at a later date. Post-quantum migration is a marathon, an event won by starting early and keeping steady, not sprinting the last mile to secure last place. 

Microsoft, Google, and the Chinese Academy have compressed the timeline, but NIST has handed over the toolset. The only missing ingredient is urgency. 

Chains that act in 2025 will own the security narrative needed to keep their decentralized applications alive after ‘Q-Day’, while chains that wait will spend the next bull market explaining why user funds vanished into a quantum black hole.

Web3 was born from the idea that trust lies in math, not intermediaries. Quantum computing is about to test that creed. But the good news is that the math can evolve; it must, but only if builders stop sleepwalking and start shipping. 

The window is now measured in years, not decades, but there’s still time to use it.

David Carvalho

David Carvalho is the founder, CEO, and Chief Scientist of Naoris Protocol, the world’s first decentralized security solution powered by a Post-Quantum Blockchain and Distributed AI, backed by Tim Draper and the Former Chief of Intelligence of NATO. With over 20 years of experience as a Global Chief Information Security Officer and ethical hacker, David has worked at both technical and C-suite levels in multi-billion-dollar organizations across Europe and the UK. He is a trusted advisor to nation states and critical infrastructures under NATO, focusing on cyber-war, cyber-terrorism, and cyber-espionage. A blockchain pioneer since 2013, David has contributed to innovations in PoS/PoW mining and next-gen cybersecurity. His work emphasizes risk mitigation, ethical wealth creation, and value-driven advancements in crypto, automation, and Distributed AI.