Key Highlights
- A widely shared claim says only 0.03% of the XRP supply is exposed to quantum attack risk.
- The number refers to a narrow set of dormant XRPL accounts with visible public keys.
- Most XRP may still face future risk unless users and the network migrate in time.
A figure making the rounds across crypto media this week claims that just 0.03% of the total XRP supply is exposed to quantum computing risk. The number originated from XRPL validator Vet, who shared an on-chain analysis on X.
This analysis was quickly picked up by Coingape, Crypto News Flash, MEXC, and several other outlets. On its face, the stat paints XRP as remarkably well-insulated from one of the most discussed long-term threats to blockchain security. But a closer look shows the claim is technically accurate under a very specific definition — and misleading under any broader one.
What the number actually measures
The 0.03% figure refers to dormant XRPL accounts whose public keys are already visible on-chain but whose owners are no longer active to defend them. According to the analysis, roughly 300,000 XRP accounts holding a combined 2.4 billion XRP have never transacted, meaning their public keys have never been revealed. Those accounts are considered resistant to quantum attacks because an attacker needs an exposed public key to derive the private key using Shor’s algorithm.
A separate review identified only two inactive accounts with visible public keys holding a notable combined balance — around 21 million XRP. That sliver of permanently exposed, unrecoverable supply is where the 0.03% comes from.
Why the framing is incomplete
The claim rests on a narrow definition of “at risk.” Any XRPL account that has ever signed a transaction has its public key permanently recorded on the ledger. That means the vast majority of circulating XRP — held in active wallets, exchange hot wallets, and institutional treasuries — technically has exposed public keys too. The argument for excluding them is that active users can rotate keys or move funds if a quantum threat materializes. XRPL supports protocol-level key rotation without changing wallet addresses, a feature Grayscale and Google Quantum AI researchers have both flagged as a genuine structural advantage over Bitcoin and Ethereum.
But “can rotate keys” is not the same as “is safe.” It assumes users are paying attention, that the quantum transition happens gradually, and that the network has time to coordinate upgrades before an attack becomes feasible. None of those assumptions are guaranteed.
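To make the definitional gap concrete, the following added example (not part of the validator's analysis or any XRPL tooling) buckets accounts by key exposure and reports the share of supply under both the narrow and the broad definition. The accounts, balances, timestamps and the dormancy cutoff are constructed assumptions; only the transaction field names (Account, SigningPubKey, Signers) are XRPL's.

```python
from collections import defaultdict

# Constructed sample data, not real ledger contents. Balances are in XRP.
BALANCES = {"rNeverUsed": 500, "rActiveUser": 300, "rDormantWhale": 150, "rCosigner": 50}

# Constructed transactions using XRPL field names (Account, SigningPubKey, Signers).
# "date" stands in for the ledger close time; the values are made up.
TXS = [
    {"Account": "rActiveUser", "SigningPubKey": "ED01", "date": 900},
    {"Account": "rDormantWhale", "SigningPubKey": "02AA", "date": 100},
    # Multi-signed: top-level SigningPubKey is empty, the keys sit in Signers.
    {"Account": "rActiveUser", "SigningPubKey": "", "date": 950,
     "Signers": [{"Signer": {"Account": "rCosigner", "SigningPubKey": "03BB"}}]},
]

def revealed_keys(txs):
    """Return (account -> set of revealed public keys, account -> last signing time).

    Simplification: does not tell a master key from a regular key.
    """
    keys, last = defaultdict(set), {}
    for tx in txs:
        signers = [(tx["Account"], tx["SigningPubKey"])] if tx["SigningPubKey"] else []
        signers += [(s["Signer"]["Account"], s["Signer"]["SigningPubKey"])
                    for s in tx.get("Signers", [])]
        for acct, pub in signers:
            keys[acct].add(pub)
            last[acct] = max(last.get(acct, 0), tx["date"])
    return keys, last

def exposure_report(balances, txs, dormant_before):
    """Bucket balances by exposure; dormant_before is an assumed cutoff time."""
    keys, last = revealed_keys(txs)
    buckets = {"never_signed": 0, "exposed_active": 0, "exposed_dormant": 0}
    for acct, bal in balances.items():
        if acct not in keys:
            buckets["never_signed"] += bal       # public key never revealed
        elif last[acct] < dormant_before:
            buckets["exposed_dormant"] += bal    # revealed, nobody left to rotate
        else:
            buckets["exposed_active"] += bal     # revealed, safety depends on rotation
    total = sum(balances.values())
    narrow = buckets["exposed_dormant"] / total
    broad = (buckets["exposed_dormant"] + buckets["exposed_active"]) / total
    return buckets, narrow, broad

if __name__ == "__main__":
    buckets, narrow, broad = exposure_report(BALANCES, TXS, dormant_before=500)
    print(buckets, f"narrow={narrow:.0%} broad={broad:.0%}")
```

The same ledger data yields two very different headline numbers depending on whether "at risk" means exposed and dormant or simply exposed.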
The caveat that keeps getting buried
The bigger issue, flagged in Google’s own recent research and echoed by Vet himself, is that key rotation alone may not be sufficient. Google’s findings suggested that a sufficiently powerful quantum computer could break elliptic curve cryptography in under nine minutes for some networks, raising the specter of “on-spend” attacks — where an attacker intercepts a transaction in the mempool, derives the private key from the newly exposed public key, and forges a replacement transaction before the network confirms the original. In that scenario, the ability to rotate keys after the fact offers no protection.
XRPL developers are aware of this. In December 2025, AlphaNet introduced CRYSTALS-Dilithium, now standardized as ML-DSA, adding quantum-resistant signatures for transactions, accounts, and consensus. A separate proposal for “single-use keys” — signing keys automatically discarded after one transaction — is also in developer discussion. But none of these features are live on mainnet yet. The XRPL main network still runs on ECDSA and Ed25519, the same elliptic-curve schemes that would fall to a mature quantum attacker.
The source question
It’s also worth noting where the 0.03% figure comes from. It’s not a peer-reviewed audit or an official Ripple or Grayscale report. It’s a validator’s analysis shared on X and then aggregated by crypto news sites, most of which reprint the same underlying tweet with minor rewording. The raw account numbers appear consistent and plausible, but the “0.03% at risk” framing is a characterization, not a formal risk metric.
The honest read
So is the claim true? The underlying data — 300,000 never-used accounts holding 2.4 billion XRP, two notable dormant exposed-key whales, roughly 0.03% of supply in the unrecoverable bucket — appears accurate. What’s misleading is the implicit suggestion that the other 99.97% is therefore safe. A more precise version of the claim would read: “0.03% of XRP supply sits in dormant accounts that cannot be defended if quantum computing matures. The rest depends on whether users, developers, and validators act in time.”
XRPL is genuinely ahead of most major blockchains on post-quantum preparation. Google’s research, Grayscale’s latest report, and the ongoing AlphaNet testing all support that view. But “ahead of the pack” is not the same as “quantum-safe,” and a 0.03% headline risks conflating the two.
For XRP holders, the practical takeaway hasn’t changed: the threat isn’t imminent, the mainnet isn’t quantum-resistant yet, and the path to migration — while clearer on XRPL than almost anywhere else — still depends on decisions that haven’t been made.
