@kaditang/quantum-exposure
v0.3.0
Published
Is your wallet quantum-exposed? Check whether an Ethereum, Bitcoin, or Solana address has already revealed its secp256k1 public key on-chain (harvest-now-decrypt-later), how much is at risk, and whether it's migratable in place. Free, zero-dep, public RPC
Maintainers
Readme
quantum-exposure
Is your wallet quantum-exposed? One command tells you whether your Ethereum, Bitcoin or Solana address has already revealed its public key on-chain — and is therefore a harvest-now, decrypt-later target for a future quantum computer.
npx @kaditang/quantum-exposure 0xYourAddress # Ethereum
npx @kaditang/quantum-exposure bc1p… # Bitcoin (Taproot, P2PKH, segwit…)
npx @kaditang/quantum-exposure <solana-address> # Solana (the address IS the pubkey)No install needed — or try the hosted page: 402sentinel.com/quantum.
⛔ 0xd8dA6BF26964aF9D7eEd9e03E53415D37aA96045
Public key EXPOSED — 5.6948 ETH at risk.
signals: exposed=true | outgoing_txs=5898 | balance=5.6948 ETH | at_risk=5.6948 ETH
→ Move funds to a FRESH address you have never spent from, single-use until PQC wallets ship.Why this matters
Ethereum signs with secp256k1 (ECDSA), which Shor's algorithm breaks on a large enough quantum computer. The catch specific to blockchains: the ledger is permanent and public, so harvest now, decrypt later is trivial. But your public key is hidden behind your address hash until the first time you SEND a transaction — the signature then reveals it forever.
So the single most important question for any address is: has its key been exposed yet, and how much is sitting behind it? That's what this checks.
What it reports
| decision | meaning |
| --- | --- |
| ✅ safe-for-now | Never spent → public key still hidden. Quantum-safer; keep it cold. |
| ⛔ exposed | Has spent + holds funds → key is public, funds harvestable. Migrate. |
| 🟡 exposed-empty | Key public but ~0 balance → nothing at risk now; don't reuse it. |
| 🔄 smart-account | Contract / no single EOA key → migratable in place via account abstraction. |
Handles EIP-7702 correctly: a delegated EOA still has an exposed secp256k1 key (it's not a contract), but it gains signature agility to delegate to a post-quantum verifier.
Use it in code
import { scan, scanAddress, scanBitcoin, classify } from "@kaditang/quantum-exposure";
await scan("0x…"); // auto-dispatches: Ethereum (0x…) vs Bitcoin
await scan("bc1p…"); // Bitcoin — Taproot, P2PKH, P2WPKH, P2SH, P2WSH
// or classify from your own data (no network):
classify({ outgoingTxs: 42, balanceEth: 3, code: "0x" });Ethereum (via a public RPC) — handles EIP-7702 delegated EOAs. Bitcoin (via mempool.space)
— Taproot (bc1p) outputs are exposed by design; other types expose the key only once spent from.
Solana (via a public RPC) — the address is a 32-byte Ed25519 public key, so a normal wallet
is exposed from creation (no "never-spent = safe" state); program-derived / token accounts have no
keypair. Set ETH_RPC / BTC_API / SOL_RPC to use your own nodes.
Not panic — planning
A cryptographically-relevant quantum computer is not imminent (current estimates put it around the end of the decade). This is a planning tool: know your exposure now, so migration is a choice and not a fire drill. Informational, not financial advice.
Built by the team behind 402Sentinel — on-chain risk gates for the agent economy.
