27.21% of XRPL accounts have never signed a transaction and have no public key exposed.
Ripple presented a roadmap in four phases with the aim of completing the post-quantum transition
An XRP Ledger validator known as Vet this month published a forensic analysis of the protocol’s quantum exposure, after scanning the entire history of its 7,810,364 accounts.
The results, reproducible through the public repository, indicate that 76.82 billion XRP are in accounts quantum exposedbut that the 96% of that volume belongs to active accounts with the ability to migrate.
Vet operates under a pseudonym, but its identity as a participant in the ecosystem is verifiable: it maintains an active validator registered on XRPScan under the domain xrp.vet, and its technical analyzes are regularly cited by specialized media.
According to the researcher, an account is quantum vulnerable if and only if it has ever signed a transactionwhich exposes your public key in the transaction history. Accounts that never issued a signed transaction do not have a visible public key and therefore do not represent an exploitable attack vector.
The analysis establishes an operational distinction between present risk and structural risk. Vet points out that only the 0.03% of the total currency is in dormant accounts with exposed and unrecoverable keys — those whose owners died, lost their keys or were permanently locked out of access. In contrast to Bitcoin, where Google Quantum AI estimates that a quantum computer could derive a private key in less than nine minutes and where about 6.9 million BTC have public keys visible on-chain, XRPL has a centralized key rotation mechanism that allows signing authority to be updated without moving funds or changing address.
The dilemma of sleeping funds
The most delicate finding of the analysis is not technical, but governance. vet suggests that the community must define what to do with the funds on accounts whose holders cannot complete the migration: allow a quantum attacker to take them over, or intervene collectively. The researcher describes it as the “litmus test” (or litmus test) of the social layer of any network in the face of the quantum threat, and warns that there is no technical answer that automatically resolves this dilemma.
In parallel to the debate generated by the analysis, Ripple presented on April 20 a roadmap in four phases to adapt the XRP Ledger to a post-quantum scenario, with the aim of completing the transition before 2028. The emergency phase includes the forced migration of accounts to quantum-resistant schemes through zero-knowledge proofs, in case “Q-Day” arrives earlier than expected. Engineer Denis Angell already deployed ML-DSA (CRYSTALS-Dilithium) signatures, the NIST-approved standard, on the AlphaNet testnet in December 2025, although the mainnet has not migrated.
Vet concludes that for an account to be truly secure and operational in a post-quantum environment, multi-signature setup with active key rotation is required. Single key rotation, he points out, only protects until the moment the funds need to be spent — at which point the key is exposed again.