On-Spend Attack (Quantum Front-Running)
What Is an On-Spend Attack?
An On-Spend Attack, also known as Quantum Front-Running, is a descriptive label for a hypothetical scenario involving advanced quantum computers. In many common Bitcoin output types, only a hash of the public key appears in the address, so the key itself is not visible while the funds sit unspent. For those output types, however, the public key is revealed to the network when the spending transaction is constructed and published, because miners and other nodes need it to verify the signature.
In this theoretical model, a quantum adversary would monitor the waiting area where transactions sit before being added to a block (the mempool). If the attacker possesses a future quantum computer capable of running Shor’s algorithm at scale, they could attempt to derive a private key from the revealed public key. This might allow them to create a competing transaction that sends the assets to their own address before the original is confirmed.
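The point above is that the exposure window depends on the output type: hash-based outputs reveal the key only in the spending transaction, while some other types carry a key on chain from the moment they are created. The following Python is an added illustration, not code from the original page or from any wallet project. It classifies standard scriptPubKey templates by when a public key becomes visible and extracts the key a spend reveals for the hash-based types (BIP-141 witness stack for P2WPKH, scriptSig pushes for P2PKH). All key, signature and hash bytes are constructed placeholders, not real values, and P2SH/P2WSH are reported as script-dependent because their exposure depends on the embedded script.

```python
"""Where does a Bitcoin public key become visible to the network?

Constructed illustration: the keys, signatures and hashes below are
placeholder bytes, not real values.
"""
from __future__ import annotations
from dataclasses import dataclass

# Script opcodes used by the standard templates
OP_0, OP_1, OP_DUP, OP_HASH160, OP_EQUAL, OP_EQUALVERIFY, OP_CHECKSIG = (
    0x00, 0x51, 0x76, 0xA9, 0x87, 0x88, 0xAC)


@dataclass(frozen=True)
class Exposure:
    script_type: str
    # "creation": a key is on chain from the moment the output is created
    # "spend": the key is hidden behind a hash until the spending tx is broadcast
    # "script-dependent": depends on the embedded redeem/witness script
    exposed_at: str


def classify_output(spk: bytes) -> Exposure:
    """Classify a scriptPubKey by when its public key becomes visible."""
    n = len(spk)
    if (n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 0x14])
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return Exposure("p2pkh", "spend")          # 20-byte HASH160(pubkey)
    if n == 22 and spk[:2] == bytes([OP_0, 0x14]):
        return Exposure("p2wpkh", "spend")         # witness v0, 20-byte program
    if n == 23 and spk[0] == OP_HASH160 and spk[1] == 0x14 and spk[-1] == OP_EQUAL:
        return Exposure("p2sh", "script-dependent")
    if n == 34 and spk[:2] == bytes([OP_0, 0x20]):
        return Exposure("p2wsh", "script-dependent")
    if n == 34 and spk[:2] == bytes([OP_1, 0x20]):
        return Exposure("p2tr", "creation")        # x-only output key is on chain
    if n in (35, 67) and spk[0] in (0x21, 0x41) and spk[-1] == OP_CHECKSIG:
        return Exposure("p2pk", "creation")        # raw pubkey in the output
    return Exposure("unknown", "script-dependent")


def pubkey_revealed_by_spend(spk: bytes, script_sig: bytes = b"",
                             witness: list[bytes] | None = None) -> bytes | None:
    """Return the public key a spend of `spk` newly reveals, or None."""
    kind = classify_output(spk)
    if kind.script_type == "p2wpkh":
        # BIP-141: the witness stack for P2WPKH is [signature, pubkey]
        if witness and len(witness) == 2:
            return witness[1]
    elif kind.script_type == "p2pkh":
        # scriptSig is <push sig> <push pubkey>; walk the direct pushes
        pushes, i = [], 0
        while i < len(script_sig):
            ln = script_sig[i]
            if not 1 <= ln <= 75:
                return None  # only direct pushes occur in a standard P2PKH scriptSig
            pushes.append(script_sig[i + 1:i + 1 + ln])
            i += 1 + ln
        if len(pushes) == 2:
            return pushes[1]
    return None


# Constructed placeholder values (not real keys, signatures or hashes)
FAKE_PUBKEY = bytes([0x02]) + bytes(range(1, 33))    # 33-byte compressed-key shape
FAKE_HASH160 = bytes(range(0xA0, 0xB4))               # 20 bytes
FAKE_SIG = bytes([0x30]) + bytes(70)                  # 71-byte DER-shaped placeholder

P2WPKH_SPK = bytes([OP_0, 0x14]) + FAKE_HASH160
P2PKH_SPK = bytes([OP_DUP, OP_HASH160, 0x14]) + FAKE_HASH160 + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
P2TR_SPK = bytes([OP_1, 0x20]) + bytes(32)
P2PK_SPK = bytes([0x21]) + FAKE_PUBKEY + bytes([OP_CHECKSIG])
P2PKH_SCRIPTSIG = bytes([len(FAKE_SIG)]) + FAKE_SIG + bytes([len(FAKE_PUBKEY)]) + FAKE_PUBKEY

if __name__ == "__main__":
    for name, spk in [("p2wpkh", P2WPKH_SPK), ("p2pkh", P2PKH_SPK),
                      ("p2tr", P2TR_SPK), ("p2pk", P2PK_SPK)]:
        print(name, classify_output(spk))
    print("p2wpkh spend reveals:", pubkey_revealed_by_spend(P2WPKH_SPK, witness=[FAKE_SIG, FAKE_PUBKEY]).hex())
    print("p2pkh spend reveals: ", pubkey_revealed_by_spend(P2PKH_SPK, script_sig=P2PKH_SCRIPTSIG).hex())
```

Run over a wallet's own UTXO set, a classifier like this tells an operator which coins are protected by a hash until spent and which already have a key on the ledger, which is the distinction the mitigation discussion below turns on.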
How Does an On-Spend Attack Work?
The theoretical danger of this attack lies in a race against time that occurs during the typical ten-minute Bitcoin block interval:
- A spending transaction is broadcast to the network. Depending on the script type, the public key becomes visible at this stage.
- A quantum attacker identifies the transaction in the mempool and attempts to derive the private key from the revealed public key. While current technology cannot do this, the threat model assumes a future where this becomes mathematically feasible.
- If successful, the attacker uses the derived private key to create a competing spend, attempting to redirect the funds to their own address before the original transaction is confirmed.
- Whether the attacker’s transaction is confirmed ahead of the original depends on mempool policy, fee levels, timing, and propagation speed. If it is confirmed first, the original transaction would be rejected as a double-spend, and the owner would lose the funds.
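The four steps above describe a race whose outcome depends on timing and fee policy. The Python below is an added toy model of that race, not code from the original page, written to make the dependencies explicit. Its assumptions are labelled in the code: block arrivals are treated as memoryless with a 600-second mean (so the chance that no block has landed after t seconds is exp(-t/600)), a conflicting spend is treated as replacing the original only when it pays a higher fee rate (a simplification of real replacement policy), and the attacker's key-derivation time is a free parameter with no claim about what value is realistic.

```python
"""Toy model of the mempool race between an original spend and a competing one.

Added illustration with labelled assumptions:
- block arrivals are memoryless (exponential inter-arrival) with a 600 s mean;
- a node keeps a conflicting unconfirmed spend only if it pays a strictly
  higher fee rate (a simplification of replacement policy);
- `derivation_seconds` is the time the hypothetical attacker needs to derive
  the key; it is a free parameter, not an estimate.
"""
import math
import random
from dataclasses import dataclass

MEAN_BLOCK_INTERVAL_S = 600.0  # typical Bitcoin block interval


def still_unconfirmed_probability(derivation_seconds: float,
                                  mean_interval: float = MEAN_BLOCK_INTERVAL_S) -> float:
    """P(no block has been found by the time the attacker is ready).

    With memoryless block arrivals, P(next block later than t) = exp(-t / mean).
    """
    if derivation_seconds < 0:
        raise ValueError("derivation time must be non-negative")
    return math.exp(-derivation_seconds / mean_interval)


@dataclass(frozen=True)
class Spend:
    owner: str
    outpoint: str        # the UTXO being spent; conflicting spends share it
    fee_rate: float      # sat/vB
    broadcast_at: float  # seconds after the original broadcast


def winner(original: Spend, competitor: Spend, block_found_at: float) -> str:
    """Return which spend confirms in the next block, under the assumptions above."""
    if original.outpoint != competitor.outpoint:
        raise ValueError("spends do not conflict")
    # Competitor arrives after the block: the original is already confirmed.
    if competitor.broadcast_at >= block_found_at:
        return original.owner
    # Competitor reached the mempool in time; replacement needs a higher fee rate.
    return competitor.owner if competitor.fee_rate > original.fee_rate else original.owner


def simulate(derivation_seconds: float, original_fee_rate: float,
             attacker_fee_rate: float, trials: int = 10_000, seed: int = 1) -> float:
    """Monte Carlo estimate of the attacker's win rate over random block times."""
    rng = random.Random(seed)
    original = Spend("owner", "constructed-txid:0", original_fee_rate, 0.0)
    competitor = Spend("attacker", "constructed-txid:0", attacker_fee_rate, derivation_seconds)
    wins = 0
    for _ in range(trials):
        block_at = rng.expovariate(1.0 / MEAN_BLOCK_INTERVAL_S)
        wins += winner(original, competitor, block_at) == "attacker"
    return wins / trials


if __name__ == "__main__":
    for t in (60, 300, 600, 1800):
        print(f"derivation {t:5d}s: P(still unconfirmed) = {still_unconfirmed_probability(t):.3f}, "
              f"simulated win rate (attacker outbids) = {simulate(t, 10, 20):.3f}")
    print("attacker underbids:", simulate(60, 10, 5))
```

Two defender-side observations fall out of the model: the attacker's odds decay exponentially with the time needed to derive the key, and even a fast attacker wins nothing in this model without outbidding the original, which is why fee level appears alongside timing in the list above.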
Security and Mitigation
The crypto ecosystem is actively researching and developing mitigations against these theoretical risks:
- Post-Quantum Cryptography (PQC): New standards like ML-DSA (formerly Dilithium) are designed to resist attacks by quantum computers. A crypto-agile system can adopt these signatures so that even if a public key is revealed, the corresponding private key remains computationally out of reach for a quantum computer.
- Reducing Long-Exposure Key Risk: Design patterns like BIP-360 (P2MR) remove the key-path spend, so the public key isn’t exposed on-chain during the unspent period. This reduces the long-exposure risk of keys sitting visible on the ledger, though it does not eliminate the short-exposure window that occurs when a spending transaction is broadcast.
- General Signing Hygiene: Using a hardware signer to verify transaction details before broadcasting remains good practice, though it addresses signing security rather than the quantum threat itself.
By combining hardware-backed security with evolving protocol standards, the ecosystem builds layers of defense-in-depth to improve resilience against both traditional and quantum-scale threats.