HACKER Q&A
📣 yonz

What happens to BTC/ETH if secp256k1 has a backdoor


I have been learning about ECDH and that the difficulty of the discrete logarithmic problem depends on the particular curve. The NSA story around Dual_EC_DRBG did not help. Since it's Abelian, if someone has hack x (P) = Q ... then the backdoor would be a 1/hack x (Q) = P.

Wikipedia: secp256k1 - "Its constants were selected in a predictable way, which significantly reduces the possibility that the curve's creator inserted any sort of backdoor into the curve."

So my question is what is the doomsday scenario? Wallets are set to hashes of Q (public key derived from P) so this should prevent anyone from having the Q of the ECDH to be able to back into the private key P? Is this accurate?


  👤 yonz Accepted Answer ✓
Update on this: the public key is visible after the first transaction is signed by a wallet, so the hash protection level is gone. After learning through the key pair generation and signing process, I have come to the conclusion that a backdoor would allow for an attacker to transfer everyone's money into a wallet by signing for all public keys.

The attacker wouldn't even need a 1/hack (Q) -> P; they would just need to be able to sign on behalf of P.