Hackers are increasingly targeting tokenization protocols for real-world assets (RWA), threatening the rising institutional interest in this emerging blockchain sector.
Tokenization of real-world assets involves minting financial and physical assets on a secure blockchain ledger, enhancing investor access and trading possibilities for these assets.
According to a report by the blockchain security firm CertiK, shared with Cointelegraph, RWA-specific exploits resulted in losses reaching $14.6 million in the first half of 2025.
This amount represents more than double the $6 million lost to RWA protocol exploits in 2024 and could exceed the $17.9 million lost in 2023.
CertiK indicated that these RWA exploits were characterized “entirely by onchain and operational failures,” reflecting a significant shift in the RWA threat landscape from 2023 to 2025.
Related: Tokenized stocks rise 220% in July, reminiscent of ‘early DeFi boom’
The uptick in malicious activities in this sector coincides with a more than 260% surge in the RWA market during the first half of 2025, exceeding $23 billion in total valuation by June 5, as reported by Cointelegraph.
Tokenized private credit has led the RWA market surge, holding approximately 58% of the market share, followed by tokenized U.S. Treasury debt at 34%, driven by “increased participation from major industry players,” as “regulatory frameworks become clearer,” according to a Binance Research report shared with Cointelegraph.
Related: $2.1B crypto stolen in 2025 as hackers shift focus from code to users: CertiK
RWA tokenization presents “hybrid” security risks due to offchain assets
RWA protocols introduce more intricate “hybrid” security challenges, as the value of an RWA token relies on offchain assets, broadening the attack surface beyond just smart contracts.
Each element of this five-layer security framework can present a potential vulnerability, according to CertiK’s report, which states:
“Key risks emerge from this interaction because offchain processes involve human actors, are subject to legal interpretation, and follow operational workflows.”
Risks include manipulations of oracles, custodial failures, issues with counterparty dependencies, “unenforceability of legal frameworks, and fraudulent proof of reserves attestations,” the report added.
The largest exploit among RWA protocols in 2025 was suffered by the RWA restaking protocol Zoth, which lost $8.5 million due to a “classic operational security failure”—a breached private key on March 21. In the same month, another attacker exploited a smart contract logic flaw, minting $385,000 worth of assets without adequate collateral.
Loopscale experienced the second-largest hack, amounting to $5.8 million on April 26, caused by blockchain oracle price manipulation. However, in a positive development, the protocol managed to recover $2.8 million of the stolen funds by April 29, according to Cointelegraph.
Magazine: TradFi is building Ethereum L2s to tokenize trillions in RWAs — Inside story
