The once-hyped market for tokenized real-world assets (RWAs) is facing a new kind of stress test: hackers. A fresh report from blockchain security firm CertiK shows cybercriminals are shifting their focus to this fast-growing corner of crypto, exposing vulnerabilities at the core of RWA technology.
$14.6M Lost to RWA Hacks in Just Six Months
According to CertiK’s Skynet RWA Security Report, the sector lost $14.6 million to hacks and fraud between January and July 2025—nearly matching all the losses recorded in 2023.
The majority of RWAs sit on Ethereum and a handful of dominant protocols. This concentration, CertiK warns, raises systemic risk: a single major exploit could ripple through the entire $13.9 billion RWA market.
From Off-Chain Risks to On-Chain Attacks
RWA-linked crime has changed dramatically over the past two years. Early risks largely stemmed from off-chain defaults—think borrowers failing to repay tokenized loans.
Now, the threats are increasingly technical. CertiK notes that every major loss in 2025 has come from on-chain and operational failures, not traditional financial defaults.
“The first half of 2025 shows a complete shift: losses jumped to nearly $14.6 million, and were caused entirely by on-chain and operational failures,” CertiK wrote.
Why RWAs Are a Unique Target
The challenge for RWA projects is their hybrid nature. They connect traditional finance (TradFi) assets—such as gold, real estate, or U.S. Treasuries—with blockchain through oracles, which act as data bridges.
If an oracle is compromised, smart contracts can misprice or misrepresent the assets backing the token. That can cause the tokenized security to unravel, regardless of whether the underlying asset is rock solid.
Real estate-backed RWAs face another issue: illiquidity. Slow-moving markets make it easier for attackers to exploit oracle price feeds.
The Role of TradFi in Securing RWAs
Interestingly, CertiK doesn’t just recommend stronger smart contract security. It also highlights the importance of solid legal frameworks and institutional oversight. A poorly drafted agreement, the report warns, could render an entire RWA unenforceable after a hack.
This is where TradFi firms like BlackRock and JPMorgan come in. With decades of experience in compliance, custodianship, and risk management, traditional institutions are better equipped to handle these issues.
But there’s a problem: JPMorgan recently suggested that institutional interest in RWAs may be fading, which could leave crypto-native startups carrying the bulk of the market. Without robust security practices, that shift could make the sector even more vulnerable.
Outlook: Staying Ahead of the Threats
For now, CertiK’s report offers a roadmap. Stronger smart contract audits, reliable oracle designs, airtight legal contracts, and active TradFi involvement are all part of the solution.
RWAs may represent one of crypto’s most promising bridges to mainstream finance—but as the $14.6M in losses shows, they’re also one of the most tempting targets for hackers.
Until the sector proves it can outpace these attacks, RWA projects will remain on high alert.
