RWA安全报告

Executive Summary The tokenization of Real World Assets (RWAs) represents a significant evolution in financial markets,offering the potential to unlock value by bringing traditional assets on-chain. This convergence oftraditional finance (TradFi) and decentralized finance (DeFi) presents opportunities for improvedefficiency, transparency, and accessibility. This integration also introduces a complex securityparadigm that extends beyond familiar smart contract vulnerabilities. CertiK’s Skynet RWA Framework offers structured criteria to perform due diligence and review therisks associated with RWA protocols highlighted in this report. To illustrate these hybrid threats, thisreport introduces a five-layer security stack, providing a model for understanding risks from theunderlying physical asset to the on-chain smart contract. RWA Leaderboard Key Takeaways - RWA Tokenization Introduces Complex, Hybrid Security Risks Since an RWA token’s value is a claim on an off-chain asset, the attack surface expands beyond smartcontract code. It includes risks oforacle manipulation, custodial and counterparty failures, theunenforceability of legal frameworks, and fraudulentProof of Reserveattestations. - 2025 Losses Highlight Evolving Threat Landscape Direct losses from RWA-specific exploits reached$14.6 millionin H1 2025, following fluctuatingannual losses of$6 millionin 2024and$17.9 million in 2023. The evolution of the threat landscapeis more significant than the direct monetary losses. While earlier years were defined by off-chaincredit defaults, recent incidents show a shift toward on-chain and operational security failures. - TradFi-Backed Protocols Offer Stronger Security The highest-rated protocols in the Skynet RWA framework, such as those offered by entities likeBlackRockandFranklin Templeton, exhibit strong security postures by integrating institutional-gradecompliance, custody, and transparency. This trend highlights the importance of robust off-chain legaland trust frameworks in securing on-chain value. - RWA Growth Concentrates Risk on Select Chains and Protocols The sector's expansion is not evenly distributed and has concentrated both value and risk onto afew dominant blockchains and protocols. The majority of RWA value resides onselect blockchainecosystems, and within a handful of leading products. This concentration means the overall healthof the RWA market ishighly dependent on the security and operational integrityof these few keyplayers and their underlying chains. CertiK’s RWA Client Spotlight The 2025 Skynet RWA Security Report highlights that top-performing platforms have partnered withCertiK for rigorous security audits and reviews. Among these leaders are Ondo Finance, Paxos, andTether, all of whom rank in the top five on the RWA Leaderboard for their commitment to security andintegrity. Ondo Finance Ranks #3 on the leaderboard with a Security Score of 93.58 (AAA).Positions itself as a bridge for institutional-grade products to DeFi, offering tokens backedby short-term U.S. Treasuries and bank deposits. As an early RWA-dedicated platform, its flexible product design and institutionalpartnerships have attracted significant capital. Paxos (PAX Gold) Ranks #4 on the leaderboard with a Security Score of 93.25 (AAA).Issues a regulated physical gold token under New York oversight, with each tokenrepresenting one ounce of vaulted gold.PAXG is a leading example of tokenized gold, offering audited reserves and global liquidityfor a high-market-cap safe-haven asset. Tether (Tether Gold) Ranks #5 on the leaderboard with a Security Score of 92.36 (AA).Issues the XAUt token, with each representing one ounce of vaulted gold.Its robust adoption is fueled by rising demand for assets that can serve as a hedge againstinflation and geopolitical risk. The New RWA Security Paradigm The security framework for RWAs is defined by the interface between trust-minimized DeFi protocolsand trust-based traditional financial systems. Key risks emerge from this interaction because off-chain processes involve human actors, are subject to legal interpretation, and follow operationalworkflows. For instance, the value secured by an audited smart contract can be impacted if an off-chaincustodian becomes insolvent, a legal agreement is not upheld, or a data oracle transmits inaccurateinformation. This requires a comprehensive security assessment that evaluates the asset, legal, andoperational layers alongside the on-chain code. The RWA Security Stack: An Illustrative Model To conceptualize this expanded threat landscape, it is useful to understand RWA security as a five-layer stack. A failure at any single layer can compromise the integrity of the entire structure, leadingto financial loss for token holders. RWA Security Stack Layer 1: The Asset Layer. This foundational layer is the physical or financial asset itself. Risks at this layer arefundamental and predate tokenization. They include fraudulent prope