RWA protocol exploits total $14.6M in H1 2025, outpacing 2024


Blockchain security firm CertiK warns that protocols tokenizing real-world assets (RWAs) have become a growing target for attackers, with RWA-specific exploits costing projects $14.6 million during the first half of 2025.

That H1 2025 toll is more than double the roughly $6 million in RWA protocol losses recorded for the whole of 2024, and it approaches, but does not yet exceed, the $17.9 million seen in 2023.

RWA tokenization mints claims on tangible, off‑chain assets onto blockchains to broaden investor access and tradability. CertiK’s analysis says the current wave of incidents stems from a mixture of on‑chain failures and operational breakdowns, creating a different — and broader — threat profile than traditional smart‑contract attacks.

The RWA market itself expanded rapidly in early 2025, growing by roughly 260% in the first half of the year and topping an estimated $23 billion in aggregate valuation by early June, according to market research cited alongside CertiK’s report. Tokenized private credit and tokenized U.S. Treasury debt made up the majority of that growth.

CertiK highlights that RWA systems create “hybrid” security risks because token values ultimately represent claims on off‑chain assets and rely on human processes, legal arrangements and external counterparties. The resulting five‑layer stack, spanning custody, oracles, legal frameworks, operational workflows and on‑chain logic, means a single weak link can expose the whole construct.

Specific vulnerabilities the report flags include oracle manipulation, custodial or counterparty failures, ambiguous or unenforceable legal terms, and misleading or fraudulent proof‑of‑reserves statements. These weaknesses have been exploited in recent high‑profile incidents.

Two of the largest RWA losses in 2025 illustrate the risks. Restaking protocol Zoth lost about $8.5 million in March when a compromised private key led to a major operational failure, and a separate March incident exploited a contract logic flaw to mint roughly $385,000 of undercollateralized tokens. Loopscale suffered an approximately $5.8 million loss in April after an oracle price‑manipulation attack, though it later recovered around $2.8 million of the stolen funds.

As institutional interest and regulatory clarity push more traditional assets onto blockchains, CertiK’s findings suggest protocol teams, custodians and auditors must adopt stronger operational controls, more robust oracle solutions and clearer legal safeguards to reduce the enlarged attack surface that RWA tokenization creates.
