April 17, 2026

What Could Go Wrong: The Risks of Investing in Tokenized RWAs

canton ethereum DeFi real-world-assets risk smart-contracts bridge institutional series/rwa-series

The RWA tokenization narrative is compelling. 24/7 trading. Faster settlement. Programmable compliance. Privacy. Access to DeFi liquidity. Lower minimums. All true. All real.

This is the third article in a three-part series. Article 1: Canton Is Not a Blockchain - Here’s Why That Matters for RWAs · Article 2: How Tokenized RWAs Connect to DeFi

But every new asset class comes with a risk profile that does not always surface in the marketing materials. If you are an institutional investor, or an advisor to one, evaluating tokenized RWA products, here are the risks that deserve serious scrutiny before you sign anything.

Smart Contract Risk

This is the risk that gets the most attention and the least understanding.

Smart contracts are code. Code has bugs. When those bugs are in a $500M lending protocol, the cost is real and immediate. This is not theoretical. DeFi protocols have lost billions to exploits rooted in smart contract vulnerabilities. The categories include reentrancy bugs, oracle manipulation, and logic errors in liquidation engines.

Tokenized RWA protocols are DeFi protocols. They have smart contracts. They carry the same class of risk, compounded by the fact that they also interface with off-chain asset custody. Onyx by J.P. Morgan, Aave’s GHO stablecoin, and Compound’s RWA markets have all been audited extensively and still required emergency parameter changes or pause functions within months of launch.

The question is not whether a protocol has been audited. The question is whether the auditor found the categories of bugs that actually get exploited. Most audits are point-in-time. Most exploits come from interactions between contracts that were not tested together.

What to do: Ask for the audit reports. Read the finding summaries, not just the executive summary. Ask whether the protocol has a bug bounty. Ask what the pause mechanism is and who controls it. Understand that audited does not equal safe.

Bridge and Cross-Chain Risk

If the RWA strategy involves moving assets across chains, for example, using a tokenized Treasury on Canton as margin to mint a stablecoin that bridges to Ethereum, there is a bridge in the middle.

Bridges are the most exploited infrastructure in crypto. Ronin ($625M), Wormhole ($320M), Nomad ($190M), Harmony ($100M). The pattern is consistent: a bridge contract has a vulnerability, an attacker finds it, and the bridge drains. Every bridge is a target because every bridge holds assets from multiple chains in a single contract.

The risk is asymmetric. A bridge can work correctly for years and then lose everything in a single night. The returns from bridging rarely compensate for the downside risk of a catastrophic failure.

What to do: Understand exactly which bridges are in the flow. Prefer bridges with verified proofs, multi-sig governance, and time delays on large withdrawals. Treat any strategy that requires bridging with the same counterparty risk sensitivity you’d apply to any other high-risk infrastructure.
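The controls recommended above (multi-sig governance and time delays on large withdrawals) are easier to evaluate once you see how they change a bridge's failure mode. The following is an added illustration, not code from any bridge mentioned in this article: a withdrawal policy layer in which small withdrawals execute immediately, while anything above a threshold must collect M-of-N guardian approvals and sit in a delay window during which any guardian can cancel. The guardian names, threshold and delay are constructed placeholders. The point it demonstrates is that a proof-verification bug alone is no longer enough to drain the contract in a single night; a large withdrawal becomes a visible, cancellable event.

```python
from dataclasses import dataclass, field

@dataclass
class Withdrawal:
    wid: int
    to: str
    amount: int
    requested_at: int          # unix seconds when the request was queued
    approvals: set = field(default_factory=set)
    cancelled: bool = False
    executed: bool = False

class BridgeWithdrawalGuard:
    """Policy layer sitting between proof verification and asset release.
    Assumed design (not any specific bridge's): withdrawals at or above
    `large_amount` need `threshold` of `guardians` to approve and must wait
    `delay` seconds; any guardian may cancel during that window."""

    def __init__(self, guardians, threshold, large_amount, delay):
        assert 0 < threshold <= len(guardians)
        self.guardians = set(guardians)
        self.threshold = threshold
        self.large_amount = large_amount
        self.delay = delay
        self.queue = {}
        self._next_id = 1

    def request(self, to, amount, now):
        # Called only after the bridge has already verified the cross-chain proof.
        w = Withdrawal(self._next_id, to, amount, now)
        self.queue[w.wid] = w
        self._next_id += 1
        return w.wid

    def approve(self, wid, guardian):
        if guardian not in self.guardians:
            return "not_a_guardian"
        self.queue[wid].approvals.add(guardian)
        return "approved"

    def cancel(self, wid, guardian):
        if guardian not in self.guardians:
            return "not_a_guardian"
        self.queue[wid].cancelled = True
        return "cancelled"

    def execute(self, wid, now):
        """Attempt release; returns a status string so callers (and tests) can see why it was refused."""
        w = self.queue[wid]
        if w.cancelled:
            return "cancelled"
        if w.executed:
            return "already_executed"
        if w.amount >= self.large_amount:
            if len(w.approvals) < self.threshold:
                return "insufficient_approvals"
            if now < w.requested_at + self.delay:
                return "delay_not_elapsed"
        w.executed = True
        return "executed"

def demo():
    """Walk a small and a large withdrawal through the guard with constructed values."""
    guard = BridgeWithdrawalGuard(guardians=["g1", "g2", "g3"], threshold=2,
                                  large_amount=1_000_000, delay=24 * 3600)
    t0 = 1_700_000_000
    small = guard.request("0xUSER", 500, t0)
    large = guard.request("0xATTACKER", 50_000_000, t0)   # constructed: a would-be drain
    results = {
        "small_immediate": guard.execute(small, t0),
        "large_no_approvals": guard.execute(large, t0 + 2 * 24 * 3600),
    }
    guard.approve(large, "g1")
    guard.approve(large, "g2")
    results["large_before_delay"] = guard.execute(large, t0 + 3600)
    guard.cancel(large, "g3")                             # a guardian spots the request and cancels
    results["large_after_cancel"] = guard.execute(large, t0 + 2 * 24 * 3600)
    return results

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

In a real deployment the delay is what gives monitoring and guardians time to act; a guard whose guardians are a single team's hot keys, or whose delay is minutes, offers much less than the labels "multi-sig" and "timelock" suggest, which is why the article tells you to ask who controls these mechanisms.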

Custodial and Asset Recovery Risk

Tokenization creates a digital representation of an off-chain asset. The off-chain asset still needs to be held somewhere, by a custodian, a trustee, or the issuer itself.

This creates a custodial dependency that does not exist in native crypto assets. If you hold ETH, the blockchain is the ledger. If you hold a tokenized U.S. Treasury, there is a custodian holding the actual bond, and the token is a claim on that custodian’s books. If the custodian goes bankrupt, enters administration, or has internal record-keeping failures, the token may or may not be enforceable against the custodian’s estate. The legal framework for tokenized asset custody in a default scenario is still largely untested in most jurisdictions.

What to do: Ask who the custodian is. Ask what the legal documentation says about ownership in a default scenario. Ask whether the custodian’s obligations are dischargeable in bankruptcy. Check whether the tokenization platform has a regulatory license or structured its legal wrapper in a way that provides investor protections.

Regulatory and Classification Risk

The regulatory status of tokenized RWAs varies significantly by jurisdiction and asset type, and it is still evolving.

In the U.S., the SEC’s treatment of digital asset securities remains contested despite recent guidance. In Europe, MiCAR provides a clearer framework but is still bedding down. In Asia, the regulatory treatment ranges from permissive (Singapore) to restrictive. A tokenized bond issued in one jurisdiction may not have the same legal status in another.

This creates pricing risk, transferability risk, and liquidity risk that are directly tied to regulatory classification. A fund that buys tokenized credit as a “miscellaneous” asset class may find it reclassified as a crypto asset under new rules, triggering compliance obligations or forced liquidation.

What to do: Understand the legal wrapper of the specific product. Get external legal counsel that specializes in digital assets in the relevant jurisdictions, not just the issuer’s counsel. The cost of that opinion is small relative to the position.

Liquidity Risk in Practice

The promise of tokenization includes 24/7 trading and faster settlement. This is real, but it is not the same as deep, reliable liquidity.

Secondary markets for tokenized RWAs are still thin. Most tokenized credit is held to maturity by buy-and-hold investors. The intraday liquidity you see on a tokenized product’s platform is often supported by the market maker’s willingness to quote, which can evaporate in stressed market conditions, just as it did for money market funds in 2022.

The on-chain liquidity available in DeFi for stablecoins and liquid tokenized credit is not the same as the liquidity available for illiquid RWA positions held to maturity. In a stressed scenario, the DeFi liquidity is real only for the liquid parts of the position.

What to do: Model the liquidity of the position under a stress scenario, not just normal conditions. Understand the redemption process. Understand who the market maker is and what their obligations are.

AML/KYC Contamination Risk

This is the risk that doesn’t appear in any protocol’s marketing materials.

If you provide liquidity to a DeFi pool such as a lending market, a stablecoin liquidity pool, or a yield strategy, you are pooling your capital with every other participant in that protocol. You do not control who else is in the pool. You cannot vet their wallets, their counterparty history, or their jurisdictional origin.

If a sanctioned entity, a wallet linked to a money laundering operation, or a party in a jurisdiction under enhanced OFAC scrutiny interacts with the same pool you are providing liquidity to, your position can become contaminated by proximity. On-chain analytics firms like Chainalysis, Elliptic, and TRM Labs flag wallet clusters that interact with flagged addresses. A liquidity provider in a contaminated pool can receive tainted tokens, tokens that have passed through wallets tied to bad actors, and find themselves unable to deposit those tokens into regulated products, unable to bridge them to compliant platforms, or subject to compliance review from their own legal and compliance teams.

This is not a theoretical scenario. It has happened to institutional participants in Ethereum DeFi. A treasury or fund manager providing stablecoin liquidity to a Curve pool found their LP tokens flagged by the exchange they were trying to use. The reason: a known bad actor had interacted with that pool in the prior 72 hours, and the exchange’s AML system attributed tainted provenance to all recent pool participants.

The risk is asymmetric. You can be completely compliant, conduct full KYC on your own operations, and still end up with a contaminated position through no fault of your own.

What to do: Understand the provenance of any tokens you receive from DeFi interactions. Use protocols with built-in OFAC screening and transaction filtering. If you are operating under a regulatory license, treat any tokens received from a DeFi pool as potentially contaminated until you can verify their on-chain provenance. Consider using institutional-only DeFi infrastructure that restricts participation to KYC’d wallets. This limits composability but dramatically reduces contamination risk.
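The distinction that matters in the Curve incident described above is between tokens whose provenance actually passes through a flagged wallet and positions that are flagged merely because a bad actor touched the same pool inside the lookback window. The following added example (not code from Chainalysis, Elliptic, TRM Labs or any exchange) models both checks over constructed transfer records, using the 72-hour window the article cites and placeholder addresses. It is the kind of pre-deposit screen a compliance team can run on tokens received from a DeFi pool before sending them to a regulated venue.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    ts: int      # unix timestamp (seconds)
    src: str     # sending address
    dst: str     # receiving address

WINDOW = 72 * 3600  # 72-hour lookback, matching the incident described in the article

def inbound_index(transfers):
    """Map each address to the transfers it received."""
    idx = defaultdict(list)
    for t in transfers:
        idx[t.dst].append(t)
    return idx

def direct_taint_hops(transfers, receipt, flagged, max_hops=4):
    """Breadth-first walk backwards from the transfer that delivered tokens to us,
    following only earlier transfers inside WINDOW. Returns the hop count to the
    nearest flagged sender, or None if our tokens' path never touches one."""
    idx = inbound_index(transfers)
    cutoff = receipt.ts - WINDOW
    queue = deque([(receipt, 1)])
    seen = {receipt}
    while queue:
        t, hops = queue.popleft()
        if t.src in flagged:
            return hops
        if hops >= max_hops:
            continue
        for prev in idx[t.src]:
            if prev not in seen and cutoff <= prev.ts <= t.ts:
                seen.add(prev)
                queue.append((prev, hops + 1))
    return None

def proximity_exposure(transfers, pool, receipt_ts, flagged):
    """Flagged addresses that transacted with the pool, in either direction,
    during the window. This is the 'guilt by proximity' heuristic that can
    flag a fully compliant LP."""
    cutoff = receipt_ts - WINDOW
    hits = set()
    for t in transfers:
        if not (cutoff <= t.ts <= receipt_ts):
            continue
        if t.dst == pool and t.src in flagged:
            hits.add(t.src)
        if t.src == pool and t.dst in flagged:
            hits.add(t.dst)
    return sorted(hits)

def screen_receipt(transfers, pool, receipt, flagged):
    """Decide whether tokens received from `pool` should be held pending review."""
    hops = direct_taint_hops(transfers, receipt, flagged)
    prox = proximity_exposure(transfers, pool, receipt.ts, flagged)
    return {"direct_hops": hops, "proximity": prox, "hold": hops is not None or bool(prox)}

# Constructed placeholder addresses and timestamps; not real on-chain data.
POOL, US, ALICE, BAD = "0xPOOL", "0xUS", "0xALICE", "0xBAD"
FLAGGED = {BAD}
T0 = 1_700_000_000

# Case 1: a flagged wallet deposited into the pool 10 hours before our LP tokens arrived.
TAINTED_CASE = [
    Transfer(T0 - 10 * 3600, BAD, POOL),
    Transfer(T0 - 5 * 3600, ALICE, POOL),
    Transfer(T0, POOL, US),
]
# Case 2: same flagged deposit, but 100 hours old, i.e. outside the lookback window.
CLEAN_CASE = [
    Transfer(T0 - 100 * 3600, BAD, POOL),
    Transfer(T0 - 5 * 3600, ALICE, POOL),
    Transfer(T0, POOL, US),
]
# Case 3: the flagged wallet only withdrew from the pool, so our tokens never passed
# through it, yet a proximity-based screen still flags us.
PROXIMITY_ONLY_CASE = [
    Transfer(T0 - 10 * 3600, POOL, BAD),
    Transfer(T0 - 5 * 3600, ALICE, POOL),
    Transfer(T0, POOL, US),
]

if __name__ == "__main__":
    for name, case in [("tainted", TAINTED_CASE), ("clean", CLEAN_CASE),
                       ("proximity_only", PROXIMITY_ONLY_CASE)]:
        print(name, screen_receipt(case, POOL, case[-1], FLAGGED))
```

Case 3 is the one the article warns about: the direct-provenance check is clean, yet the proximity check still produces a hold, which is exactly what an exchange's AML system did to the fund in the example. Knowing which of the two checks fired tells you whether you are arguing about facts (your tokens did pass through a flagged wallet) or about the screening heuristic (they did not, but the pool was shared).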

Concentration and Platform Risk

Most RWA protocols have a small number of validators, a small number of issuers, and a small number of custodians. This means concentration risk is structural, not accidental.

A protocol that issues tokenized U.S. Treasuries with a single custodian, a single issuer, and a three-validator set is not diversified at the infrastructure layer, regardless of how many different assets it claims to support.

If the validator set is controlled by the issuer’s consortium members, the security model is a consortium security model, not a public blockchain security model. This is fine if you understand it. It is dangerous if you assume it is more decentralized than it is.

What to do: Map the full stack of the RWA product: which chain, which consensus, which validator set, which custodian, which legal entity, which jurisdiction. Treat the concentration at each layer as a risk factor.

What These Risks Mean in Practice

None of these risks are reasons to avoid the RWA tokenization space entirely. They are reasons to approach it with the same rigorous due diligence you’d apply to any new asset class with novel infrastructure and untested legal wrappers.

The institutional investors who will do well in tokenized RWAs are the ones who understand what they’re holding at every layer: the legal ownership claim, the smart contract, the custodian, the bridge, the consensus mechanism. They size their positions accordingly.

The ones who will get hurt are the ones who buy the narrative without interrogating the stack.

Tokenization is a genuine improvement in financial infrastructure. But it is still early. The protocols are immature. The legal frameworks are incomplete. The liquidity is shallow. The auditors miss things.

That does not mean don’t participate. It means participate with your eyes open.

This concludes the three-part RWA & DeFi series. Article 1: Canton vs Ethereum · Article 2: How Tokenized RWAs Connect to DeFi
