
Securing Tokenized Assets: Key Strategies for Institutional Investors



Rob Behnke

July 31st, 2024


Real-world asset (RWA) tokenization is a rapidly growing trend in the blockchain space and beyond. For example, Goldman Sachs recently revealed its intention to launch three projects related to RWA tokenization in 2024. This decision was driven by intense customer interest in the space.

RWA tokenization has numerous potential benefits for these organizations and their investors. 

However, it also introduces a range of security risks that traditional investment portfolios do not carry. Goldman Sachs, BlackRock, and other organizations entering the RWA space should implement security programs and controls designed to address these risks specifically.

What is RWA Tokenization?

Many of the assets tracked on a blockchain are purely digital. Tokens can be used as currencies, securities, or to track ownership of digital assets. All token transfers are recorded on the blockchain's immutable ledger, and on a public blockchain any user can view and audit that activity.

RWA tokenization extends the functionality of blockchain and digital tokens to real-world assets. Ownership of these assets is encoded within tokens, which can be bought, sold, traded, and tracked on the blockchain.

RWA tokenization attracts intense interest because of what it offers the owners of, and investors in, these assets. Compared with traditional methods of recording and transferring ownership, blockchain-based systems can open markets to a wider range of investors and make issuance, settlement, and ownership tracking cheaper, faster, and more transparent.

Key Risks for Tokenized Assets

Tokenized assets inherit some of the same vulnerabilities as their non-tokenized counterparts. For example, if an asset suddenly loses its value, it doesn’t matter how ownership is tracked.

However, the use of blockchain-based solutions for tokenization also introduces unique risks. These include security, operational, compliance, and counterparty risks.

Cybersecurity Risks

RWA tokenization uses blockchain technology to track ownership of real-world assets on-chain. The token itself is implemented as a smart contract that encodes its functionality, enabling the asset to be bought, sold, and traded on-chain under whatever custom logic the issuer defines.

Using smart contracts and the blockchain to track asset ownership introduces certain security risks. Smart contracts may contain vulnerabilities or logic errors that expose them to attack or undermine their intended function. For example, a contract may contain arithmetic errors (such as rounding that lets a fee be bypassed, or balances that drift out of step with the recorded total supply) or flawed access controls (such as a mint or configuration function that anyone can call) that permit an attacker to exploit it.
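As an added illustration (not Halborn's code, and not any real issuer's contract), the following Solidity shows both kinds of flaw on a deliberately simplified token that tracks units of a tokenized asset, followed by a hardened version. The contract names, the admin and treasury roles, the fee logic, and the 5% fee ceiling are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not Halborn's or any issuer's code. Contract names, the
// admin/treasury roles, the fee logic and MAX_FEE_BPS are assumptions.

// ---------- Vulnerable version ----------
contract VulnerableRwaToken {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;
    address public admin;
    uint256 public feeBps; // transfer fee in basis points (1/100 of a percent)

    constructor() {
        admin = msg.sender;
    }

    // Flawed access control: no check that msg.sender is admin, so anyone
    // can create units of the tokenized asset out of thin air.
    function mint(address to, uint256 amount) external {
        balanceOf[to] += amount;
        totalSupply += amount;
    }

    // Flawed access control and no upper bound: anyone can set a 100% fee
    // and make every transfer consume the sender's entire amount.
    function setFeeBps(uint256 bps) external {
        feeBps = bps;
    }

    // Arithmetic errors: dividing before multiplying rounds the fee to zero
    // for any amount below 10_000, so the fee is bypassed by splitting
    // transfers; and the fee is debited from the sender but credited to
    // nobody, so totalSupply no longer matches the sum of balances.
    function transfer(address to, uint256 amount) external {
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        uint256 fee = amount / 10_000 * feeBps;
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount - fee;
    }
}

// ---------- Hardened version ----------
contract HardenedRwaToken {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;
    address public immutable admin;     // should be a multisig, not a single key
    address public immutable treasury;  // receives transfer fees
    uint256 public feeBps;
    uint256 public constant MAX_FEE_BPS = 500; // 5% ceiling (assumption)

    event Minted(address indexed to, uint256 amount);
    event FeeChanged(uint256 oldBps, uint256 newBps);
    event Transferred(address indexed from, address indexed to, uint256 net, uint256 fee);

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    constructor(address admin_, address treasury_) {
        require(admin_ != address(0) && treasury_ != address(0), "zero address");
        admin = admin_;
        treasury = treasury_;
    }

    function mint(address to, uint256 amount) external onlyAdmin {
        require(to != address(0), "zero address");
        balanceOf[to] += amount;   // checked arithmetic: reverts on overflow
        totalSupply += amount;
        emit Minted(to, amount);
    }

    function setFeeBps(uint256 bps) external onlyAdmin {
        require(bps <= MAX_FEE_BPS, "fee above ceiling");
        emit FeeChanged(feeBps, bps);
        feeBps = bps;
    }

    function transfer(address to, uint256 amount) external {
        require(to != address(0), "zero address");
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        // multiply before dividing so small transfers cannot round the fee away
        uint256 fee = (amount * feeBps) / 10_000;
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount - fee;
        balanceOf[treasury] += fee;   // every unit stays accounted for
        emit Transferred(msg.sender, to, amount - fee, fee);
    }
}
```

Two properties are worth checking in an audit of any token like the hardened one: every privileged function is guarded by a role held by a multisig rather than a single externally owned account, and the invariant that totalSupply equals the sum of all balances holds after every operation, which is exactly what the dropped fee in the vulnerable version breaks.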

Moving RWAs on-chain also introduces risks associated with compromised accounts and private keys. If an attacker learns a user’s private key or tricks them into digitally signing a malicious transaction, then ownership of the RWA may be transferred to the attacker without the owner’s authorization. In the Web3 space, compromised private keys are a common root cause of large-scale thefts targeting large organizations, including cryptocurrency exchanges.

Operational Risks

Blockchain systems protect against some operational risks associated with traditional IT systems. For example, the decentralized and distributed nature of the blockchain reduces the potential for outages and downtime due to distributed denial-of-service (DDoS) attacks and other disruptive events. That resilience applies to the ledger itself, however; an organization's own RPC nodes, front-ends, and signing infrastructure remain single points of failure unless they are built redundantly.

However, moving assets on-chain can also introduce other potential risks. For example, blockchain-based smart contracts will likely be connected to traditional investment management solutions. The interfaces between these systems might contain bugs or data mismatches, such as on-chain balances diverging from the off-chain book of record, that cause them not to operate properly.

Additionally, the risk of human error may be greater when organizations are working with unfamiliar technology, such as Web3 systems and smart contracts.

Compliance Risks

In general, technology has outpaced regulation in the blockchain space. While some jurisdictions have developed forward-thinking regulations regarding on-chain assets, others are lagging behind.

This can contribute to a lack of regulatory clarity about what products and services an organization is permitted to offer on-chain in a particular jurisdiction. Some key considerations for research are the potential applications of securities laws, tax implications, and anti-money laundering (AML) and know-your-customer (KYC) requirements.

Counterparty Risks

Any investment carries the potential for counterparty risk. However, many of the counterparty risks associated with blockchain technology are different from those of traditional assets.

For example, RWA tokenization may include developing a smart contract, working with platforms and exchanges, and entrusting the management of an organization's digital wallet to a custody provider. If any of these parties fails, is compromised, or acts in bad faith, the tokenized asset may become worthless or be stolen by an attacker. Institutional investors need to understand these counterparty risks and incorporate them into their risk management strategies.

Security Best Practices for Tokenized Assets

Tokenized RWAs are a very different type of asset from those most institutional investors are familiar with. Blockchain-based solutions require specialized security controls and risk management processes.

The following best practices are essential to ensuring the security of a tokenized asset offering.

Cybersecurity Best Practices

Many security best practices for blockchain-based systems are the same as for traditional IT environments. 

Some security best practices to implement for tokenized assets include:

  • Strong Access Management: Institutional investors should use the strongest access management solution available on each platform. For blockchain environments, this means multi-signature or threshold wallets whose signing keys are generated and kept on separate hardware devices (hardware wallets or HSMs) held by different people, so that no single compromised key or insider can move assets. For traditional IT environments, this includes implementing multi-factor authentication (MFA) and using strong passwords.

  • Sensitive Data Management: Sensitive data should be stored and transmitted in an encrypted form whenever possible. Additionally, sensitive data shouldn't be stored on a public blockchain, even encrypted, because the ledger is visible to all users and permanent: anything written there cannot be deleted if the encryption is later broken or the key leaks.

  • Regular Security Audits: Misconfigurations, unpatched vulnerabilities, and other security gaps can leave an organization and its assets vulnerable to attack. Regular security audits help to ensure that potential problems are addressed as quickly as possible.

  • Continuous Monitoring: The corporate security operations center (SOC) should perform ongoing monitoring of an organization's blockchain and traditional IT systems. This may include automated alerts for suspicious or unusual transactions related to the company's tokenized assets, such as unexpectedly large transfers, changes to privileged roles, or contract upgrades.

Smart Contract Security

Smart contracts are programs that encode complex functionality and run on top of the blockchain's distributed ledger. The nature of the blockchain also makes them uniquely exposed to attack: they are reachable by anyone on the network, their bytecode is public (and their source code usually is too), and every interaction is a transaction on an immutable ledger, so an exploit cannot be rolled back once it is mined.

For these reasons, identifying and remediating smart contract vulnerabilities before launch is essential for security. Some best practices include:

  • DevSecOps: Security should be embedded in every phase of the development process when creating and launching smart contracts. This includes defining security requirements for code and performing security testing throughout the development lifecycle.

  • Pre-Release Audits: Every release of a new smart contract or smart contract update should undergo a comprehensive security audit before being released to the blockchain. This helps to identify and address potential vulnerabilities before they are visible and exploitable on-chain. This is especially important since exploit transactions are generally irreversible once they have been recorded on the blockchain’s digital ledger.

  • Upgradeable Code: While smart contracts are deployed on an immutable ledger, they can be written to be upgradeable, typically by placing the logic behind a proxy contract whose implementation can be replaced. This enables organizations to fix issues in their code that were overlooked before release. However, the upgrade mechanism must be carefully designed and implemented so that it doesn't introduce new security risks: the key that authorizes upgrades can replace the entire contract, so it should be held by a multisig and ideally gated by a timelock, and every new version must preserve the existing storage layout.

  • Ongoing Monitoring: Ongoing monitoring is essential to managing the security risks of token smart contracts. While a malicious transaction may be irreversible, rapid action can allow an organization to minimize the damage or prevent the attacker from profiting from their efforts. For example, an organization may be able to freeze future trades on a contract to prevent future losses or have exchanges freeze the attacker’s assets to prevent them from selling stolen assets for a profit.
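As an added example (not Halborn's code, and not any real issuer's contract), the following Solidity shows the two controls described in the last two points on a minimal EIP-1967 proxy and logic contract: an upgrade path restricted to a proxy admin, and a guardian role that can pause transfers while an incident is handled, with an event that off-chain monitoring can alert on. The contract names, the issuer and guardian roles, and the ALERT_THRESHOLD value are assumptions made for the example. A production deployment would use an audited proxy library such as OpenZeppelin's rather than hand-written assembly, and would place the admin and guardian keys behind a multisig and, for upgrades, a timelock.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not Halborn's or any issuer's code. Contract and role names
// and ALERT_THRESHOLD are assumptions; use an audited proxy library in production.

// Minimal EIP-1967 proxy: users call the proxy, which delegates to the current
// logic contract; the logic runs against the proxy's storage.
contract RwaProxy {
    bytes32 private constant IMPL_SLOT = bytes32(uint256(keccak256("eip1967.proxy.implementation")) - 1);
    bytes32 private constant ADMIN_SLOT = bytes32(uint256(keccak256("eip1967.proxy.admin")) - 1);

    event Upgraded(address indexed implementation);

    constructor(address impl, address admin_) {
        require(impl.code.length > 0 && admin_ != address(0), "bad impl or admin");
        _store(IMPL_SLOT, impl);
        _store(ADMIN_SLOT, admin_);
    }

    // The upgrade key is the most powerful key in the system: only the proxy
    // admin (ideally a multisig behind a timelock) may swap the logic.
    function upgradeTo(address newImpl) external {
        require(msg.sender == _load(ADMIN_SLOT), "not proxy admin");
        require(newImpl.code.length > 0, "implementation is not a contract");
        _store(IMPL_SLOT, newImpl);
        emit Upgraded(newImpl);
    }

    // The admin is barred from the logic, so no function in the implementation
    // can shadow upgradeTo for them (the transparent-proxy pattern).
    fallback() external {
        require(msg.sender != _load(ADMIN_SLOT), "admin cannot call logic");
        address impl = _load(IMPL_SLOT);
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }

    function _load(bytes32 s) private view returns (address a) { assembly { a := sload(s) } }
    function _store(bytes32 s, address a) private { assembly { sstore(s, a) } }
}

// Logic V1. Its state lives in the proxy, so a V2 must keep these variables in
// this order and only append new ones; it must never reuse the proxy's slots.
contract RwaTokenV1 {
    bool private initialized;
    bool public paused;
    address public issuer;    // receives the initial supply; should be a multisig
    address public guardian;  // may only pause/unpause, e.g. the SOC's on-call key
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;
    uint256 public constant ALERT_THRESHOLD = 1_000_000e18; // assumed monitoring trigger

    event PauseChanged(bool isPaused, address indexed by);
    event LargeTransfer(address indexed from, address indexed to, uint256 amount);

    // No usable constructor behind a proxy: initialize exactly once, in the
    // same transaction as the proxy deployment so nobody can front-run it.
    function initialize(address issuer_, address guardian_, uint256 supply) external {
        require(!initialized, "already initialized");
        require(issuer_ != address(0) && guardian_ != address(0), "zero address");
        initialized = true;
        issuer = issuer_;
        guardian = guardian_;
        balanceOf[issuer_] = supply;
        totalSupply = supply;
    }

    // Incident response lever: freezes trading while the team investigates.
    function setPaused(bool p) external {
        require(msg.sender == guardian, "not guardian");
        paused = p;
        emit PauseChanged(p, msg.sender);
    }

    function transfer(address to, uint256 amount) external {
        require(!paused, "transfers paused");
        require(to != address(0), "zero address");
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        // Off-chain monitoring subscribes to this event and can call setPaused.
        if (amount >= ALERT_THRESHOLD) emit LargeTransfer(msg.sender, to, amount);
    }
}
```

Deployment order matters: deploy RwaTokenV1, deploy RwaProxy pointing at it, and call initialize through the proxy in the same transaction (or from a factory), since an uninitialized proxy can be claimed by whoever calls initialize first. The guardian deliberately cannot mint or upgrade, so a compromised on-call key can at worst halt trading, which is recoverable, rather than steal or rewrite the asset.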

Custody Solutions

Tokenized assets allow an individual or institution to manage their own assets directly. However, historically, most enterprises have chosen to partner with a custody provider. For example, many Bitcoin spot ETFs entrusted the Bitcoin backing the ETF to a custody solution provider.

By doing so, an organization can transfer some of the risks and complexity associated with managing and securing the private keys that control a blockchain account. However, this also places significant trust in the organization’s custody provider to properly secure the organization’s private key and manage access to their account with the custody provider.

When performing due diligence on potential providers, some factors to consider include the following:

  • Security Controls: A custody provider is responsible for ensuring that an organization's assets are secure, which primarily involves protecting the private keys associated with blockchain accounts. Organizations should look for security best practices such as multi-sig or threshold signing, cold storage with keys generated and held in hardware (HSMs or hardware wallets) that never touch the network, and documented procedures for who can authorize a withdrawal and how.

  • Security Tradeoffs: Custody providers often manage a private key and allow users to log into their accounts via traditional means, such as a username and password. A custody provider should offer MFA at the minimum and ideally have additional access controls and protection in place.

  • Track Record: Any established custody provider has likely had customers suffer security incidents, even ones caused entirely by the customer. How the provider detected, contained, and communicated about those incidents is a useful indicator of the protection it provides and of its ability to respond effectively when something goes wrong.

Compliance and Risk Management

Regulatory compliance is a complex challenge in the blockchain space. Often, regulatory requirements vary from one jurisdiction to another, and some jurisdictions are still developing official regulations and policies. In many cases, key on-chain offerings, such as spot ETFs, have only been approved as a result of litigation.

When entering the RWA tokenization space, organizations must be cognizant of regulatory requirements and risks. Some best practices to consider include:

  • Research and Track Regulatory Requirements: Regulatory requirements are often specific to a particular jurisdiction and frequently change. Researching requirements in locations where the organization wants to provide services and maintaining visibility into the changing regulatory landscape is essential to maintain compliance.

  • Implement KYC/AML: AML/KYC procedures are a common component of regulatory requirements; however, they’re more difficult to implement in Web3 than Web2. Designing and testing KYC/AML procedures is essential for regulatory compliance.

  • Address Token-Specific Risks: Blockchain technology and RWA tokenization introduce different risks to the business than traditional assets. Organizations should consider the unique risks associated with these assets and develop risk management frameworks specifically targeted to manage them.

  • Consider Insurance Coverage: Insurance is a key element of many risk management policies, but traditional insurance policies may not cover all risks associated with RWA tokenization. Selecting insurance coverage with explicit support for on-chain security risks may be necessary to manage these risks.

  • Incident Response and Recovery: Teams should have incident response policies, playbooks, and on-call responders in place in advance of a potential security incident. Because on-chain transactions cannot be reversed, the playbooks should cover on-chain actions such as pausing a contract, rotating compromised keys, and contacting exchanges to freeze stolen assets, so that the organization can respond swiftly and correctly.

Partner Due Diligence

RWA tokenization can be a complex process, requiring various partnerships within the Web3 space. For example, an organization may need to hire a smart contract development team, work with crypto platforms and exchanges, and engage a custodial services provider.

When choosing the organizations to partner with, a company needs to weigh the associated risks. Some key considerations include:

  • Provider Capabilities: The growth of interest in RWA tokenization has inspired the creation of many new companies to provide related services. During due diligence, it’s important to verify that potential providers can demonstrate their ability to offer required services.

  • Security Programs: Many third-party providers have a significant impact on the security of an RWA token offering. Validating that providers have implemented appropriate security measures is essential to the security of the overall offering.

  • Centralization Risk: For some capabilities, such as custody services, a small number of providers capture most of the market. This creates potential risks if the provider experiences an outage, is targeted by a cyberattack, or goes out of business.

Ensuring Tokenized Asset Security

Tokenizing RWAs offers significant potential benefits and is a market poised for rapid growth. At the same time, this space has significant risks associated with it that organizations must take action to manage and mitigate.

Some of the most significant risks associated with RWA tokenization arise from its use of blockchain-based solutions. Compromised private keys and vulnerable smart contracts are the root causes of many security incidents in the Web3 space.

Halborn specializes in protecting Web3 projects through smart contract audits and security program reviews. For support in ensuring the security of your Web3 project, get in touch.