Tokenized RWAs have blown past $26 billion in distributed asset value as of March 2026, according to RWA.xyz, with an additional ~$340 billion in represented (platform-locked) value sitting behind permissioned systems. Projections for $100 billion in distributed value by year-end are circulating from credible sources like Bitfinex and Centrifuge’s COO. BlackRock and Apollo have moved well past pilots, with BUIDL and ACRED deploying real institutional capital on-chain. JPMorgan and KKR are running production tokenization initiatives, though their scope remains narrower.
And yet, most of the public conversation about RWAs still focuses on opportunity: fractional ownership, 24/7 trading, yield, composability, the trillion-dollar TAM. The risk side gets a few bullet points at the bottom of a report and a perfunctory “DYOR.”
That’s a problem. Because tokenization does not eliminate the economics of the underlying asset. It wraps them in a new layer of complexity, one that sits at the uncomfortable intersection of traditional finance and decentralized infrastructure. A tokenized Treasury bill is still subject to interest rate movements. A tokenized private credit position still depends on whether the borrower pays back the loan. And the on-chain wrapper adds its own failure modes: oracle lag, smart contract bugs, redemption bottlenecks, and regulatory ambiguity that can freeze liquidity overnight.
This article breaks down what those risks actually look like in practice, how the leading risk curators (Gauntlet, Credora by RedStone, Chaos Labs) are quantifying them, and what a real due-diligence process should include before you allocate capital or integrate an RWA into a DeFi protocol.
What We Mean by “Yield-Generating RWAs”
Yield-generating RWAs are tokenized representations of traditional assets that produce income on-chain. That income might come from interest (U.S. Treasuries), coupons (corporate bonds), loan repayments (private credit), or rental flows (real estate). Common examples include BlackRock’s BUIDL fund, Ondo Finance’s USDY, Apollo’s ACRED (via Securitize), and various private credit pools on platforms like Maple, Centrifuge, and the now-troubled Goldfinch.
The appeal is obvious. A tokenized Treasury product can deliver 4-6% yield with 24/7 access, compared to the T+1 settlement cycle that traditional U.S. securities moved to in May 2024. Private credit instruments on-chain can offer 8-12%. For corporate treasurers and DeFi protocols alike, the math is attractive.
But the yield has to come from somewhere. And the path from the off-chain borrower’s repayment to your on-chain wallet is longer, more fragile, and more opaque than most participants realize.
The Seven Risk Dimensions
Yield-generating RWAs carry risk across seven interconnected categories. These aren’t abstract. Every one of them has produced real losses in the short history of on-chain RWAs.
1. Structural Risk
The first question is deceptively simple: does your token actually give you a claim on anything?
Some tokenized assets represent direct ownership. Others represent a claim on an SPV (Special Purpose Vehicle) that holds the asset. Others still are synthetic exposures with no direct claim at all. As Animoca Brands noted in its late-2025 report on tokenized stocks, 95% of the tokenized equity market is synthetic, meaning holders get price exposure but no voting rights, dividends, or legal ownership.
For yield-generating assets, the structure determines whether you’re actually entitled to the cash flows or whether you’re trusting an intermediary to pass them through. Bankruptcy-remote structures (where the SPV is legally separated from the issuer) protect holders if the issuer goes under. Weak structures leave you as an unsecured creditor in a jurisdiction you may not even know.
What to check: Read the offering memorandum and SPV documentation. Confirm bankruptcy-remote status. Understand the redemption mechanics, including timing, pauses, lock-ups, and any discretionary gates. If you can’t find these documents, that’s your answer.
2. Counterparty Risk
Every yield-generating RWA depends on a chain of counterparties: the issuer who creates the token, the custodian who holds the underlying asset, the servicer who collects and distributes payments, the originator who sourced the loans (for credit products), and the auditor who verifies everything.
Any one of them can fail, and when they do, the failure doesn’t show up on-chain until it’s too late.
The Goldfinch case is instructive. In 2022, the protocol facilitated a $20 million loan to Stratos, a fintech credit fund. According to CoinDesk’s reporting and Warbler Labs’ own governance forum disclosure, Stratos allocated $5 million to REZI, a real estate tech startup that stopped paying, and $2 million to digital asset investments (POKT) that the protocol’s contributor and underwriter, Warbler Labs, claimed to be unaware of. The write-down hit $7 million. Earlier, borrower Tugende, a Kenyan motorcycle financing company, experienced a credit event on a separate $5 million loan after what Warbler Labs described as unauthorized intercompany loans to a struggling parent entity. A third borrower, Lend East, later proved unable to fully repay a $10.2 million loan.
Three credit events, three different counterparty failures, all on the same platform. Warbler Labs backstopped the losses, but community members were blunt in governance forums about the repeated failures of oversight. One commenter pointed out the pattern of discovering borrower problems only after the damage was done.
This is what counterparty risk looks like in practice. It’s not a line item in a spreadsheet. It’s a borrower quietly misallocating funds while the on-chain representation shows everything is fine.
What to check: Analyze the financial health and track record of every entity in the chain. Look at proof-of-reserves frequency and auditor independence. For private credit, dig into borrower underwriting standards and historical default rates. A single point of failure anywhere in the chain is a red flag.
3. Legal and Regulatory Risk
RWAs live in a regulatory gray zone that varies by jurisdiction and changes frequently. The token might be classified as a security in one country and a commodity in another, or fall into no existing category at all. The EU’s MiCA framework and the DLT Pilot Regime provide some structure in Europe. In the U.S., the SEC is still evaluating tokenized money market funds and similar products on a case-by-case basis, issuing bespoke exemptive orders rather than broad guidance.
This matters because legal classification determines who can buy the token, where it can trade, and what recourse you have if things go wrong. Cross-border enforcement is another open question. If an SPV in the Cayman Islands holds the underlying asset and the issuer is in Singapore, which court do you petition when the redemption mechanism breaks?
IOSCO’s Decentralized Finance and Digital Assets report flagged these issues directly, noting that tokenized markets introduce technology-related risks layered on top of the familiar legal uncertainties of cross-border finance.
What to check: Determine the token’s securities classification in your jurisdiction. Map the governing law and dispute resolution process. KYC/AML and transfer restrictions (whitelisting) can limit secondary liquidity, so understand who can actually trade the token. Ambiguous status is not neutral; it’s a liability.
4. Operational and Custodial Risk
Operational risk in RWAs is about what happens between the off-chain asset and the on-chain representation. Misreporting, infrequent attestations, poor internal controls, and custody lapses can all create a gap between what the token says and what the underlying asset is actually worth or doing.
Chaos Labs, in their risk assessment work for Aave Horizon and their frxUSD review, flagged several specific operational concerns: restricted pricing schedules (daily or weekly NAV updates), weekend market closures that leave valuations stale, and custodial coordination delays that slow liquidations. Even fully backed assets can face temporary illiquidity if reserves are exhausted at a single custodian.
The gap between off-chain reporting cadence and on-chain expectations is a structural problem. DeFi operates in real time. Fund administrators update NAVs daily at best. That mismatch is fine during calm markets. During stress, it becomes a trap.
What to check: How often are attestations or audits published, and by whom? Is there a single custodian or diversification across multiple providers? What’s the reporting lag between an off-chain event (like a default) and its reflection on-chain?
5. Liquidity and Market Risk
Liquidity risk in RWAs has a particular character: the on-chain wrapper can trade continuously, but the underlying asset may not be liquid at all. A tokenized private credit position might show a live price on a DEX, but the actual loan has a multi-year maturity and no secondary market.
This creates what Gauntlet, in their section of the June 2025 RedStone/RWA.xyz report, described as a fundamental liquidity trap during stress. Redemption timelines for certain RWAs may require weeks or months, while DeFi users expect immediate settlement.
The “State of RWA Tokenization 2026” report quantified part of this problem: 1-3% pricing gaps for identical assets across different chains, and 2-5% friction costs when moving capital cross-chain. These aren’t theoretical. They’re measured inefficiencies that widen during volatility.
What to check: Examine on-chain trading volume, spreads, and order-book depth. Model what happens during mass redemptions. Compare the token’s liquidity profile against the underlying asset’s actual redemption timeline. If there’s a mismatch, you need to understand how it resolves under stress.
6. Smart Contract, Oracle, and Technology Risk
The technical layer adds failure modes that don’t exist in traditional finance. Smart contract bugs can drain funds. Oracle manipulation can distort valuations. Admin-key compromises can allow unauthorized changes. Upgradeability mechanisms, if poorly designed, can introduce vulnerabilities after deployment.
For yield-generating RWAs specifically, oracle risk is acute. Most tokenized funds use NAV data supplied by a single fund administrator on a delayed schedule (T+1 or slower). Gauntlet noted that liquidation triggers in leveraged RWA positions operate on this same delayed schedule, meaning a credit default might not be reflected in on-chain pricing for days.
IOSCO’s report echoed this concern, noting that tokenized markets introduce smart contract vulnerabilities, cyber risks, and the need for secure key management as distinct technology-related considerations.
What to check: Require multiple independent security audits (firms like PeckShield, Trail of Bits, or OpenZeppelin). Verify oracle redundancy, specifically whether there are multiple data sources and fallback mechanisms. Understand admin-key controls and who has the ability to pause or upgrade the contract.
7. Yield-Specific Risks
The yield itself is a risk factor. Interest rate changes directly affect Treasury-backed products. Credit defaults erode private credit returns. Income volatility in real estate or receivables creates unpredictable cash flows.
In leveraged strategies (where protocols borrow against RWA collateral to amplify returns), these yield risks compound. Gauntlet curates leveraged vault strategies on Morpho that use Apollo’s ACRED tokenized credit fund as collateral, employing looping strategies to target enhanced returns. ACRED itself is a tokenized credit fund via Securitize; the leverage layer is applied by the vault strategy on top. But variable borrow costs in DeFi can spike unpredictably, compressing or eliminating the spread that makes the strategy work.
The general principle: high yields signal elevated underlying risks. Tokenization adds transparency to some aspects of the asset, but it does not change the fundamental credit quality of the borrower or the duration sensitivity of the instrument. A tokenized junk bond is still a junk bond.
What to check: Calculate risk-adjusted metrics like the Sharpe ratio (yield vs. volatility). Run scenario models for rate hikes, credit defaults, and borrow-cost spikes. For leveraged strategies, understand the liquidation mechanics and what happens when the yield spread compresses or inverts.
What the Risk Curators Are Saying
Three organizations have emerged as the primary risk curators for on-chain RWAs, each approaching the problem from a different angle. Their work converges on the same conclusion: tokenization adds DeFi amplification to TradFi risks, and the biggest dangers are timing, pricing, and access mismatches that become acute under stress.
Gauntlet: Practical Risk Management for Leveraged Vaults
Gauntlet specializes in quantitative simulation and risk-parameter optimization, particularly for leveraged RWA strategies on Morpho. They manage risk for vaults holding billions in RWA-backed positions, including strategies built on Apollo’s ACRED tokenized credit fund.
Their key contribution is specificity. Rather than listing risks abstractly, Gauntlet shows how they manifest in live vault operations: redemption timing mismatches that trap capital, single-source NAV pricing that delays liquidations, variable borrow costs that compress returns, and KYC/whitelisting requirements that limit who can provide liquidity during stress.
Their mitigation approach is equally specific: real-time monitoring of yield vs. borrow rates, dynamic LLTV (Liquidation Loan-to-Value) caps, multi-source price discovery, and continuous stress testing. The argument is not that these risks are manageable in theory, but that they require active, curator-level oversight in practice.
Credora by RedStone: Standardized Risk Ratings
RedStone acquired Credora in September 2025 to create the first oracle platform combining real-time price data with standardized risk ratings. The deal was covered by Blockworks, CoinDesk, and confirmed on RedStone’s own blog. Credora provides institutional-grade risk ratings based on its Probability of Significant Loss (PSL) methodology, with ratings now live on Morpho and Spark.
For RWAs specifically, Credora extends traditional credit risk methodology with factors unique to tokenized assets: custodian quality, bankruptcy remoteness, legal entity structure, regulatory/jurisdictional exposure, NAV transparency, and servicer risk. The system operates with over 90% automation, allowing ratings to update as conditions change rather than waiting for quarterly reviews.
The market data supports demand for this kind of transparency. RedStone and Credora reported that rated DeFi strategies such as Morpho Vaults have grown up to 25% faster than unrated peers. For institutions operating under fiduciary mandates, an auditable risk score is not optional; it’s a prerequisite for allocation.
Credora’s explicit position: without standardized risk infrastructure, the RWA market cannot scale to the institutional levels that forecasts project. They frame their ratings as the missing primitive for risk-aware capital allocation.
Chaos Labs: Infrastructure-Level Risk
Chaos Labs focuses on protocol-level risk infrastructure, building the automated systems that lending platforms like Aave Horizon use to manage RWA-backed positions. (Horizon launched in August 2025 as Aave’s institutional RWA market, growing to over $440 million in deposits and accepting tokenized collateral from Superstate, Centrifuge, Circle, and VanEck.)
Their contribution is architectural. Traditional price oracles were not designed for assets that update daily, close on weekends, and require custodial coordination for liquidations. Chaos Labs built “Risk Oracles” that automatically adjust lending parameters (LTVs, liquidation thresholds) based on off-chain conditions, combining agent-based stress simulations with cross-validation of NAVs and custom liquidation mechanics that account for settlement delays.
In their frxUSD review, Chaos Labs assessed custodian failure risk as extremely low due to regulation and diversification. frxUSD is backed by tokenized Treasuries from BlackRock’s BUIDL fund (tokenized by Securitize), Superstate’s USTB, and WisdomTree’s WTGXX, per Frax’s own documentation. Chaos Labs noted that redemption paths still need on-chain workarounds to handle temporary illiquidity scenarios.
A Practical Due-Diligence Checklist
Based on the curator frameworks and real-world failure cases, here’s a condensed process for evaluating any yield-generating RWA before investing or integrating into a protocol.
Step 1: Read the legal documents. Offering memorandum, token-holder agreement, SPV documentation. Confirm bankruptcy-remote status, direct claim on cash flows, and redemption mechanics. If the documents are vague, incomplete, or unavailable, stop here.
Step 2: Map the counterparty chain. Identify every entity between you and the yield: issuer, custodian, servicer, originator, auditor. Assess each one’s financial health, track record, and incentive alignment. Look for single points of failure.
Step 3: Verify the yield source. U.S. Treasuries carry minimal credit risk but meaningful interest-rate risk. Private credit carries real default risk. Know exactly where the money comes from and what conditions could stop it.
Step 4: Stress-test liquidity. Model what happens during mass redemptions. Compare on-chain trading volume to underlying asset redemption timelines. If there’s a meaningful gap, size your position accordingly.
Step 5: Audit the technical layer. Multiple independent smart contract audits, oracle redundancy, admin-key controls, upgrade mechanisms. For leveraged strategies, verify the liquidation mechanics and the data sources that trigger them.
Step 6: Map the regulatory landscape. Securities classification, KYC requirements, cross-border enforceability. These constraints directly affect who can provide liquidity and what happens when something goes wrong.
Step 7: Score the project holistically. Consider a multi-factor heuristic covering permissionlessness (global retail access), reliability (issuer reputation and yield stability), DeFi integration (composability as collateral, trading pairs), maintenance cost (complexity of the underlying asset), and UX (auto-rebasing yield, simple redemption). Products like Ondo’s USDY, which offer rebasing yield with multi-chain DEX trading and simple redemption, score well on adoption risk. Products requiring manual claims, restricted access, or complex intermediary structures carry higher friction risk even when the underlying asset is solid.
Step 8: Run the numbers. Sharpe ratio, Value-at-Risk, duration sensitivity. Scenario model a +200bps rate hike, a counterparty default, and a borrow-cost spike simultaneously. If the position survives all three, it’s probably sized right.
The Spectrum of Risk in Practice
Not all RWAs are created equal. The risk profile varies enormously by underlying asset class and product design.
On the lower-risk end, products like BlackRock’s BUIDL fund or Ondo’s USDY tokenize short-duration U.S. Treasuries through bankruptcy-remote SPVs with strong institutional issuers and auto-rebasing yield. The primary risks are interest-rate movements and, to a lesser extent, the operational risk of the on-chain wrapper. These products have attracted billions precisely because the risk profile is well-understood.
On the higher-risk end, private credit pools carry elevated default, servicer, and liquidity risks. The Goldfinch experience demonstrated that even with a reputable platform, individual loan pools can suffer from borrower misallocation, lack of transparency, and inadequate underwriting controls. The yields are higher because the risks are higher. Tokenization makes the investment accessible but does not make it safer.
In between, there’s a growing category of leveraged RWA strategies that use vault automation to amplify returns on otherwise conservative assets. Gauntlet’s leveraged vaults on Morpho, which use Apollo’s ACRED as collateral, are the leading example. These strategies introduce DeFi-specific risks (variable borrow costs, liquidation mechanics, smart contract dependencies) on top of the underlying asset risk. They require active curator oversight and are not suitable for passive holders.
Where This Is Heading
The RWA risk infrastructure is maturing fast. Credora’s ratings are already influencing capital flows on Morpho and Spark. Chaos Labs’ Risk Oracles are automating parameter adjustments on Aave Horizon. Gauntlet is stress-testing leveraged positions in real time with billions at stake.
But the gap between the best-in-class risk management and the average RWA product remains wide. Many smaller issuers still lack independent audits, rely on single custodians, publish infrequent attestations, and operate with opaque legal structures. The market’s rapid growth, potentially reaching $100 billion by year-end, will attract products that prioritize speed to market over risk infrastructure.
For allocators, this means the due-diligence burden is increasing, not decreasing. The tools are getting better, but they need to be used. A Credora rating is valuable, but it’s not a substitute for reading the offering memorandum. A Gauntlet-curated vault is better managed than an unmanaged one, but the underlying asset still carries the same credit risk.
Tokenization brings real benefits: transparency, composability, fractional access, 24/7 markets. It also brings real risks that are easy to overlook when the yield looks attractive and the market is moving up. The curators and infrastructure providers working on this problem are doing some of the most important work in DeFi right now. The question is whether the broader market will adopt their tools before the next credit event forces the lesson.
