🧵 1/3 RWAs aren’t ERC20s with a legal wrapper. They combine on-chain logic + off-chain trust, which creates entirely new attack surfaces If you’re building or auditing RWAs, the threat model needs to go way beyond Solidity.

🧵 2/3 Some RWA-specific attack vectors devs often miss 👀 • Token split logic - double charging • Freeze/lock checks skipped in batch ops • Broken recovery & guardian flows - permanently stuck assets • Checkpoint bypasses - accounting & governance drift Centralized NAV oracles - single point of failure These are design-level bugs, not edge cases.