👋 Welcome to the December Edition
In this December edition of Quill Sentinel, we uncovered 54 vulnerabilities across seven major chains, analyzed a key DeFi exploit, added a couple of sections to the Real-World Assets Handbook, published Exploited Ledgers: The Web3 Hack Report 2025 with comprehensive insights into long-term security trends, lessons learned, and the growing role of AI in security, and expanded collaborations aimed at strengthening the global security ecosystem.
Here’s everything you need to know from the month, from research shaping DeFi and RWA security to the latest attacks, audit insights, community partnerships, and key takeaways from our security report.
From the Quill Research Desk
Our latest research focused on protocol design and the evolving architecture of Real World Asset tokenization, including cross-chain settlement and redemption flows and emerging chains and non-EVM standards shaping compliant RWA systems.
Real-World Assets Handbook Updates
This month, we expanded the Real-World Assets Handbook with new sections, strengthening its coverage of how RWA systems are built in practice. The handbook now includes deeper insights into chains built for RWA use cases and non-EVM RWA standards, starting with Solana Token-2022, alongside existing breakdowns of tokenization standards, custody and settlement workflows, ecosystem architecture, and global regulatory considerations.
Built for developers, auditors, founders, and institutions, the handbook offers a clear and practical framework for navigating the technical and compliance challenges of tokenizing real-world value on both EVM and non-EVM chains.
➡️ Read the RWA Handbook here for chains and non-EVM standards.
Our research explored how real-world assets move cross-chain in practice, focusing on settlement, redemption mechanics, and the architectural trust assumptions behind compliant RWA systems.
Cross-Chain RWA Architecture: How real-world asset systems are designed to operate across multiple blockchains while maintaining compliance, settlement guarantees, and architectural consistency. It outlines the core components of cross-chain RWA systems, including legal anchoring, compliance and identity layers, token standards, interoperability mechanisms, and settlement flows, and explains how these layers work together to enable secure, scalable, and compliant movement of tokenized assets across chains.
Exploited Ledgers: The Web3 Hack Report 2025
Exploited Ledgers: The Web3 Hack Report 2025 presents a data-driven analysis of the Web3 security landscape, examining 89 confirmed incidents that resulted in $2.54 billion in losses across protocols, wallets, and infrastructure. The report highlights a shift toward fewer but higher-impact attacks, with phishing, private key compromises, and protocol design failures emerging as the most dominant and costly threat vectors.
It also explores the growing role of AI in security, highlighting how audit agents, automated analysis, and agent-based security tooling are increasingly used to detect vulnerabilities earlier, scale security reviews, and augment traditional manual audits.
By breaking down incidents by attack type, network, and failure mode, the report offers clear insights into how exploits are evolving and where security efforts must be focused moving forward.
➡️ Read the full report here for detailed findings and insights.
Hack Watch
December reinforced how private key compromises and protocol design flaws remain dominant attack vectors across the ecosystem. Wallet-level security failures led to some of the largest losses this month, with Trust Wallet losing $7M and Ribbon suffering a $2.7M loss on Ethereum due to private key compromises, highlighting persistent risks around key custody and access controls. Phishing also continued to be effective, as seen in the $3.9M exploit of Unleash Protocol on Story.
On the protocol side, design and upgrade-related weaknesses surfaced repeatedly. Flow experienced a $3.9M minting issue, underscoring how asset issuance logic remains a critical failure point, while Rari Capital lost $2M due to an upgradability flaw, emphasizing the risks introduced by privileged upgrade paths. USPD’s $1M loss from protocol logic errors further demonstrated how subtle implementation mistakes in stablecoin systems can lead to direct value leakage.
QuillAudits Stats
A quick look at our December audit activity and how we helped secure the Web3 ecosystem.
Building & Operating Tokenized RWAs - Lifecycle, Architecture & Common Pitfalls
Last month, we hosted an exclusive Twitter Space on Building & Operating Tokenized RWAs, bringing together leading builders advancing RWA infrastructure across ecosystems. The discussion explored end-to-end RWA tokenization, architectural and compliance considerations, liquidity and issuance workflows, key security pitfalls, and where RWA infrastructure is heading next, offering practical insights for teams building, auditing, and securing real-world asset systems.
➡️ Listen to the full Space: https://x.com/i/spaces/1ypKdqvoERqGW/peek
Wanna partner up w/ us or want to get your project audited?
Have a great day,
Team QuillAudits