The suits won't bring the trillions on-chain until the security stops looking like a bug bounty free-for-all.

The Summary

The Signal

State Street, a custodian sitting on $43 trillion in assets under custody, is telling the blockchain world what it needs to hear but doesn't want to admit: the security model isn't ready for prime time. Angus Fletcher, who runs digital assets at State Street, says institutions want improved security protocols before they'll commit serious capital to on-chain real-world assets.

This isn't about retail DeFi degenerates losing money on the latest memecoin rug pull. This is about pension funds, sovereign wealth managers, and insurance companies looking at blockchain infrastructure and seeing too many unsolved attack vectors. The gap between "we can tokenize this bond" and "we will tokenize this bond" is measured in security guarantees that don't exist yet.

"The young crypto industry needs to find solutions now before trillions in RWAs come on-chain."

Fletcher's timeline matters. He's not saying "if" trillions come on-chain; he's saying "before." State Street sees tokenization as inevitable, but only after the industry solves for institutional-grade security. That means:

  • Custody solutions that meet regulatory standards for fiduciary responsibility
  • Smart contract audit processes that go beyond "three guys on Twitter vouched for it"
  • Insurance products that actually cover exploits without excluding everything in the fine print
  • Recovery mechanisms that don't require convincing validators to hard fork

The recent wave of DeFi attacks gives Fletcher's position urgency. Every bridge hack, every flash loan exploit, every protocol drain adds another six months to institutional adoption timelines. Not because the attacks prove blockchain doesn't work, but because they prove the industry hasn't solved known problems at scale.

The Implication

If you're building tokenization infrastructure, your pitch deck needs a security section that doesn't just reference "best practices." Institutions want specifics. What happens when a smart contract bug is discovered? Who has liability? How fast is recovery? What's the insurance coverage, and who's underwriting it? The companies that answer these questions first will win the RWA race. The ones still talking about "trustless" and "permissionless" as if those words solve security will stay in the retail sandbox.

Sources

RWA Times | CoinDesk