July 15, 2026
Insights

Why a Valid Signature Isn't Enough to Secure a Tokenized Asset

Two incidents months apart, one an attack and one a mistake, minted unbacked tokens through contracts every compliance check had already cleared.

Hypernative

In October 2025, an internal error at Paxos executed a $300 trillion mint of PYUSD instead of the intended $300 million. In May 2026, a compromised signing key at StablR, a licensed European stablecoin issuer, minted millions of tokens against zero collateral. One was a mistake. One was an attack. Both transactions were fully authorized, and neither should have executed.

StablR's minting multisig required only one of three keys to approve a transaction. An attacker who compromised a single signer removed the legitimate signers and minted 8.35M USDR and 4.5M EURR, StablR's two stablecoins, in under 15 minutes. Both tokens broke their peg. Paxos had no attacker behind its incident at all: an authorized internal operation added six extra zeros to a routine transfer, and the company caught and reversed it within about 20 minutes. Neither company failed the security review that got it there. Both had passed audits, licensing, and reserve attestations before either transaction was ever signed.

A valid signature answers one question: who is allowed to act. It says nothing about what a specific transaction, once signed, should be allowed to do. Tokenized real-world assets have grown to roughly $26B onchain in early 2026, nearly four times their level a year earlier, with BlackRock, Franklin Templeton, JPMorgan, and Goldman Sachs all now running tokenized products at scale. That is the gap institutional tokenization has to close as banks, asset managers, and stablecoin issuers move real balance sheets onchain, and it is not a gap that diligence, custody, or compliance controls were ever built to catch.

The lifecycle a tokenized asset actually needs

Security for a tokenized asset is not a single control or a one-time audit. It spans four distinct moments, and both incidents landed in the same one.

Diligence and compliance, established before a token is ever issued, confirms the integrity of the asset, its counterparties, and its permitted holders. This is foundational, and neither incident would have been caught here. StablR was fully licensed and audited. Paxos is one of the most heavily regulated stablecoin issuers in the market. Diligence answers who is allowed to participate. It does not evaluate any single transaction.

Pre-signature verification is where both incidents should have been stopped. Before a privileged action, a mint, a burn, a whitelist change, a NAV update, a redemption, executes, an independent simulation can reveal exactly what it will do and check the result against expected parameters and live conditions. A mint of 8.35M USDR against zero incremental collateral fails that check immediately, regardless of whether the signer was compromised or legitimate. A mint of $300T against a $300M target fails it just as clearly. This is what Hypernative's Transaction Guard is built to catch: not whether the signer is who they claim to be, but whether the resulting state is one the institution actually wants to exist. It works the same way regardless of intent, because it never asks who signed. It asks what the transaction does.

Onchain monitoring, running continuously across every chain an asset touches, is what catches what pre-signature verification misses and what happens after. Hypernative's platform flagged StablR's anomalous mint at 11:47 p.m. UTC on May 23, as it happened, even though StablR was not a Hypernative customer. That kind of external detection is only possible because continuous monitoring on supply, mint activity, and peg behavior runs independent of whether an issuer has configured it themselves.

Automated response turns detection into action without waiting for a human to read an alert. A pause, a freeze, a role revocation, executed at the moment a threshold breaks, is the difference between a detected anomaly and a contained one. Detection combined with response is what stops a drain in progress.

The question institutions still need to answer

Neither StablR nor Paxos failed because their compliance programs were weak. Both had cleared the bar diligence is built to test. Both failed at the one moment that bar was never designed to reach: the instant a specific, signed transaction executes.

That is the gap an institutional-grade tokenization program has to close, and it is not closed by any single control. It requires a framework that spans all four phases, with the same detection, verification, and response operating as one system across every chain the asset touches.

If you want to see the pre-signature layer in practice, Hypernative is hosting a live session on July 23 walking through exactly what closes this gap, using these two incidents as the starting point.

Register here: https://luma.com/tokenized-assets

Proactive security for onchain finance.

Website | X (Twitter) | LinkedIn

Stay ahead of the curve, subscribe for the latest in Web3 security

Latest from Hypernative
The Ultimate Guide to Digital Asset Security
Cover of a guide titled The Ultimate Guide To Web3 Security by Hypernative on safeguarding Web3 projects.