Blockchain research firm Castle Labs released its “Full-Stack Privacy Ecosystem” report on June 23, stating that the global on-chain RWA (real-world assets) market size has reached $28.2 billion, but the portion entering DeFi protocols is only about 10%. The report attributes this gap to institutions’ fundamental barriers: DeFi public ledgers prevent institutions from concealing balances, counterparties, order flow, and customer data.
RWA Market Snapshot: Over $25.2 billion still outside DeFi
The data in the Castle Labs report shows that in the $28.2 billion RWA market, only about 10% of assets have entered DeFi protocols, while more than $25.2 billion in on-chain assets have not yet been integrated into the DeFi ecosystem.
The report states that the nature of this gap is structural barriers rather than a technical issue—institutions cannot conceal balances, order flow, pay slips, and customer data on the public ledgers of DeFi protocols, as the report puts it: “On-chain finance cannot mature if every meaningful action is assumed to be completely public.”
The report identifies four technical pillars as the core of institutional privacy infrastructure: ZK (zero-knowledge proofs), FHE (fully homomorphic encryption), MPC (multi-party computation), and TEE (trusted execution environments).
Institutional privacy infrastructure deployed in the first half of 2026
The Castle Labs report records multiple institutional privacy solutions deployed in the first half of 2026:
Aztec Network Alpha mainnet: launched on Ethereum in March 2026; private functions run in a local execution environment on the user’s device, and the sequencer cannot read transaction contents
Arcium Alpha mainnet: launched in February 2026; as of the report’s publication, it has processed more than 900 thousand computations and 3.5 million transactions
Circle Arc Privacy: officially released, offering enterprises an optional on-chain privacy solution
StarkWare and Sui: both have launched confidential asset transfer systems meeting compliance requirements
The Solana Foundation published a report in March 2026 detailing a privacy framework for institutions.
Zcash vulnerability fully patched; Roman Storm re-trial scheduled for fall 2026
On June 3, 2026, the Zcash development team completed a patch to a zero-knowledge proof circuit vulnerability in the Orchard protocol via an emergency hard fork. The vulnerability had been lurking for nearly four years, allowing attackers to mint fake ZEC without being noticed and without limits. Due to Orchard’s privacy features that shield transactions, the development team explicitly stated in its announcement that “at the cryptography layer, it is not possible to confirm whether the vulnerability was ever exploited.”
Roman Storm, a developer of Tornado Cash, has a re-trial date scheduled for fall 2026 amid accusations of conspiracy to launder money and conspiracy to evade sanctions. During the design process, the Privacy Pools protocol referenced materials from the Storm lawsuit and made targeted modifications to related functionality points.
FAQ
Why does DeFi penetration of RWA reach only 10%, and what is the core barrier?
The Castle Labs report attributes low DeFi penetration to transparency issues with DeFi public ledgers: institutions cannot expose their balances, counterparties, order flow, and customer data on public chains. This reflects the dual needs of regulatory compliance and protection of business confidentiality. It is a structural barrier rather than a technical bottleneck.
What problems do the four privacy technology pillars in the Castle Labs report address individually?
ZK solves “verifying without revealing”; FHE enables direct computation on fully encrypted data; MPC splits data across independent nodes for cooperative computation, preventing any node from obtaining the complete input; TEE executes computation in an isolated environment verified by hardware. The report clearly states that the final privacy stack is a combination of multiple technologies, not a victory of a single technology.
After patching the Zcash vulnerability, can the possibility of malicious exploitation be ruled out?
In the hard fork announcement on June 3, the Zcash development team explicitly stated that, due to Orchard’s transaction-shielding privacy features, at the cryptography layer, it is not possible to confirm whether the vulnerability was ever exploited. The hard fork has already completed the technical patch to the circuit vulnerability.
