TesseraDAO, a project on BNB Chain, has been hit by a critical exploit that allowed an attacker to mint 99 million TSR tokens out of thin air and dump them for approximately $2.4 million, sending the token’s price down 99% within hours.
The exploit was first flagged by on-chain analyst Specter (@SpecterAnalyst), who identified the attacker’s address and confirmed that the stolen funds were subsequently deposited into Tornado Cash, the OFAC-sanctioned privacy mixer.
The On-Chain Evidence
The mint transaction occurred on June 1, 2026 at 11:38:25 AM UTC. According to data from BscScan, the transaction hash 0x25093e573c116562c8839dc67a15ac21761271006a8dfe50b18fa475564bfcd1 shows the attacker’s address 0x2201037A1755eC48eC5f00Fea21A10A9E56f2Dd8 minting 99,000,000 TSR tokens directly from the zero address (0x000...000) and routing them to the wallet 0x6f2b45B950d1739EF67C76F4106df6d6E84904cB.
The mint from the null address is the defining technical signature of the exploit. Unlike a transfer between wallets, a mint from 0x000...000 creates new tokens that did not previously exist—meaning the attacker either had access to the contract’s minting function through a compromised admin key or exploited a vulnerability in the project’s minting logic.
The 4-hour price chart shows TSR’s market cap collapsing in a near-vertical drop on the TSR/USDT PancakeSwap pair, falling from approximately $4 million to near-zero within hours of the dump. As of the time of reporting, TSR was trading at a market cap of roughly $213,720 — a 99% drop from pre-exploit levels. TSR’s price also lost 99% of the value.
Funds Routed Through Tornado Cash
Specter confirmed that the attacker proceeded to deposit the proceeds into Tornado Cash, the privacy mixer that has been sanctioned by the U.S. Treasury since August 2022 for facilitating the laundering of more than $7 billion in illicit virtual currency. Tornado Cash has remained the preferred laundering rail for BNB Chain exploit proceeds despite the sanctions.
Specter also noted that the UXLINK exploiter—responsible for the September 2025 attack that minted billions of unauthorized UXLINK tokens and drained $44 million—is currently active in depositing funds into Tornado Cash, with approximately $7.1 million in stolen UXLINK proceeds moved into the mixer in recent activity.
As of publication, TesseraDAO had not released an official statement on the exploit. Some community members responding to the on-chain reports characterized the incident as a “rug pull” rather than an external exploit, raising questions about whether the attack involved internal compromise of the project’s deployer or admin keys.
A Clear 2026 Pattern
The TesseraDAO exploit is the latest in an accelerating series of unauthorized minting attacks in 2026, where attackers gain access to a contract’s mint function and create unbacked tokens that are then dumped on decentralized exchanges before holders can react.
The pattern has been particularly aggressive in recent months:
- March 2026: Resolv USR. An attacker exploited Resolv Labs’ USR stablecoin minting contract to create $80 million in unbacked USR tokens using just $200,000 in USDC, crashing the dollar-pegged stablecoin by over 74%.
- May 30, 2026: Alephium Bridge. The Alephium TokenBridge was exploited for $815,000 in custody assets, with 13.76 million unbacked wrapped ALPH minted directly to the attacker’s wallet after three of four guardian keys were compromised.
The common thread across all four incidents is the unauthorized creation of tokens that should not exist under each project’s stated supply schedule. Whether the cause is a compromised key, a backdoor in the contract, missing validation in mint functions, or insider involvement, the outcome is identical: tokens get minted out of nothing, dumped on DEX liquidity pools, and the resulting USDT or other stablecoin proceeds get routed through Tornado Cash to launder the trail.
Why It Keeps Happening
The structural vulnerability behind unauthorized mint exploits is that most token contracts have a mint function—typically used legitimately for staking rewards, emissions, bridge minting, or initial supply expansion—that can be accessed by anyone with the right credentials or who exploits the right code path.
When that minting authority is concentrated in a single admin key, a deployer wallet, or a small set of guardians, the project’s security collapses to the security of those credentials. The Alephium exploit on May 30 illustrated this directly: the bridge contract’s cryptographic verification worked correctly. The problem was that three of four guardian keys had been compromised, allowing the attacker to sign valid-looking but forged approvals.
For smaller projects like TesseraDAO, the situation is often worse. Many BNB Chain projects launched through templated token deployers retain default admin access patterns that have not been hardened, audited, or transferred to multi-signature wallets. Security firm Hacken has noted in past reports that the majority of BNB Chain exploits in recent years have stemmed from access control failures rather than novel smart contract vulnerabilities.
For now, TSR holders are left with a token that has lost 99% of its value, no apparent path to recovery, and proceeds that have already been mixed through Tornado Cash—effectively beyond the reach of conventional on-chain tracing.
