
TesseraDAO ($TSR) $2.5M Exploit on BNB Chain via Unauthorized Mint

TesseraDAO, a decentralized project on the BNB Chain, has suffered an exploit resulting in the theft of approximately $2.5 million. The incident involved an unauthorized minting of 99 million $TSR tokens, which were subsequently liquidated on decentralized exchanges, according to on-chain security data.

The breach was characterized as an “unauthorized mint”. Newly created tokens appear on-chain as a transfer from the null address, and an unexpected transfer of this kind typically indicates either a compromise of administrative private keys or a critical vulnerability in the contract’s minting logic. On-chain records from BscScan confirm the creation of the 99 million tokens prior to their conversion into stablecoins.
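The null-address signature described above can be monitored for directly. The following is an added example, not code from TesseraDAO or PeckShield: it scans Transfer event logs in the `eth_getLogs` shape and flags mints that go to an unapproved recipient or exceed a share of the tracked supply. The addresses, the starting supply, the 18-decimal assumption and the 1% threshold are constructed for illustration; only the 99 million figure comes from the report.

```python
# Added example: flag abnormal mints in ERC-20/BEP-20 Transfer logs.
# keccak256("Transfer(address,address,uint256)")
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
ZERO = "0x" + "0" * 40
UNIT = 10**18  # assumption: an 18-decimal token

def addr(topic):
    """Indexed address topics are 32 bytes, left-padded: keep the low 20."""
    return "0x" + topic[-40:].lower()

def pad(address):
    return "0x" + address[2:].lower().rjust(64, "0")

def make_log(sender, to, tokens):
    """Build a constructed log entry in the eth_getLogs shape."""
    return {"topics": [TRANSFER_TOPIC, pad(sender), pad(to)],
            "data": hex(tokens * UNIT)}

def find_suspicious_mints(logs, supply, approved, max_bps=100):
    """Return alerts for mints to unapproved recipients or above max_bps
    (basis points) of the supply tracked up to that log."""
    alerts = []
    for log in logs:
        t = log["topics"]
        if len(t) != 3 or t[0].lower() != TRANSFER_TOPIC:
            continue  # not an ERC-20 Transfer (ERC-721 carries 4 topics)
        sender, to, amount = addr(t[1]), addr(t[2]), int(log["data"], 16)
        if sender != ZERO:
            if to == ZERO:
                supply -= amount  # burn reduces tracked supply
            continue
        reasons = []
        if to not in approved:
            reasons.append("recipient not an approved minter")
        if amount * 10_000 > supply * max_bps:
            reasons.append("mint exceeds supply threshold")
        if reasons:
            alerts.append({"to": to, "tokens": amount // UNIT, "reasons": reasons})
        supply += amount
    return alerts

# Constructed sample data: addresses and starting supply are placeholders.
TREASURY, HOLDER, UNKNOWN = ("0x" + b * 20 for b in ("aa", "bb", "cc"))
SAMPLE_LOGS = [
    make_log(HOLDER, TREASURY, 500),       # ordinary transfer
    make_log(ZERO, TREASURY, 10_000),      # routine mint to the treasury
    make_log(ZERO, UNKNOWN, 99_000_000),   # mint of the size reported above
]

if __name__ == "__main__":
    for alert in find_suspicious_mints(SAMPLE_LOGS, 10_000_000 * UNIT, {TREASURY}):
        print(alert)
```

In production the same check would run against a node's log stream and pause trading or page an operator before the minted supply reaches a liquidity pool.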

Execution and Liquidation

Following the minting event, the exploiter swapped the $TSR tokens for approximately 2.5 million USDT. This massive influx of unbacked supply caused the market value of $TSR to collapse by approximately 99%. Liquidity on the TSR/USDT pair, primarily on PancakeSwap, was effectively drained during the dump, with the project’s market capitalization falling from roughly $4 million to near-zero within hours.

Security firm PeckShieldAlert identified the exploiter’s primary address as 0x2201037A1755eC48eC5f00Fea21A10A9E56f2Dd8. Their analysis shows that the funds were bridged from the BNB Chain to the Ethereum network shortly after the liquidation of the minted tokens.

Fund Laundering via Tornado Cash

Once the assets reached Ethereum, the attacker initiated laundering procedures to obscure the transaction trail. PeckShield monitored the movement of 1,285.5 ETH (derived from the stolen USDT) into Tornado Cash, an OFAC-sanctioned privacy mixer. This method is frequently utilized by exploiters to break the deterministic link between the theft and the final withdrawal address.

The mechanics of the attack—mint, dump, bridge, and launder—mirror a series of recent exploits on the BNB Chain where administrative access was gained to project contracts. Similar patterns were observed in the 2025 UXLINK incident, where billions of unauthorized tokens were created and laundered through identical rails.

As of the time of reporting, TesseraDAO has not released a formal post-mortem or public statement regarding the status of the protocol’s remaining assets or potential recovery efforts. The $TSR token remains down over 99%, with minimal liquidity remaining in official pools.