TesseraDAO Unauthorized Mint Exploit

On June 1, 2026, TesseraDAO was drained for approximately $2.5 million when an attacker who had seized privileged minting control issued 99 million TSR tokens out of thin air on BNB Chain and immediately sold them, collapsing the token's price by nearly 99%.

What happened

The exploit hinged on control of the contract's privileged minting authority rather than a logic bug in the token itself. According to PeckShield, the attacker executed an unauthorized mint of roughly 99 million TSR at 11:38 UTC, then dumped the entire supply into the project's liquidity in a single burst of selling pressure. Because the minted tokens had no backing, the sell-off drained roughly $2.5 million in USDT of real liquidity while TSR's quoted price cratered to fractions of a cent. The classic infinite-mint signature — a sudden owner-controlled supply expansion followed by an instant exit — mirrors the Ankr / Helio cascade, where a stolen developer key minted 60 trillion aBNBc.

Aftermath

The attacker moved the proceeds into Tornado Cash, the OFAC-sanctioned mixer, consolidating roughly 1,285 ETH to obscure the trail — a strong signal that this was a deliberate theft rather than a white-hat action. TesseraDAO had not published a detailed post-mortem or recovery plan in the immediate aftermath, and holders were left exposed to a token that had lost almost all of its value within hours.

Why it matters

TesseraDAO is another reminder that a project's mint authority is its single most dangerous privilege: if a key or admin role controlling supply is compromised, no amount of audited token logic prevents an attacker from printing and dumping. The pattern recurs across the catalogue's BNB Chain private-key incidents, and the immediate hop into Tornado Cash underlines how quickly attackers now launder small- and mid-cap proceeds before any freeze can land.