
Verify a decision

Every moderation decision on AVOID.NET is anchored to the Solana blockchain. You don't have to trust us — you can verify cryptographically that we committed to a verdict at a specific moment and have not rewritten it.

How verification works

  1. We commit. When a moderator accepts/rejects a submission, we serialize the decision into deterministic UTF-8 bytes (payload_canonical_string), hash it with SHA-256, encode the digest as base58, and write it to Solana inside an SPL Memo v2 transaction.
  2. We store the bytes. The exact bytes we hashed are stored alongside the decision in our database. Anyone can read them and recompute the hash in any language.
  3. You compare three values. Database hash, your independently-recomputed hash, and the hash inside the on-chain memo. If all three match, the decision is authentic and timestamped.
The on-chain memo format is AVOID.NET|v1|h:<b58-sha256>|d:<id>|t:<iso>

Find a signature on any investigation page's decision log, or run python -m src.verify_decision --signature <sig> for a CLI check.

Sequence: #1
Score: (not populated)
Cluster: mainnet-beta
Slot: 426731581
Off-chain at: 2026-06-15T23:12:17.371Z
Anchored at: (not populated)
Block time: (not populated)

Independent verification

1. Database (off-chain): ETt4djMhDejGGL8td3Yp4grFcBKNHY54xVMHH2gmLd4L
2. Recomputed (your browser): computing…
3. On-chain (Solana memo): fetching…
Canonical bytes hashed (18998 chars)
{"actor":"system:backfill","investigation_id":"13d29193-f2f2-477a-b5c7-876e7898f65e","kind":"publish","page_slug":"tesseradao-tsr-token-unauthorized-mint-exploit","published_at":"2026-06-15T23:12:17.295Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"TesseraDAO TSR Token Unauthorized Mint Exploit","sections":[{"content":"At approximately 11:38:25 AM UTC on June 1, 2026, an attacker executed an unauthorized mint of 99 million TSR tokens on BNB Chain via address 0x2201037A1755eC48eC5f00Fea21A10A9E56f2Dd8, with proceeds directed to a secondary receiving wallet at 0x6f2b45B950d1739EF67C76F4106df6d6E84904cB. The mint originated from the contract's null (zero) address, a technical pattern consistent with either administrative key compromise or a critical flaw in the contract's minting logic. The minted tokens were immediately sold on PancakeSwap's TSR/USDT pair, generating approximately $2.5 million in USDT and collapsing the TSR price by approximately 99% — from a market capitalization of roughly $4 million to near-zero within hours. The exploit was first flagged publicly by on-chain analyst Specter (@SpecterAnalyst) and was subsequently confirmed and tracked by PeckShieldAlert. 
The initial transaction hash reported was 0x25093e573c116562c8839dc67a15ac21761271006a8dfe50b18fa475564bfcd1.","heading":"Exploit Overview","severity":"critical","sources":[{"credibility":2,"name":"TesseraDAO TSR Token Crashes 99% Following 99M Token Mint Exploit — Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/2026/06/02/tesseradao-tsr-plunges-99-after-attacker-mints-99m-tokens/"},{"credibility":2,"name":"TesseraDAO ($TSR) $2.5M Exploit on BNB Chain via Unauthorized Mint — The Cryptocurrency Post","type":"news_article","url":"https://thecryptocurrencypost.net/tesseradao-tsr-25m-exploit-on-bnb-chain-via-unauthorized-mint/"},{"credibility":2,"name":"PeckShield Says TesseraDAO Exploit Minted 99 Million TSR, Stole 2.5 Million USDT — Bloomingbit","type":"news_article","url":"https://en.bloomingbit.io/feed/news/113373"}]},{"content":"Multiple sources characterize the attack as an ownership takeover, meaning the attacker gained privileged access to the TSR token contract's administrative minting function. The precise method by which this access was obtained has not been publicly disclosed by TesseraDAO or any identified security researcher as of the date of reporting. Possible vectors include phishing or social engineering against a key holder, exfiltration of a private key from an insecure storage environment, or exploitation of a vulnerability in a contract upgrade or ownership-transfer mechanism. The technical signature — tokens minted from the zero address rather than transferred from an existing supply — confirms that the minting function itself was invoked with administrative authority, rather than tokens being drained from an existing pool or treasury. The attack pattern (mint, dump, bridge, launder) mirrors a documented series of BNB Chain incidents involving admin key abuse, including a prior UXLINK exploit cited by security researchers as a comparable precedent. 
The absence of a multi-signature wallet or time-lock on the minting function is noted by reporting as a structural governance risk that enabled the exploit.","heading":"Attack Vector: Ownership Takeover and Admin Key Compromise","severity":"critical","sources":[{"credibility":2,"name":"TesseraDAO Suffers $2.5 Million Exploit Following Ownership Takeover Attack — Crypto Economy","type":"news_article","url":"https://crypto-economy.com/tesseradao-suffers-2-5-million-exploit-following-ownership-takeover-attack/"},{"credibility":2,"name":"TesseraDAO ($TSR) $2.5M Exploit on BNB Chain via Unauthorized Mint — The Cryptocurrency Post","type":"news_article","url":"https://thecryptocurrencypost.net/tesseradao-tsr-25m-exploit-on-bnb-chain-via-unauthorized-mint/"},{"credibility":2,"name":"Hacker Drains $2.4 Million From TesseraDAO Through Unauthorized TSR Minting — UseTheBitcoin","type":"news_article","url":"https://usethebitcoin.com/news/tesseradao-hack-tsr-mint-exploit/"}]},{"content":"Following the initial token dump on PancakeSwap, the attacker bridged the stolen USDT proceeds cross-chain from BNB Chain to Ethereum. Once on Ethereum, PeckShieldAlert tracked the laundering of approximately 1,285.5 ETH — derived from converting the USDT proceeds — through Tornado Cash, a smart-contract-based cryptocurrency mixer. Tornado Cash was originally placed on the OFAC Specially Designated Nationals list in August 2022 but was removed from that list on March 21, 2025, following a Fifth Circuit ruling in Van Loon v. Department of the Treasury that found immutable smart contracts cannot constitute sanctionable 'property.' As of June 2026, use of Tornado Cash carries no direct U.S. sanctions liability, though the mixer remains a standard obfuscation tool for illicit fund flows and its use is closely monitored by blockchain analytics firms. 
The full chain of custody of proceeds beyond the Tornado Cash deposits has not been publicly traced.","heading":"Fund Movement and Laundering","severity":"critical","sources":[{"credibility":2,"name":"TesseraDAO TSR Token Crashes 99% Following 99M Token Mint Exploit — Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/2026/06/02/tesseradao-tsr-plunges-99-after-attacker-mints-99m-tokens/"},{"credibility":2,"name":"Exploit Hits Gnosis Pay, TesseraDAO Loses $2.5M as June Hacks Start to Climb — Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/exploit-hits-gnosis-pay-tesseradao-june/"},{"credibility":2,"name":"TesseraDao Was Attacked, Hackers Minted 99 Million TSR and Cashed Out $2.5 Million — ChainCatcher","type":"news_article","url":"https://www.chaincatcher.com/en/article/2268696"},{"credibility":1,"name":"Treasury Department Delists Tornado Cash Following the Fifth Circuit's Decision — Steptoe","type":"regulatory","url":"https://www.steptoe.com/en/news-publications/international-compliance-blog/treasury-department-delists-tornado-cash-following-the-fifth-circuits-decision.html"},{"credibility":1,"name":"Why OFAC Delisted Tornado Cash — CoinDesk","type":"news_article","url":"https://www.coindesk.com/policy/2025/04/05/why-ofac-delisted-tornado-cash"}]},{"content":"Several reporting outlets and community observers have raised the hypothesis that the exploit may represent an insider-executed exit, sometimes described as a 'rug pull,' rather than an attack by a third-party adversary. 
The indicators cited in support of this hypothesis include: (1) the attacker held or obtained administrative minting privileges sufficient to create 99 million tokens without triggering any on-chain access control, suggesting either insider access or access by a party with equivalent knowledge of key management; (2) TesseraDAO issued no public statement — no post-mortem, no incident disclosure, and no communication to token holders — as of the date of all known reporting; (3) the operational pattern (mint, dump, bridge, launder) is functionally identical to documented DeFi rug pull mechanics, regardless of whether the actor was internal or external. No law enforcement agency, regulatory body, or named security firm has formally concluded that the incident was an insider exit as of available reporting. The hypothesis remains alleged and has not been confirmed or refuted by TesseraDAO or any identified founding team member. The project's complete absence of public communication is, however, atypical for a legitimate project responding to an external exploit.","heading":"Potential Insider or Rug Pull Hypothesis","severity":"high","sources":[{"credibility":2,"name":"TesseraDAO TSR Token Crashes 99% Following 99M Token Mint Exploit — Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/2026/06/02/tesseradao-tsr-plunges-99-after-attacker-mints-99m-tokens/"},{"credibility":2,"name":"Hacker Drains $2.4 Million From TesseraDAO Through Unauthorized TSR Minting — UseTheBitcoin","type":"news_article","url":"https://usethebitcoin.com/news/tesseradao-hack-tsr-mint-exploit/"},{"credibility":2,"name":"$2.5M Drained From TesseraDAO After Ownership Takeover Attack — LiveBitcoinNews","type":"news_article","url":"https://www.livebitcoinnews.com/2-5m-drained-from-tesseradao-after-ownership-takeover-attack/"}]},{"content":"Prior to the exploit on June 1, 2026, the TSR token carried a market capitalization of approximately $4 million. 
Following the dump of 99 million newly minted tokens into the TSR/USDT PancakeSwap liquidity pair, the token price collapsed by approximately 99%, leaving the market capitalization at roughly $213,720 according to available reporting. The primary trading pair was TSR/USDT on PancakeSwap, which suffered liquidity drainage as the attacker converted the minted supply. Residual token holders were left with near-worthless positions, with no reported recovery mechanism, treasury reserve, or restitution plan announced by the project.","heading":"Token Price Impact and Market Damage","severity":"critical","sources":[{"credibility":2,"name":"TesseraDAO TSR Token Crashes 99% Following 99M Token Mint Exploit — Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/2026/06/02/tesseradao-tsr-plunges-99-after-attacker-mints-99m-tokens/"},{"credibility":2,"name":"TesseraDAO ($TSR) $2.5M Exploit on BNB Chain via Unauthorized Mint — The Cryptocurrency Post","type":"news_article","url":"https://thecryptocurrencypost.net/tesseradao-tsr-25m-exploit-on-bnb-chain-via-unauthorized-mint/"}]},{"content":"As of all known reporting through early June 2026, TesseraDAO has not issued any public response to the exploit. No incident post-mortem, no official communication to token holders, no acknowledgment via social media, and no recovery or compensation plan have been reported. This absence of communication is a significant transparency failure regardless of the exploit's origin. In comparable incidents involving genuine external exploits, projects typically issue preliminary statements within hours and detailed post-mortems within days. The complete silence of TesseraDAO following an event that wiped approximately 99% of token value and resulted in $2.5 million in losses is inconsistent with standard responsible disclosure practices. 
No identifiable founding team members, public advisors, or named project representatives have been reported in connection with the project in available sources, making accountability difficult to establish.","heading":"Project Transparency and Response Failures","severity":"high","sources":[{"credibility":2,"name":"Exploit Hits Gnosis Pay, TesseraDAO Loses $2.5M as June Hacks Start to Climb — Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/exploit-hits-gnosis-pay-tesseradao-june/"},{"credibility":2,"name":"TesseraDAO Suffers $2.5 Million Exploit Following Ownership Takeover Attack — Crypto Economy","type":"news_article","url":"https://crypto-economy.com/tesseradao-suffers-2-5-million-exploit-following-ownership-takeover-attack/"},{"credibility":2,"name":"TesseraDAO Hack Drains $2.5 Million as TSR Token Crashes Nearly 99% on BNB Chain — BitRss","type":"news_article","url":"https://bitrss.com/tesseradao-hack-drains-2-5-million-as-tsr-token-crashes-nearly-99-on-bnb-chain-216851"}]},{"content":"Security researchers and reporting outlets note that the TesseraDAO exploit follows a recognizable pattern of BNB Chain incidents in which projects retain centralized administrative minting keys without multi-signature controls, time-locks, or formal audits of access management. The Cryptocurrency Post and ChainCatcher both reference the UXLINK exploit as a prior comparable incident involving unauthorized token creation and identical laundering methods on BNB Chain. As of June 1, 2026, bridge-related and admin-key exploits in 2026 had accumulated $340.7 million in total losses across 14 incidents, according to Cryptopolitan's reporting context. The TesseraDAO incident represents approximately $2.5 million of those cumulative losses. 
The structural risk factor — a single administrative key with unrestricted minting authority over a token's total supply — has been identified as the root enabling condition for this class of exploit across multiple incidents.","heading":"Broader Context: BNB Chain Admin Key Risk Pattern","severity":"medium","sources":[{"credibility":2,"name":"Exploit Hits Gnosis Pay, TesseraDAO Loses $2.5M as June Hacks Start to Climb — Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/exploit-hits-gnosis-pay-tesseradao-june/"},{"credibility":2,"name":"TesseraDAO ($TSR) $2.5M Exploit on BNB Chain via Unauthorized Mint — The Cryptocurrency Post","type":"news_article","url":"https://thecryptocurrencypost.net/tesseradao-tsr-25m-exploit-on-bnb-chain-via-unauthorized-mint/"},{"credibility":2,"name":"TesseraDao Was Attacked, Hackers Minted 99 Million TSR and Cashed Out $2.5 Million — ChainCatcher","type":"news_article","url":"https://www.chaincatcher.com/en/article/2268696"}]},{"content":"Several material facts remain undisclosed or unverifiable as of available reporting. The precise root cause of the admin key compromise — whether phishing, private key exfiltration, insider access, or smart contract vulnerability — has not been confirmed by any security firm or by TesseraDAO. No verified founding team members, developers, or project advisors have been publicly identified in connection with TesseraDAO, making attribution of responsibility difficult. The TSR token contract address on BNB Chain has not been confirmed in available secondary sources despite the attacker address (0x2201037A1755eC48eC5f00Fea21A10A9E56f2Dd8) being documented. No law enforcement referral, regulatory investigation, or blockchain analytics firm engagement has been publicly announced. 
Whether any portion of stolen funds remains recoverable or traceable beyond Tornado Cash deposits is unknown.","heading":"Unknown Factors and Information Gaps","severity":"medium","sources":[{"credibility":2,"name":"PeckShield Says TesseraDAO Exploit Minted 99 Million TSR, Stole 2.5 Million USDT — Bloomingbit","type":"news_article","url":"https://en.bloomingbit.io/feed/news/113373"}]}],"sources_used":[{"credibility":2,"name":"TesseraDAO TSR Token Crashes 99% Following 99M Token Mint Exploit — Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/2026/06/02/tesseradao-tsr-plunges-99-after-attacker-mints-99m-tokens/"},{"credibility":2,"name":"TesseraDAO Suffers $2.5 Million Exploit Following Ownership Takeover Attack — Crypto Economy","type":"news_article","url":"https://crypto-economy.com/tesseradao-suffers-2-5-million-exploit-following-ownership-takeover-attack/"},{"credibility":2,"name":"Exploit Hits Gnosis Pay, TesseraDAO Loses $2.5M as June Hacks Start to Climb — Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/exploit-hits-gnosis-pay-tesseradao-june/"},{"credibility":2,"name":"TesseraDAO ($TSR) $2.5M Exploit on BNB Chain via Unauthorized Mint — The Cryptocurrency Post","type":"news_article","url":"https://thecryptocurrencypost.net/tesseradao-tsr-25m-exploit-on-bnb-chain-via-unauthorized-mint/"},{"credibility":2,"name":"Hacker Drains $2.4 Million From TesseraDAO Through Unauthorized TSR Minting — UseTheBitcoin","type":"news_article","url":"https://usethebitcoin.com/news/tesseradao-hack-tsr-mint-exploit/"},{"credibility":2,"name":"PeckShield Says TesseraDAO Exploit Minted 99 Million TSR, Stole 2.5 Million USDT — Bloomingbit","type":"news_article","url":"https://en.bloomingbit.io/feed/news/113373"},{"credibility":2,"name":"TesseraDAO Hack Drains $2.5 Million as TSR Token Crashes Nearly 99% on BNB Chain — 
BitRss","type":"news_article","url":"https://bitrss.com/tesseradao-hack-drains-2-5-million-as-tsr-token-crashes-nearly-99-on-bnb-chain-216851"},{"credibility":2,"name":"$2.5M Drained From TesseraDAO After Ownership Takeover Attack — LiveBitcoinNews","type":"news_article","url":"https://www.livebitcoinnews.com/2-5m-drained-from-tesseradao-after-ownership-takeover-attack/"},{"credibility":2,"name":"TesseraDao Was Attacked, Hackers Minted 99 Million TSR and Cashed Out $2.5 Million — ChainCatcher","type":"news_article","url":"https://www.chaincatcher.com/en/article/2268696"},{"credibility":2,"name":"Exploit Hits Gnosis Pay, TesseraDAO Loses $2.5M as June Hacks Start to Climb — Bitget News","type":"news_article","url":"https://www.bitget.com/amp/news/detail/12560605440181"},{"credibility":1,"name":"Why OFAC Delisted Tornado Cash — CoinDesk","type":"news_article","url":"https://www.coindesk.com/policy/2025/04/05/why-ofac-delisted-tornado-cash"}],"summary":"On June 1, 2026, an attacker leveraged a compromised admin key on BNB Chain to mint 99 million TSR tokens outside TesseraDAO's normal supply controls, swapping them for approximately $2.5 million in USDT and collapsing the TSR token price by approximately 99%. The exploiter subsequently bridged the stolen proceeds to Ethereum and laundered approximately 1,285.5 ETH through Tornado Cash. As of the date of reporting, TesseraDAO issued no public statement, raising unresolved questions about whether the incident constituted an external key compromise or an insider-orchestrated exit.","timeline":[{"date":"2026-06-01","event":"At approximately 11:38:25 AM UTC, attacker address 0x2201037A1755eC48eC5f00Fea21A10A9E56f2Dd8 minted 99 million TSR tokens from the null address on BNB Chain using compromised admin access. 
Tokens were immediately sold on PancakeSwap TSR/USDT pair for approximately $2.5 million USDT, collapsing the TSR price by 99%.","source":"Crypto Times, The Cryptocurrency Post","source_url":"https://www.cryptotimes.io/2026/06/02/tesseradao-tsr-plunges-99-after-attacker-mints-99m-tokens/"},{"date":"2026-06-01","event":"Stolen USDT proceeds bridged cross-chain from BNB Chain to Ethereum. Approximately 1,285.5 ETH laundered through Tornado Cash on Ethereum by the exploiter.","source":"Cryptopolitan, ChainCatcher, PeckShieldAlert","source_url":"https://www.cryptopolitan.com/exploit-hits-gnosis-pay-tesseradao-june/"},{"date":"2026-06-02","event":"On-chain analyst Specter (@SpecterAnalyst) publicly flags the exploit approximately 19 hours after the mint transaction. PeckShieldAlert confirms and documents the attack chain: mint, dump, bridge, launder. Multiple crypto news outlets publish reports.","source":"Crypto Times, The Cryptocurrency Post, UseTheBitcoin","source_url":"https://www.cryptotimes.io/2026/06/02/tesseradao-tsr-plunges-99-after-attacker-mints-99m-tokens/"},{"date":"2026-06-02","event":"TesseraDAO issues no public response. No official statement, post-mortem, or communication to token holders is recorded as of reporting date.","source":"Crypto Economy, BitRss","source_url":"https://crypto-economy.com/tesseradao-suffers-2-5-million-exploit-following-ownership-takeover-attack/"}]},"v":1}