← All Reports

TesseraDAO Investigation: NFT Fractionalization Exploit

📅 2025-06-03
nft fractionalization exploit tesseradao

TesseraDAO Security Incident Investigation Report

Date: June 2, 2026

Loss Amount: ~$2.5M USDT

Status: Project Team Unresponsive

Executive Summary

On June 1, 2026, TesseraDAO was attacked on BNB Chain. The attacker minted approximately 99 million TSR tokens and quickly dumped them, causing the token price to crash 99%, dropping from normal price to approximately $0.0002. The project team has not released any official statement to date.

Attack Vector Analysis

Attack Path

  • Minting Phase: Attacker minted 99,000,000 TSR tokens through the project's smart contract
  • Exchange Phase: Swapped TSR for approximately 2.5 million USDT on decentralized exchanges
  • Cross-Chain Phase: Bridged stolen funds from BNB Chain to Ethereum
  • Money Laundering Phase: Obfuscated 1,285.5 ETH transactions through Tornado Cash

    • Technical Details

    | Metric | Data |

    |--------|------|

    | Attacker Address | 0x2201037A1755eC48eC5f00Fea21A10A9E56f2Dd8 (BSC) |

    | Minted Token Amount | 99,000,000 TSR |

    | Illicit Gains | ~2,500,000 USDT |

    | Tornado Cash Laundering | 1,285.5 ETH |

    Key Suspicion: Likely Rug Pull

    On-chain analysts strongly suspect this was not an external hack but insider involvement or privilege abuse:

    • Minting privileges and MultiTransfer functionality are exclusively controlled by deployer-related addresses
    • Attacker address has connections to the project deployer
    • Project team remains silent—a typical Rug Pull characteristic
    • Not discovered and publicly disclosed by security firms until 19 hours later

    2026 BNB Chain Attack Pattern Comparison

    | Project | Date | Loss | Pattern |

    |---------|------|------|---------|

    | DxSale | Early June | $7.3M | Legacy architecture + ownership transfer |

    | TesseraDAO | June 2 | $2.5M | Mint+dump+suspected insider |

    | Specter | May | ~$2M | Token contract vulnerability |

    Data Sources

    • PeckShieldAlert: https://x.com/PeckShieldAlert/status/2061713210210988434
    • CryptoCompass: https://cryptocompass.com/articles/tesseradao-hack-drains-2-5-million-as-tsr-token-crashes-nearly-99-on-bnb-chain
    • BSCScan: https://bscscan.com/address/0x2201037A1755eC48eC5f00Fea21A10A9E56f2Dd8

    Risk Warnings

  • Beware of "Centralized Mint Authority": If projects retain single-point minting capability, user funds are never safe
  • Pay Attention to Project Silence: Projects that don't respond after an attack are often心虚 (guilty) Rug Pulls
  • DeFi Security Requires Systematic Auditing: Pre-launch audits alone are insufficient for long-term security