DeFi lending protocol CREAM Finance has been exploited for $130M. This is the third-largest attack to have occurred in the DeFi space. Sources say that the attacker made a $117M gain on the exploit.

C.R.E.A.M. Finance is a decentralized lending protocol for individuals, institutions and protocols to access financial services. Users passively holding ETH or BTC can deposit their assets on C.R.E.A.M. to earn yield, similar to a traditional savings account. It is the latest example of hackers finding loopholes in open-source code using flash loans, which are loans executed without collateral as long as they’re repaid within one blockchain block.

The attacker wrote a message in the transaction: “gÃTµ Baave lucky, iron bank lucky, cream not. ydev : incest bad, dont do.” This appears to imply that CREAM’s Iron Bank is untouched.

The community has discussed shorting the CREAM token as a way of recovering some of the lost money. The CREAM token declined 25%, from $156.85 to $116.68, yesterday. The protocol has had at least three other breaches. In the most recent one, $23M was lost due to a bug.

“We are investigating an exploit on C.R.E.A.M. v1 on Ethereum and will share updates as soon as they are available,” the CREAM Twitter account said.