Cream Finance — a Taipei-based decentralized lending platform — saw yet another hack, in what could be one of the biggest flash-loan attacks in decentralized finance (DeFi) history.

Cream Finance today confirmed in a tweet that it has been exploited and lost about US$130 million worth of tokens.

“Our Ethereum C.R.E.A.M. v1 lending markets were exploited and liquidity was removed on October 27, 1354 UTC,” the company said in the tweet.

The DeFi platform said that it has halted its “v1 lending markets” on Ethereum and it is in the process of putting together a post-mortem review.

In the wake of the latest exploit, Cream Finance’s token CREAM plummeted 25.8% in the last 24 hours to US$110.97 as of Thursday afternoon Asia time, according to data from CoinGecko.

This is not the first time Cream Finance has suffered an exploit. In February, it faced an exploit where hackers used DeFi protocol Alpha Finance to take out about US$38 million.

In August, Cream Finance saw another exploit, which eventually led to a US$35 million loss, but it said in a post mortem at the time that it would replace the stolen cryptocurrencies to make sure there was no liquidity issue for its users. In October, Cream tweeted that it retrieved most of the stolen funds from the attacker.

Some other DeFi platforms have also seen major attacks. In August, another DeFi platform, Poly Network, suffered a US$600 million hack, though the hacker later returned the stolen assets. In the same month, Japanese crypto exchange Liquid suffered a loss of over US$90 million in an attack, which siphoned Bitcoin, Ethereum, Tron and XRP tokens from the exchange. Liquid obtained a US$120 million loan from fellow exchange FTX to cover losses.

Security experts are analyzing the spate of hacks for signs of vulnerability. “The three hacks that Cream Finance has experienced are all related to flash loans, and the hackers from the [August attack] returned [most of] the stolen funds,” Sun Huang, general manager and vice president for security development operations at XREX Inc., a Taipei-headquartered crypto-fiat exchange and trade technology platform, told Forkast.News. “This time we can expect the hacker to return as well, especially when the tracking technology for blockchain has become more mature and many could catch the hints and chase down attackers.” 

Huang said that DeFi platforms are built on the basis of smart contracts, and once smart contracts show signs of insecurity in design, an exploit could easily occur. “From the perspective of an information security expert, I’d recommend users to go with DeFi platforms that have secured reviews from at least two security firms, with regular checks for updates. Some platforms would lure users with high annual percentage yields but they often lack security protection.”

Correction: October 28, 2021

An earlier version of this story misstated that attackers in Cream’s prior two hacks returned monies. Only the attacker in the second hack, in August, has returned funds.