The multibillion-dollar crypto loan industry reminded the world how vulnerable it is when Cream Finance was hacked for a third time, losing $130 million of its customers’ money in the third-largest theft ever for decentralized finance (DeFi).

Crypto lending is similar to having a savings account in a bank, where you deposit money and the bank lends it to clients and pays you interest. Cream and other DeFi services put users’ crypto in a pool to be lent out by the platform in return for interest, usually paying much more than what banks offer. However, bank funds are federally insured while funds put in a crypto platform are not. 

The interest rates offered by crypto lending are tantalizing. Annual interest rates on crypto loans range from 4 percent to 15 percent.

Cream was the victim of a flash loan attack. Flash loans are uncollateralized cryptocurrency loans that have to be paid back instantly using smart contracts. They’re used for things like arbitrage across exchanges. The loan and the repayment happen simultaneously in the same transaction, so if the money isn’t paid back, then it never happens, Vice reported.

Platform offering uncollateralized loans (“flash loans”) pitched as risk-free suffers its third hack this year where attackers exploit the no-risk loans to siphon hordes of cryptocurrency https://t.co/oZGLrmXLPe

— Edward Ongweso Jr (redacted spooky) (@bigblackjacobin) October 28, 2021

Built on the Ethereum blockchain, Cream has had two other flash loan attacks, losing $37.5 million in February and then another $18.8 million in August for a collective loss of more than $500 million, The Block Crypto reported. The largest-ever DeFi hack took place in August when the PolyNetwork protocol had $600 million worth of crypto tokens stolen.

Analysts on social media said the Cream hack was an incredibly complex transaction for a flash loan and allowed the hacker to drain Cream’s Ethereum-based lending pools.

For hackers, flash loans are a way to exploit poorly protected protocols, Bloomberg reported.

“This, unfortunately, highlights one of the (big) risks in DeFi right now,” said Stephane Ouellette, CEO and co-founder of FRNT Financial Inc. in a Bloomberg interview. “First, tokens representing very new projects are trading at very large, arguably inflated valuations. Two, the overwhelming majority of the platforms are within a year old, which implies unproven technology.”

“At the end of the day, DeFi is still a far more dangerous spot to park your money with risks not well-understood by the average investor,” Harvard Business Review reported. “All DeFi protocols run the risk of software bugs and/or copycats that can, in the worst case, drain liquidity completely. In addition, there is obviously no FDIC insurance protecting the deposits.”

The hack was reported by Cream in a tweet Wednesday. “We were able to identify the vulnerabilities and patch them,” Cream tweeted. “In the meantime, we’ve paused our v1 lending markets on Ethereum and we’re in the process of putting together a post-mortem review. We apologize to our users and community for this unfortunate incident and thank you for your support.”

The price of Cream fell within minutes from $152 to $111 on the news — a 27-percent drop, according to CoinGecko. It was trading at $109 as of this writing.