Cream Finance, a lending protocol based on the Ethereum network, has lost $130m of assets in one of the biggest DeFi thefts to date.

The team behind Cream Finance confirmed its lending markets had been targeted by a large flash loan transaction, a type of exploit which is frequently used by hackers to target vulnerabilities in lending protocols.

“The attacker removed a total of ~$130m USD worth of tokens from these markets,” the team wrote. “With the help of friends from @iearnfinance and others in the community, we were able to identify the vulnerabilities and patch them.”

The hacker concealed an unusual message in a string of code which accompanied the transaction used for the attack. They said: “gÃTµ Baave lucky, iron bank lucky, cream not. ydev : incest bad, dont do,” in a comment which seemed to refer to Aave and Iron Bank, two other lending protocols.

The funds were initially sent to a single address, but have since been sent to multiple addresses and liquidity pools.

Yesterday’s attack was not the first to hit Cream: earlier exploits drained $38m of funds in February and almost $19m in August.

The protocol announced that it had paused its lending markets on Ethereum while the company puts together a post-mortem review of the attack.

The attack, the largest in the history of DeFi, brings the total amount stolen in DeFi attacks to $403m, according to data from The Block. While over $600m was stolen in an exploit of Poly Network earlier this year, the majority of the funds were later returned.
