With a bug that's trivial to exploit, you've got hundreds of people exploiting it; with a bug that's hard to exploit, you've got maybe only yourself or your agent exploiting it.
Which of the two do you think will more likely come back to haunt you? The one where any authorities investigating will need to dig up the backgrounds and connections of hundreds of blockchain addresses exploiting the transaction, or the one where only a single address exploits the transaction? Won't their attention be primarily on those idiots who try to withdraw the money in the US, say, vs that one transaction out of hundreds where someone in Barbados had their proceeds deposited into a bank and withdrawn as cash before closing the bank account (that they opened with a false identity, maybe?).
When there's a single account performing the exploit, all of the investigative resources will be applied immediately to that account, making it far more likely that the account in question will be tracked up to the point of withdrawal, and potentially flagged in time to prevent such a withdrawal. With hundreds of others distracting any authorities, it becomes hundreds of times harder to track down the original perp.
Think of those heist movies where someone throws a handful of cash up in the air to help avoid pursuit. Same idea.
Seems very unlikely. If it was a deliberate bug, the contract wouldn’t have been slowly drained over hours. The attacker would have known how to exploit well ahead of time, and had transactions/contracts/infra ready to grab the full $190 million inside one or two blocks.
As SomeCallMeTim says in another comment, the other withdrawals make great cover.
I have zero evidence for my "deliberate sabotage" theory. OTOH it seems entirely plausible and in line with the general scamminess of many cryptocurrency systems. OrangeMonkey's comment expounds better on the social and legal aspects that make deliberate fraud such an attractive possibility: https://news.ycombinator.com/item?id=32318939
The sabotage theory requires the saboteur to predict that they can get enough of the gains, and that competition doesn’t cause fees to rise (losing gains to fees).
There was another bug where someone tried to grab the coins without broadcasting the bug into the pool (by using a well-designed double transaction), but they made a slight mistake, and other traders immediately took the coins instead by algorithmically detecting the bug (as soon as the example transaction was published on the blockchain) then algorithmically generating transactions.