Summary: Their "smart" contract was accidentally programmed to accept a proof-less message as full root access.

if (authorization == 0) then accept_transaction(withdraw $150mil) print "oops".

No.

Their smart contract was "accidentally" programmed to accept a proof-less message as full root access.

And some people wonder why many are rather hesitant to trust these new products...

It’s “trustless” ;)

I’ll never initialize my variables ever again, I promise!