Everytime I see a story like this I wonder if the exploit was left intentionally for the founders and developers to exploit one way or another. Even if they themselves do not take the money it would be trivial to sell the exploit for some form of delayed (and more easy to launder) payment.