Comment by drak0n1c

4 months ago

In this case yes - everything went by the design and law of the underlying code. There was no exploited bug or vulnerability flaw besides human laziness here.

1) Their multi-signature wallet signing employees lazily clicked through in unison to approve a new smart contract without examining the contents to see if it was unusual.

2) Bad security architecture to keep too much in a single wallet that wasn't properly kept cold. There should have been a few fully cold wallets that only rarely transact with mostly-cold intermediary "airlock" wallets, which are also separated from the exchange operations and wallets. The signers also need to be different combinations of people for each of those wallets - preferably with some of those signers being additionally liable third-party technical experts.

>There was no bug or vulnerability flaw

When code is law, there can't be any bugs or vulnerabilities, only features.