(TL;DR: a combination of reentrancy and old token approvals that were never revoked)
smart contracts are a genius-level invention! with the exact same security and threading model as a 90s PHP site, where every built-in function you can call has a laundry list of potential security issues, and fastening a new language and type system onto the same broken API appears, provably, to do nothing about the combinatorial explosion of possible security issues
because none of this was ever about computer science; it was all always just affinity fraud targeted at mediocre nerds
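The mechanism the TL;DR names, as an added worked example that is not part of the original post and not any real project's code: a Python model of EVM call semantics (contracts as objects, msg.sender passed as an explicit first argument) in which a swap router that many users have approved calls out to a caller-chosen "pool", the pool re-enters the router's payment callback naming a victim as the payer, and the router, holding the victim's standing allowance, executes the transferFrom. The hardened router and the user-side fix (revoking the stale allowance) sit beside it. The router, pool, token and account names, balances and the attacker's route are all constructed for this illustration.

```python
# Added illustration, not code from the original post or from any real project:
# a Python model of the "reentrant callback + stale approval" pattern.
# Contracts are Python objects; msg.sender is the explicit first argument of
# every external call. All names, balances and the attack route are constructed.

UNLIMITED = 2**256 - 1  # what most wallets grant when the user clicks "approve"


class Token:
    """Minimal ERC-20: balances, allowances, transferFrom."""
    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}  # (owner, spender) -> amount

    def approve(self, sender, spender, amount):
        self.allowances[(sender, spender)] = amount

    def transfer_from(self, sender, owner, to, amount):
        allowed = self.allowances.get((owner, sender), 0)
        if allowed < amount or self.balances.get(owner, 0) < amount:
            raise PermissionError("transferFrom: insufficient allowance or balance")
        if allowed != UNLIMITED:  # an unlimited allowance never shrinks
            self.allowances[(owner, sender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


class VulnerableRouter:
    """Router many users have approved. It calls a pool; the pool calls back to
    collect payment. Defects: the pool is not validated, the payer is read from
    data the pool supplies, and in-flight state is never cleared."""
    def __init__(self):
        self.last_called_pool = None

    def swap(self, sender, pool, amount_in, data):
        self.last_called_pool = pool
        pool.swap(self, amount_in, data)  # external call: the re-entry point

    def swap_callback(self, sender, amount, data):
        if sender is not self.last_called_pool:  # true, but the attacker chose the pool
            raise PermissionError("callback from unexpected caller")
        token, payer = data  # attacker-controlled: can name anyone who approved us
        token.transfer_from(self, payer, sender, amount)


class HardenedRouter:
    """Same flow with the fixes: pools come from a known set, the payer is the
    account that started the swap, and in-flight state is cleared afterwards."""
    def __init__(self, known_pools):
        self.known_pools = set(known_pools)
        self.last_called_pool = self.payer = None

    def swap(self, sender, pool, amount_in, data):
        if pool not in self.known_pools:
            raise PermissionError("unknown pool")
        if self.last_called_pool is not None:
            raise RuntimeError("reentrant swap")
        self.last_called_pool, self.payer = pool, sender
        try:
            pool.swap(self, amount_in, data)
        finally:
            self.last_called_pool = self.payer = None

    def swap_callback(self, sender, amount, data):
        if sender is not self.last_called_pool:
            raise PermissionError("callback from unexpected caller")
        token, _ = data  # whatever the pool says about the payer is ignored
        token.transfer_from(self, self.payer, sender, amount)


class HonestPool:
    def swap(self, router, amount, data):
        router.swap_callback(self, amount, data)  # collect amount_in from the swapper


class AttackerPool:
    """Attacker contract posing as a pool: when called, it re-enters the router's
    callback naming a victim as payer and the victim's whole balance as amount."""
    def __init__(self, token, victim):
        self.token, self.victim = token, victim

    def swap(self, router, amount, data):
        router.swap_callback(self, self.token.balances[self.victim], (self.token, self.victim))


def run_attack(hardened, revoked):
    """Return (victim balance, attacker balance, error message) after the attack."""
    token = Token({"alice": 1_000})
    router = HardenedRouter(known_pools=[]) if hardened else VulnerableRouter()
    token.approve("alice", router, UNLIMITED)  # alice used the router once, long ago
    if revoked:
        token.approve("alice", router, 0)  # ...and later revoked the allowance
    pool = AttackerPool(token, victim="alice")
    error = None
    try:
        router.swap("mallory", pool, 0, None)
    except Exception as exc:
        error = str(exc)
    return token.balances["alice"], token.balances.get(pool, 0), error


def run_legit_swap():
    """The hardened router still works: an honest pool is paid by the real caller."""
    token = Token({"mallory": 500})
    pool = HonestPool()
    router = HardenedRouter(known_pools=[pool])
    token.approve("mallory", router, 500)
    router.swap("mallory", pool, 200, (token, "someone-else"))  # payer in data is ignored
    return token.balances["mallory"], token.balances[pool]
```

Python is used instead of Solidity so the scenario runs without an EVM toolchain; the call structure (external call into a caller-chosen pool, callback back into the router, transferFrom under a standing allowance) is the same. `run_attack(False, False)` drains alice through the vulnerable router; `run_attack(False, True)` shows that revoking the old allowance alone is enough to stop it even with the bug still present, which is the "old approvals" half of the TL;DR; `run_attack(True, False)` shows the router-side fix rejecting the attacker's pool before any callback happens.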