Seems very unlikely. If it was a deliberate bug, the contract wouldn’t have been slowly drained over hours. The attacker would have known how to exploit well ahead of time, and had transactions/contracts/infra ready to grab the full $190 million inside one or two blocks.
As SomeCallMeTim says in another comment, the other withdrawals make great cover.
I have zero evidence for my "deliberate sabotage" theory. OTOH it seems entirely plausible and in line with the general scamminess of many cryptocurrency systems. OrangeMonkey's comment expounds better on the social and legal aspects that make deliberate fraud such an attractive possibility: https://news.ycombinator.com/item?id=32318939
The sabotage theory requires the saboteur to predict that they can get enough of the gains, and that competition doesn’t cause fees to rise (losing gains to fees).
There was another bug where someone tried to grab the coins without broadcasting the bug into the pool (by using a well designed double transaction), but they made a slight mistake, and other traders immediately took the coins instead by algorithmically detecting the bug (as soon as the example transaction was published on the blockchain) then algorithmically generating transactions.
