Or, more likely than stealing their SSL keys, found a “vulnerability” that caused whatever string the smart contract is looking for to appear in a signed request from the server. I put vulnerability in quotes because it's not clear to me that that is not something banks would consider part of their threat model.
It's kind of like how SMS messages worked fine until “if I can read an SMS sent to your number I can withdraw from your account” became part of the threat model.
It's kind of like how SMS messages worked fine until “if I can read an SMS sent to your number I can withdraw from your account” became part of the threat model.