by bouncycastle 1349 days ago
Hate to be that guy, but someone has to say it... In this case the code worked as expected and the "attacker" played within the rules of the game. Except they "won" too much. That's not supposed to happen.
3 comments

Creating and selling worthless tokens = Entrepreneur

Obtaining someone else's tokens because code had flaw = Hack

"As expected" is doing a lot of lifting here. In some sense, this is true for all hacks. The code is just doing what you told it to do when it returns to some gadget in libc after the return address is smashed.

All exploits are making a program do what it says it does but where that behavior is different than what the developers hoped it would do.

Not quite. Per this other comment[1], there's a difference between correctness vs fitness for purpose. The code was correct -- if, previously, you had walked through the logic of the attack with them, the coders would have said, "yep, that's what we want it to do -- lend that much, based on those oracles' prices".

They just didn't realize that there are dangers of using a price oracle for collateral valuation that has recently shown a sharp upward movement. (Which falls under "fitness for purpose".)

So the code correctly lent to someone at Mango's current valuation, it just didn't require the optimal-in-hindsight collateral ratio for such a volatile asset.

[1] https://news.ycombinator.com/item?id=33173028

We’re laughing at the game creators. They’re the ones who decided to rewrite the rules, often with little understanding of economics.