The exchange is still liable to the people who want to buy/sell just like when a bank gets robbed they can't tell you "sorry, your money was stolen so we can't honor your withdrawal request". The exchange is even more liable because it was an error in their script that caused the problem, ergo their fault the money is gone. When a bank is robbed you can't blame the bank unless they have really sub-standard security in place that invites robbery, which can also be equated to this particular case. One can easily argue that the code wasn't sufficiently secure from error and that puts the liability on the exchanger.

In any event, no users funds are compromised as we understand the risks.

While we ourselves do not state to offer guarantees for such things. We are fully cognizant such things can occur however no amount of testing can predict every occurrence. We keep an offline wallet exactly for cases like this and although we don't publicly state it, there are certain things we guarantee. This is one of them at least in this specific instance.