Pure curiosity, suppose OP managed to withdraw 10mBTC before you can finish your investigation and managed to learn that OP actually [let's assume for the sake of a narrative here] cheated the system, completely and entirely, through and through. You'll absorb the loss suffered from his withdrawal that he's not legally entitled to? Again, pure curiosity, I'm not scrutinizing or doubting you here.
Correct, if that were the case and the user manages to withdraw the funds before we can prove an exploit, we are responsible for the loss incurred.