Board: Gambling
Re: Just-Dice reopening for business
by dooglus on 17/09/2014, 16:26:32 UTC
It doesn't necessarily need to be open source, it could just be shared with a trusted group of coders for review. Then the code on the server could be hashed regularly and that hash compared to the hash of the code that had been reviewed. Any code changes would quickly be obvious to anyone who bothered to check.

The problem is that you (the player) can't know that I don't have two copies of the code - the one I hash (the public version) and the one I really run (which cheats you).

I would have to grant server access to a trusted auditor who could check what code was actually running. He would have to have access any time he liked (or I could replace the bad code with good code just before letting him in each time). Then there's the problem that the code that is running (in RAM) isn't necessarily the same code that currently resides on the hard drive. I could swap to the bad code just for the fraction of a second it takes to start the server, then switch back to the good code the rest of the time so it looks good for the auditor.

I could even go as far as to tamper with the nodejs interpreter to have it misinterpret the (good) code that it loads and do bad things. See Ken Thompson's famous paper or the discussion of it on Wikipedia if you don't understand what I'm getting at here.

Basically, if you have root access to the box running the server you can make it act in bad yet undetectable ways if you want to badly enough. And even if you couldn't, you could still run off with the cold wallet when it got big enough.