After following the DeFi space for over a year now, I've come to the conclusion that "code is law" is a fallacy. If you come into possession of funds that were not intended to be in your possession by exploiting bugs or vulnerabilities, and other parties are significantly harmed in this process, then you will be in a position to face criminal charges... Well, that is unless one can maintain anonymity indefinitely. Once anonymity is lost, law enforcement may come for you.
The best thing you can do (and the moral thing to do) is to submit for a bug bounty in case you find a critical bug in a blockchain/protocol.
Funny that it's kind of the same paradox as robbing a bank the old-fashioned way. Congrats, you have millions of dollars of cash, good luck spending it without anyone asking "hey where'd you get all this money" / bragging to a friend