Anybody know if the legality of exploiting leaky smart contracts has been tested? Since a lawyer can exploit a badly written contract I wonder if somebody who finds a flaw in a smart contract can legally just jack all the coins or alternatively, write purposely obfuscated contracts (underhanded Solidity contest) to run a scam.
> I wonder if somebody who finds a flaw in a smart contract can legally just jack all the coins
One way to interpret this legally is to assume that smart contracts are in fact enforceable legal contracts. (Most promises about exchanging stuff are enforceable legal contracts, so this is plausible.) The general first-year-contracts answer is then that it depends on the expressed intent of the parties.
Take two extreme examples:
(1) I put an ether bounty in a smart contract and say anyone who can exploit the contract can have it. Definitely legal to exploit (and I can be held to the promise).
(2) I hire you to review my smart contract for exploitable flaws, and instead you exploit the flaws. Definite breach of contract.
The real situation is neither of those, but you can see how expressed intent matters.
So the question is what's the actual expressed exchange of promises between the parties to a given smart contract? And here I think some of the code-is-contract statements around Ethereum tilt things toward my (1) example - the text advertisements for the DAO have a bunch of stuff to set the expectation that whatever the code says, goes. But that would be up for debate in court.
(And then there's lots of non-contract ways to slice this, from computer fraud to gambling law to securities law to...)
It is an interesting question. In addition to any common law covering contracts, there are also some statutes that specifically cover interactions on a computer, like the Computer Fraud and Abuse Act. These laws often refer to "intended use" or "exceeding authorized access". IANAL, but it seems complicated enough that we probably won't really know the answers until a few cases are litigated.