x += y;

This looks like addition, but it's not. That's because they aren't "numbers" but "32-bit unsigned integers". The operation can overflow.

(gᵃ mod p)ᵇ mod p = gᵃᵇ mod p

But also:

gᵃᵇ = gᵇᵃ

Hence:

(gᵃ mod p)ᵇ mod p = (gᵇ mod p)ᵃ mod p

(gᵃ mod p)ᵇ mod p = (gᵇ mod p)ᵃ mod p

Both sides have come to the same result, the agreed upon key, with the hacker being able to figure this out.