Adding support for matching orders by order hash directly be a huge help in combating the troll.

The troll can still place orders and force sell orders to have higher fees, but buyers can place orders with low fees and sellers can directly match them.

If we don't care about preserving best/bid offer, we could have order matching ONLY by order hash. That way sellers can place their orders, buyers can place their orders, and anyone who wants to make a trade can match directly. Troll orders would be completely ignored. Fees would be kept to the minimum of 0.0001.

it also disappeared from the balances.

and its not possible to withdraw BTC.

01:41:44 921908390: currently the only centralised exchange with xcp/btc pairs is poloniex. got about 85BTC in trade volume so far and hasn't been up for a day yet, not bad.
01:42:00 71298191: go and make a post about how much that site sucks and why 
01:42:19 71298191: and you will do the mankind a good thing 
01:42:24 921908390: well, it just got back up from heavy load
01:42:48 921908390: certainly isn't the smoothest experience, but beggars can't be choosers
01:42:51 71298191: its a scam
01:43:05 71298191: we found security issues on it in 5 minutes
01:43:07 921908390: I've only used it for first time today.
01:43:31 71298191: i'ts a scam or somebody will hack it very soon
01:43:39 71298191: both options are very possible and maybe even combined

From looking at the log of transactions it looks like the attacker's plan was:

1) Withdraw 35k XCP from Poloniex central wallet somehow
2) Redeposit the 35k XCP and dump for BTC
3) Withdraw BTC
4) Withdraw the same 35k XCP, this time permanently as the order book has thinned out and it no longer makes sense to dump for BTC.

I don't see where the XCP protocol is at fault here. The exploit has to do with the initial unauthorized withdrawal of 35k XCP from Poloniex's central wallet. There were no XCP double-spent, printed out of thin air, etc.

The withdrawal occurred without the use of Poloniex's withdrawal system. So, unless he hacked into the wallet server, which I am fairly certain is impossible because there is no route to connect to it on any port--and unless he decided, for some reason, to take only his 35,000 XCP after hacking into the wallet server--this was done in some other way. From his message, it sounded like he found a vulnerability that enabled him to send XCP from any address.

I don't see any evidence that Poloniex was hacked. The guy who dumped messaged me and said that the XCP protocol is not safe. It appears he is correct--there seems to be a major issue with XCP. People noticed that 35,000 XCP were withdrawn as soon as it was deposited--but this was not done using Poloniex's withdrawal system. I've asked the guy for more details. He says he has no intention of keeping the money he made off with.