What would you suggest? That's not snark, you seem to have your head on in a lot of areas. I'm not a programmer, so I got nothing to offer. But Poloniex is often the first exchange for a new coin, and they do have a good reputation overall. I was in fact about to register there when this came down. I can't risk it till this is resolved, but I would like to see it resolved.
If the operator was interested in truly doing the right thing, he would take the whole thing offline and spend a couple of months learning what he should have known before he started. Then spend a couple of months building it right from the ground up. Before the launch he could launch a test site with dummy accounts and data and offer a security challenge ( https://www.crowdcurity.com/ )*.
As for where to start, based on the responses given by the operator himself he lacks even the basic knowledge of proper database design and operation. Sorry if that is "harsh" but it is the reality. This isn't a "one wrong line of code" issue. He should start with a book which teaches fundamental concepts about how relational databases work. Normally I would recommend a freshman computer science book on database design and operation but honestly they are way overpriced (as all academic books are) and excessively wordy.
Something like the following would be a good proxy:
http://www.amazon.com/Database-Design-Mere-Mortals-Relational/dp/0321884493/
The idea that an experienced developer should either "shut up and stop being mean" or help the guy build it right for free is a false dichotomy. Top developers generally make $150K to $200K a year. If the site operator is willing to offer $80 an hour I am sure someone qualified would be willing to mentor him. However, based on his responses to the problem that money would likely be wasted at this point.
You can't just slap some additional code on a flawed design and expect it to be secure. The entire transaction processing engine probably needs to be rebuilt from the ground up to be ACID compliant. Due to the scope of the problem we don't know what other problems exist but I doubt the code in other critical areas (authentication and authorization) is better.
For the record I am not saying "don't use the site" or "you are an idiot for using the site". I am a libertarian; I don't really feel it is my business what you do with your money. However please don't be surprised when it happens again.
* Before I get accused of "do as I say, not as I do", BitSimple will be launching a challenge soon.
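To make the "ACID compliant" point concrete, here is an added illustration that is not part of the post and is not code from any exchange: a check-then-act withdrawal against a constructed SQLite schema, where two interleaved requests both pass the balance check, beside the atomic conditional update that rejects the second one. The schema, account id and amounts are all assumptions made up for the example.

```python
import sqlite3

# Constructed schema: one account holding 100 units; every payout is logged.
def fresh_db(balance=100):
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, "
                "balance INTEGER NOT NULL CHECK (balance >= 0))")
    con.execute("CREATE TABLE withdrawals (account INTEGER, amount INTEGER)")
    con.execute("INSERT INTO accounts VALUES (1, ?)", (balance,))
    con.commit()
    return con

def paid_out(con):
    return con.execute("SELECT COALESCE(SUM(amount), 0) FROM withdrawals").fetchone()[0]

def balance(con):
    return con.execute("SELECT balance FROM accounts WHERE id = 1").fetchone()[0]

def naive_withdraw_race(con, amount):
    """Check-then-act withdrawal, with two requests interleaved so that both read
    the balance before either writes it. Returns (total paid, final balance)."""
    seen = [balance(con), balance(con)]          # both handlers read 100
    for b in seen:
        if b >= amount:                          # both checks pass
            # Each handler writes back its own stale arithmetic (100 - 80 = 20),
            # so the CHECK constraint never fires and the account pays out twice.
            con.execute("UPDATE accounts SET balance = ? WHERE id = 1", (b - amount,))
            con.execute("INSERT INTO withdrawals VALUES (1, ?)", (amount,))
    con.commit()
    return paid_out(con), balance(con)

def atomic_withdraw(con, amount):
    """Check and debit in one statement inside a transaction; the CHECK constraint
    is a second line of defence. Returns True if the withdrawal was accepted."""
    try:
        cur = con.execute(
            "UPDATE accounts SET balance = balance - ? WHERE id = 1 AND balance >= ?",
            (amount, amount))
        if cur.rowcount != 1:                    # condition failed: nothing debited
            raise ValueError("insufficient funds")
        con.execute("INSERT INTO withdrawals VALUES (1, ?)", (amount,))
        con.commit()
        return True
    except (ValueError, sqlite3.IntegrityError):
        con.rollback()                           # neither debit nor payout survives
        return False

def atomic_withdraw_twice(con, amount):
    results = (atomic_withdraw(con, amount), atomic_withdraw(con, amount))
    return results, paid_out(con), balance(con)
```

With a 100-unit balance and two 80-unit requests, the naive path pays out 160 while the ledger shows 20; the atomic path accepts the first request and rejects the second.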