The pool has been hacked. Fortunately I noticed it fast enough, so I made a database snapshot seconds before the attackers took over the database machine. I lost some amount of bitcoins, but I'll be able to recover it from my pocket.
Don't you keep the slush reward address private key offline & airgapped?
Then payouts can be batch calculated from a USB key transfer of a share work tally db report, and USB key transfer of the payout transactions to the pool miner addresses say once per week or whatever.
Then the worst that the attacker can do is delete some of the share work tally db records, or change the reward addresses in the db to themselves. And if you notice an attack, even the miners could resubmit the shares.
And in fact the pooled miner reward addresses should be included in an additional merkle tree in the coinbase itself, and the pooled miners should be presented a verifiable log2 path showing their presence and number of contributions within the coinbase, so that if they can see their contribution is missing, either due to pool skimming or pool share work db compromise, they can switch to another pool. In this way reward cannot be reassigned without redoing the work, and other than the pre-mining attack, you could basically operate with zero-trust (give out the ssh root private key to the server without loss of security).
The proof of contribution merkle tree could even be published to the full network, and included as part of the reward verification, then the pool wouldn't need to be trusted at all in terms of provable no skimming. Of course the pool is still trusted with validation (by those pool miners who don't build their own blocks nor independently validate the pool-constructed blocks).
Adam
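
The proof-of-contribution tree described in the post above, as an added sketch that is not part of the original post or any pool's code: each leaf commits to a miner's reward address and share count, and the miner checks a log2-length path against the committed root. The leaf encoding, hash prefixes, odd-node handling and placeholder addresses are assumptions made for this example.

```python
import hashlib

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(address: str, shares: int) -> bytes:
    # Assumed leaf encoding; the 0x00/0x01 prefixes keep leaves and interior nodes distinct.
    return _h(b"\x00" + address.encode() + b"|" + str(shares).encode())

def node_hash(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01" + left + right)

def build_levels(tally):
    """Return every tree level, leaves first, root last."""
    levels = [[leaf_hash(a, s) for a, s in tally]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        nxt = [node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur) - 1, 2)]
        if len(cur) % 2:
            nxt.append(cur[-1])  # unpaired node is promoted unchanged
        levels.append(nxt)
    return levels

def prove(levels, index):
    """Sibling hashes from leaf to root, each flagged if it sits on the left."""
    path = []
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):
            path.append((level[sibling], sibling < index))
        index //= 2
    return path

def verify(address, shares, path, root):
    """Miner-side check: recompute the root from own record plus the path."""
    acc = leaf_hash(address, shares)
    for sibling, is_left in path:
        acc = node_hash(sibling, acc) if is_left else node_hash(acc, sibling)
    return acc == root

# Constructed share tally with placeholder addresses (not real data).
TALLY = [("addr-alice", 120), ("addr-bob", 75), ("addr-carol", 310),
         ("addr-dave", 42), ("addr-erin", 9)]

if __name__ == "__main__":
    levels = build_levels(TALLY)
    root = levels[-1][0]  # the value the pool would commit to in the coinbase
    print(all(verify(a, s, prove(levels, i), root) for i, (a, s) in enumerate(TALLY)))
    # Tampered db: carol's reward address replaced, root rebuilt from the altered tally.
    bad = build_levels([("addr-attacker", 310) if a == "addr-carol" else (a, s) for a, s in TALLY])
    print(verify("addr-carol", 310, prove(bad, 2), bad[-1][0]))
```

A miner whose record was altered or dropped in the share db gets no path that verifies for their own address and count, which is the signal to switch pools.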