@Cuddlefish, I PMed you for more details.
That's ridiculous: the CSRF exploit is trivial. Someone logged into your site who visits a malicious site can have all his funds withdrawn at a whim.
Something along the lines of this:
And that's only the first thing that has been spotted.
Advice: shut down your site, get some professionals, and open it back up when it's finished and secure.