Yeah, and the paper is written from the perspective that the exchange hasn't been hacked.
No, see Explicit Requirements:
1. In the event the exchange is breached, the attacker should not be able
to withdraw funds or place trades.
In the event that both the exchange and the user's computer is breached,
the user has not previously placed trades while under surveillance and
the user has set up SMS authentication, the attacker should not be
able to withdraw funds or place trades on the user's behalf.