wait a second - how the hell would this vulnerability allow withdrawing unlimited amount of bitcoins?
if you withdraw coins and dupe the TX with a wrong hash you are not getting double coins in any way and why would a marketplace then refund the customer? it doesn't make any sense.
if you deposit coins and dupe the TX with a wrong hash then you may see "unconfirmed" coins under your balance that will never get any confirmations.
explain me if I misunderstand anything here
I'm guessing it happened with mutating the tx ids.
User requests withdrawal
Wallet sends funds, user mutates tx
wallet checks tx, cant find it, resends funds or credits user's account.
rinse/repeat
Just a guess, no clue how viable that really would be.
This.