Same with Monero. Livecoin simply expects the Monero developers to pay them $1.8 million to reimburse their losses. Legally, the developers have no liability. It's right in their software license! On the other hand, Livecoin is legally liable for the deposits its customers made and now won't pay out.
It depends on the agreement that livecoin has with the developers. A lot of times developers pay to get their coin onto an exchange - that often is accompanied with contractual obligations.
Even if the developers bear legal responsibility to Livecoin -- and that sounds doubtful -- that's between Livecoin and the developers. Livecoin has separate obligations to its customers. This whole "Bob holding Alice's money hostage until Joe pays him" thing is not legally or ethically kosher.
With a 51% attack with double spend the exploit does not occur on the exchange. The coin networks gives valid confirmations that are later tricked into being orphaned by privately mined blocks.
It means that those mined blocks are neither from a decentralized coin network and also shows that the blockchain is not immutable.
Coin developers have the ability to introduce check-pointing or utilizing a hybrid system that makes it more difficult to mount such an attack on the network.
This involves much larger philosophical discussions. Arguably, checkpointing thwarts the entire purpose and validity of POW by establishing a "developer consensus" that overrides POW consensus. We shouldn't expect developers to add checkpoints before the fact, or to reverse attacks with forks after the fact.
If a service like Livecoin gets attacked, the losses are their own to bear. They can reassess the risks of listing the coin, require more confirmations and set up additional internal checks to detect such attacks, or they can de-list the coin entirely if its chain is too insecure.
But whatever they do, they should allow depositors to withdraw their coins. At the very least, they should be up front about the losses and establish a compensation plan rather than pointing the finger at open source developers. That will get them nowhere.