So, you are claiming that the user tried to double spend his transaction to your address, his double spend attack failed, the original transaction was confirmed (meaning you received the coins) and that's why he ended up receiving no coins?
Shouldn't it only matter if the transaction to your service received the 3 confirmations, which are also only needed to avoid this kind of attack?