The hacker discovered that if you place several withdrawals all in practically the same instant, they will get processed at more or less the same time. This will result in a negative balance, but valid insertions into the database, which then get picked up by the withdrawal daemon.
Are you kidding me? Did you do
any research on past Bitcoin exchanges hacks before auditing your code?
That exact same "hack" has been done on multiple exchanges in the past.
Another guy who's created an exchange but yet somehow doesn't know what a database transaction is... unreal.