That is not what I sent to smooth in private. I said the attacker could have sent the coins to recipient thus attacker would know P = xG = H(rA)+B, since the public key is (A,B) and sender of the tx chooses r.
Note this doesn't really apply to a widescale attack by a single attacker. Rather if it is valid, then it means senders can steal back what they sent to you if they can de-anonymize you and they can rewind the chain, which isn't likely.
But there is any easy fix all of you could do now. Go send your CN coins to yourself at a new address. Then you are both the sender and the recipient.
That is why I said I upthread I wasn't too concerned about this additional insight.
Whoops. I am mistaken. Sending the coins to yourself doesn't help, if the attacker can rewind the chain. And if the math is broken this could be done widespread by a single attacker, because every spend he does infects that coin downstream every where it goes, assuming he can rewind the blockchain with a TW or 51% attack.