by meowface 3190 days ago
>Thus, users of EtherDelta must enter their public wallet address and private key when using the site, meaning their private key could be captured from the browser session by a malicious code injection.

This isn't some sort of fancy cryptocontract-based attack. The private key is just stored as a JavaScript object in the session, and an attacker found and exploited a reflected XSS vulnerability to send off the key.

Even if you're not sending your private key to the server directly, surely some people must have made these users aware of the risks they were taking? Not only XSS risks, but risks of a rogue admin or backend compromise injecting malicious JS.

1 comments

(Persistent XSS actually, but exploited similarly to a reflected XSS vulnerability because you have to send a specific link to your victims. It has a much higher exploitation success chance than reflected XSS since pesky browser XSS auditors won't be able to step in.)