Assume for a moment Gox might be telling the truth (Ya right, hahaha)
The purpose of a cold wallet is security and the hot wallet(s) don't have access.
The "crisis document" is clearly a lie, or am I missing something about the cold wallet?
A hot wallet empties a cold wallet if you refill the hot wallet from the cold wallet every time it gets low. If the rule is "when the hot wallet is low, refill it from the cold wallet" and you keep applying that rule, a leak in the hot wallet drains the cold wallet eventually.
How do you get a leak in the how wallet? Easy. You have a rule like: "if the customer complains that their withdrawal didn't process, and it has been at least 24 hours, check the transaction ID in our database. If it didn't confirm, process another withdrawal from the hot wallet."
Do you have to be a complete idiot with no audits and no controls to allow defects like these to cause you lose 99% of customer funds over years? The answer to that question is left as an exercise for the reader.
Bitcoin operators, whether they be exchanges, wallet services or payment providers, play a critical custodial role over the bitcoin they hold as assets for their customers. Acting as a custodian should require a high-bar, including appropriate security safeguards that are independently audited and tested on a regular basis, adequate balance sheets and reserves as commercial entities, transparent and accountable customer disclosures, and clear policies to not use customer assets for proprietary trading or for margin loans in leveraged trading. It does not appear to any of us that MtGox followed any these essential requirements as a financial services provider.
