When withdrawing a cryptocurrency with non-interactive transactions, such as BTC, from Tradeogre, the user enters an amount and an address.
In the next step, Tradeogre asks for the authenticator token (if the user has activated the authenticator). After the right token is entered, the transaction is performed immediately.
When withdrawing Grin, whose transactions are interactive, the user is asked to enter an amount and then Tradeogre asks for the authenticator token.
After the right token is entered, Tradeogre displays the slatepack message.
After signing the message in the wallet, the user pastes the response message and clicks the “Finalize” button. The transaction is then finalized immediately.
I would suggest that exchanges instead ask for the authenticator token after the user clicks “Finalize”, in order to make it harder to inject an unwanted response on behalf of the user. Also, the finalization step has a higher impact than the creation of the initial slatepack message.
Consider the following scenario:
A user initiates a transaction on an exchange. While the user is busy signing the message in the wallet, a malicious browser extension could use that time to send an unwanted response to the exchange. The transaction would then be finalized immediately by the exchange and the coins would go to the attacker. If the gap were closed, an unwanted response could still be injected invisibly, but there would at least be a chance for the user to prevent that.
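As an added example (not code from the original post, nor from Tradeogre or the Grin project), the following Python model plays the scenario above against both flows: the current one, where the authenticator token is checked before the slatepack is created and “Finalize” is accepted without a token, and the proposed one, where the token is checked at “Finalize”. The `Exchange` and `Withdrawal` classes, the slatepack strings and the TOTP secret are all constructed placeholders; the TOTP routine itself is the standard RFC 6238 algorithm that authenticator apps implement. The model covers both the race the post describes (the extension posts its own response while the user is still signing) and the residual case the post acknowledges (the extension swaps the response at the moment the user submits it together with a valid token).

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed authenticator secret shared by the user's app and the exchange.
USER_TOTP_SECRET = b"constructed-demo-secret-not-real"

# Constructed placeholder responses (real slatepacks are armored binary).
USER_RESPONSE = "BEGINSLATEPACK. S2 paying the user. ENDSLATEPACK."
ATTACKER_RESPONSE = "BEGINSLATEPACK. S2 paying the attacker. ENDSLATEPACK."


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, as produced by common authenticator apps."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


@dataclass
class Withdrawal:
    amount: int
    slatepack: str                  # S1, created and displayed by the exchange
    response: Optional[str] = None  # S2, pasted back by the user (or injected)
    finalized: bool = False


class Exchange:
    """Hypothetical exchange; token_at is 'start' (current) or 'finalize' (proposed)."""

    def __init__(self, totp_secret: bytes, token_at: str):
        assert token_at in ("start", "finalize")
        self.totp_secret = totp_secret
        self.token_at = token_at

    def _token_ok(self, token: Optional[str], now: int) -> bool:
        expected = totp(self.totp_secret, now)
        return token is not None and hmac.compare_digest(token, expected)

    def start(self, amount: int, token: Optional[str], now: int) -> Optional[Withdrawal]:
        """Create S1. The current flow checks the authenticator token here."""
        if self.token_at == "start" and not self._token_ok(token, now):
            return None
        return Withdrawal(amount, f"BEGINSLATEPACK. S1 for {amount} nanogrin. ENDSLATEPACK.")

    def finalize(self, w: Withdrawal, response: str, token: Optional[str], now: int) -> bool:
        """Accept S2 and finalize. The proposed flow checks the token here instead."""
        if w.finalized:
            return False
        if self.token_at == "finalize" and not self._token_ok(token, now):
            return False
        w.response = response
        w.finalized = True
        return True


def _begin(token_at: str, now: int):
    ex = Exchange(USER_TOTP_SECRET, token_at)
    user_token = totp(USER_TOTP_SECRET, now)  # what the user reads off the app
    w = ex.start(1_000_000_000, user_token if token_at == "start" else None, now)
    assert w is not None
    return ex, w, user_token


def race_injection(token_at: str) -> bool:
    """Extension posts its own S2 while the user is still signing in the wallet.
    It has no token for this step, so it sends none."""
    now = 1_700_000_000
    ex, w, _ = _begin(token_at, now)
    return ex.finalize(w, ATTACKER_RESPONSE, None, now)


def swap_at_submit(token_at: str) -> bool:
    """Extension replaces the pasted S2 at the moment the user clicks Finalize,
    so whatever token the user typed travels with the attacker's response."""
    now = 1_700_000_000
    ex, w, user_token = _begin(token_at, now)
    token = user_token if token_at == "finalize" else None
    return ex.finalize(w, ATTACKER_RESPONSE, token, now)


if __name__ == "__main__":
    for flow in ("start", "finalize"):
        print(f"token asked at {flow}: race injection finalized={race_injection(flow)}, "
              f"swap at submit finalized={swap_at_submit(flow)}")
```

Moving the token check to “Finalize” blocks only the race, since the extension cannot produce a fresh TOTP on its own; a response swapped in at submit time still rides on the user's token in both flows, which is the residual risk the post points out. Checking the token at both steps costs one extra prompt and is what the model's two flags suggest as the safer default.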