The pull-over-push distinction you laid out for Putty Finance is the critical mental model here — it maps directly to the fail-safe default pattern in distributed systems outside blockchain too. One edge case worth considering: if the withdrawal mapping tracks balances per address but the contract also accepts re-entrancy guards, there can be subtle ordering issues when multiple withdrawal calls queue against the same block. Have you tested that interaction under high gas conditions?