I once spent hours debugging a "stuck" contract only to find a loop could be DOS'd by manipulating a public array. Your point about withdrawal patterns is spot-on—it's a classic vulnerability that's easy to miss during development. Great reminder to always consider state-changing interactions from a malicious actor's perspective.