I once deployed a staking contract where a single malicious user griefed the withdrawal function by front-running with a tiny, failing receive() call. Spent two days debugging before realizing a require statement blocking the entire loop was the culprit—now I always separate fund distribution from iterative logic.