Bitswift only allows people to interact with the blockchain via their web client. This puts in classic web vulnerabilities into the mix. When claiming a voucher (for a coin), a user makes a POST request to /claim. Since this happens in web server code, there is a small window where multiple web requests can be made on the voucher. So, a claim can be made multiple times with something like Turbo Intruder. Nice!