Thanks for the writeup, but i wouldn’t call this necesarily an exploit, but rather a specific new way smart contracts interact with each other.
As you stated this allows for exploits, but also allows for great use cases.
One need to be careful to write the contract in a way that back calls can’t messup the state, e.g. by checking ownership using `msg.sender`!
Nonetheless this language and field is new, so it will take time for everybody to understand its differences to other languages and evolve.
Thanks for your article, anyway.