Good finds :). Most of the 2-factor auth or password reset flows I came across while consulting had bugs. One of the more fun findings was that an authenticated, encrypted username was used for password resets. Another part of the application used the same encryption key and acted as an encryption oracle. Copy the ciphertext for the target username into the password reset link, and voilà.
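The key-reuse problem described in the comment above, next to a purpose-bound design, as an added example that is not part of the original comment. It assumes HMAC-authenticated tokens rather than authenticated encryption so that it runs on the Python standard library; the function names, purpose labels and key are hypothetical and constructed.

```python
import hashlib
import hmac

MASTER_KEY = b"constructed-demo-key"  # constructed sample key, not a real secret


def _tag(key: bytes, body: str) -> bytes:
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest().encode()


# Weak design: every feature protects a bare username with the same key.
def weak_protect(username: str) -> str:
    return f"{username}|{_tag(MASTER_KEY, username).decode()}"


def weak_reset_accepts(token: str) -> bool:
    username, _, tag = token.rpartition("|")
    return hmac.compare_digest(tag.encode(), _tag(MASTER_KEY, username))


# Hardened design: one derived key per purpose, with purpose and expiry
# covered by the tag so a token cannot move between features or live forever.
def purpose_key(purpose: str) -> bytes:
    return hmac.new(MASTER_KEY, b"purpose:" + purpose.encode(), hashlib.sha256).digest()


def mint(purpose: str, username: str, expires: int) -> str:
    body = f"{purpose}|{username}|{expires}"
    return f"{body}|{_tag(purpose_key(purpose), body).decode()}"


def accepts(expected_purpose: str, token: str, now: int) -> bool:
    body, _, tag = token.rpartition("|")
    if not hmac.compare_digest(tag.encode(), _tag(purpose_key(expected_purpose), body)):
        return False
    purpose, _, rest = body.partition("|")
    expires = rest.rpartition("|")[2]
    return purpose == expected_purpose and expires.isdigit() and now < int(expires)


if __name__ == "__main__":
    other = weak_protect("alice")  # minted by a feature outside the reset flow
    print("weak reset accepts other feature's token:", weak_reset_accepts(other))
    profile = mint("profile-link", "alice", expires=2000)
    print("hardened reset accepts it:", accepts("password-reset", profile, now=1000))
    reset = mint("password-reset", "alice", expires=2000)
    print("genuine reset token accepted:", accepts("password-reset", reset, now=1000))
```
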