@cjentzsch It seems to me that you included child DAOs as a safety mechanism that prevents reentrancy attacks. As the funds are isolated within a new contract before they can be withdrawn, that would protect against reentrancy.

If that were true, then it would seem to me that the withdraw-reward mechanism was added later, or by a second programmer, which is why it is not integrated with the child DAO safety system. If the rewards were transfered first to the child DAO instead of being sent to _recipient, that would isolate the entire withdraw procedure.