Client-side timestamps and message cooldown timer seem highly exploitable.
So, I was chatting and I noticed my timestamps were 7 minutes ahead of everyone else's. I re-synced my system clock via NTP...but then I wasn't able to chat for ~7 minutes because my previous message was sent from what my computer considered seven minutes IN THE FUTURE, triggering the flood protection message cooldown.
I imagine it works in the other direction as well, in which case there's no way this isn't somehow exploitable.
What other time-based protection is handled client-side in defiance of all reason? The timer to be let into follower-only chat after following? Moderation timeouts? I can't imagine that's the case, but why would the message cooldown timer be client-side in the first place???