From TOTPKey.php:
foreach ( $this->scratchTokens as $i => $scratchToken ) { if ( $token === $scratchToken ) {
Should use hash_equals() instead. This is unlikely to be practically exploitable because of the rate limiting.
There's also if ( $window > $lastWindow && $result->toHOTP( 6 ) === $token ) {, but I would think that's fine and doesn't need the constant-time comparison? It probably doesn't hurt to be safe, I guess.
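For reference, here is the naive scratch-token loop beside a hash_equals() version, as an added example: this is not OATHAuth's code, and the ScratchTokenStore class, the verifyHotp() helper and the sample token values are hypothetical, constructed only to show the comparison pattern being discussed.

```php
<?php
declare(strict_types=1);

// Added illustration, not code from OATHAuth/TOTPKey.php.
// ScratchTokenStore, verifyHotp() and the sample tokens are hypothetical.

final class ScratchTokenStore
{
    /** @var string[] */
    private array $scratchTokens;

    /** @param string[] $scratchTokens */
    public function __construct(array $scratchTokens)
    {
        $this->scratchTokens = array_values($scratchTokens);
    }

    // Naive form, mirroring the loop quoted above: `===` on strings stops at the
    // first differing byte, so the response time depends on how many leading
    // bytes of the submitted token are correct.
    public function verifyNaive(string $token): ?int
    {
        foreach ($this->scratchTokens as $i => $scratchToken) {
            if ($token === $scratchToken) {
                return $i;
            }
        }
        return null;
    }

    // Hardened form: hash_equals() runs in time that depends only on the length
    // of the strings, not on where the first mismatch occurs. Argument order
    // matters for its timing guarantees: known value first, user input second.
    // Returning on the first match is fine, since a match is the success case
    // and the caller already holds that token.
    public function verifyConstantTime(string $token): ?int
    {
        foreach ($this->scratchTokens as $i => $scratchToken) {
            if (hash_equals($scratchToken, $token)) {
                return $i;
            }
        }
        return null;
    }

    // Scratch tokens are one-time codes: drop one once it has been accepted.
    public function consume(int $index): void
    {
        unset($this->scratchTokens[$index]);
        $this->scratchTokens = array_values($this->scratchTokens);
    }
}

// Same pattern for the HOTP branch: the locally computed code is the known
// value, the submitted code is the untrusted one.
function verifyHotp(string $expectedCode, string $submitted): bool
{
    return hash_equals($expectedCode, $submitted);
}

// Constructed sample data (hypothetical values, not real tokens).
$store = new ScratchTokenStore(['12345678', '87654321', '11112222']);

$index = $store->verifyConstantTime('87654321');
if ($index !== null) {
    $store->consume($index);
}
var_dump($index);
var_dump($store->verifyConstantTime('87654321')); // consumed, so no longer valid
var_dump(verifyHotp('492039', '492039'));
```

Two caveats when dropping this in: hash_equals() still returns early (and reports false) when the two strings differ in length, which is harmless for fixed-length tokens but means the length itself is not hidden; and on PHP 8 it throws a TypeError if either argument is not a string, so the submitted value should be coerced or validated as a string before the call rather than passed through from the request as-is.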