I'm trying to troubleshoot something else gift-code related and came across this post...thought I'd try it out.
Changing the final letter of an expanded link (as you wrote above, not the TinyURL) does the exact same thing for me.
So yes I would consider this a vulnerability unless we've both botched something in our gift code setup, but I can't see anything wrong with mine and have been using s2m shortcodes for over 2 years now. I would love to know what's going on there.
FYI it seems like currently the only real way to get a response from the developers (if you're lucky) is to submit a bug via github, which takes basically trying the whole thing out again on a clean WP install (no other plugins, up-to-date, default theme).