Looking at the crowdfunding example at https://dappsforbeginners.wordpress.com/tutorials/contracts-that-send-transactions/
There's a possible denial of service attack at the line:
c.funders[j].addr.send(c.funders[j].amount);
If one of the funders is a malicious contract, its default function could be a recrusive call to itself. This would cause all refunds to lock up.