[mpeg]

Since setGoalFailed is public (because you want it to be callable by the person trying to achieve the goal, and the contract owner is the supervisor) and does no checks, seems like anyone can mark a goal as failed and the money held in the smart contract will go to the contract owner?

Shouldn't that check that msg.sender is either goals[_hash].owner or owner ?

[superkarolis]

You are right, thank you for spotting this! I will have to make a new contract, this one is flawed. If someone decides to call this function and I get the funds, I will give a manual refund. It will have to do until v2 release of the contract. Right now at least it's not holding any major funds.

[mpeg]

No worries! Still much better code than Parity Multisig and their fake constructors :)

[heptathorp]

It also doesn't appear to be checking if a goal has already been set as failed, so someone could fail their goal repeatedly and drain the contract of all its funds.