
Yes, seen this once before, where the shipping price was calculated client side, then sent to the server with no validation. You could craft a request with a negative value and get the price down to a cent for the entire cart!

At least in e-commerce, you can always send an email to the customer explaining the mistake, and cancel the order...
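The pattern described in the thread above, as an added example that is not part of the original comments: a total that trusts a client-supplied shipping amount, next to one where the client only names a shipping method and the server looks up every amount itself. The catalogue, rates, field names and function names are hypothetical.

```javascript
// Added example; catalogue, rates and names are hypothetical. Amounts are in cents.
const CATALOG = new Map([["sku-1", 1999], ["sku-2", 4500]]);
const SHIPPING_RATES = new Map([["standard", 599], ["express", 1499]]);

// Pattern described above: the server adds whatever shipping amount
// arrived in the request to the order total, with no validation.
function totalTrustingClient(order) {
  const items = order.items.reduce((sum, i) => sum + CATALOG.get(i.sku) * i.qty, 0);
  return items + order.shippingCents;
}

// Hardened: prices and shipping are derived server side from identifiers;
// any amount field sent by the client is never read.
function totalServerSide(order) {
  if (!Array.isArray(order.items) || order.items.length === 0) {
    throw new Error("empty cart");
  }
  let items = 0;
  for (const { sku, qty } of order.items) {
    if (!CATALOG.has(sku)) throw new Error(`unknown sku: ${sku}`);
    if (!Number.isInteger(qty) || qty < 1 || qty > 100) {
      throw new Error(`bad quantity for ${sku}`);
    }
    items += CATALOG.get(sku) * qty;
  }
  if (!SHIPPING_RATES.has(order.shippingMethod)) {
    throw new Error("unknown shipping method");
  }
  return items + SHIPPING_RATES.get(order.shippingMethod);
}

// Constructed request body in which the shipping amount has been altered.
const tampered = {
  items: [{ sku: "sku-1", qty: 1 }, { sku: "sku-2", qty: 1 }],
  shippingMethod: "standard",
  shippingCents: -6498,
};

console.log("trusting client:", totalTrustingClient(tampered)); // whole cart for one cent
console.log("server side:   ", totalServerSide(tampered));      // items plus standard rate
```

Logging requests whose submitted amount differs from the server-computed one gives a cheap signal that someone is editing the request.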


