December 2nd, 2008, 07:26 PM

MaxWilson
Major General

Join Date: Mar 2007
Location: Seattle
Posts: 2,497

Re: Bug Thread: Discussion

Oh, wow. %n does not modify the output from printf but instead treats its argument as a memory address and sets it to the number of characters printed so far. That raises the threat potential from printing out the contents of your Dom3 process to modifying memory, including the instruction pointer. http://julianor.tripod.com/bc/formatstring-1.2.pdf

It's interesting that vfb reports that this will cause crashes. Maybe Dom3 is compiled in a mode that does stricter checking of printf, and throws an exception if the wrong number of arguments is supplied. In that case it's not a security threat after all.

-Max
__________________
Bauchelain - "Qwik Ben iz uzin wallhax! HAX!"
Quick Ben - "lol pwned"

["Memories of Ice", by Steven Erikson. Retranslated into l33t.]
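The %n behaviour described in the post, shown from the defender's side: what %n does when the format is a constant the programmer wrote, the hardened "%s" pattern that makes untrusted text inert, and a small scanner that flags conversion specifiers (and %n in particular) in any text a legacy code path still passes as a format string. This is an added C example, not code from the thread or from Dom3; the sample strings are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Scan text that is about to be used as a printf format and count its
 * conversion specifications, reporting through *has_n whether any is %n.
 * "%%" is a literal percent sign and is not counted.  Flags, width,
 * precision, positional ("$") and length modifiers are skipped, so "%08lx"
 * and "%3$n" each count once.  A count above zero means the text would make
 * printf read argument slots (or, with %n, write an int through one). */
int count_conversions(const char *s, int *has_n)
{
    int count = 0;
    *has_n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        p++;                                  /* look at the char after '%' */
        if (*p == '%')
            continue;                         /* "%%": literal percent */
        /* skip flags, width, precision, '$' and length modifiers */
        while (*p != '\0' && strchr("-+ #0123456789.*$hlLqjzt", *p) != NULL)
            p++;
        if (*p == '\0')
            break;                            /* truncated specifier at end */
        count++;                              /* *p is the conversion letter */
        if (*p == 'n')
            *has_n = 1;
    }
    return count;
}

/* What %n means when the format is a constant written by the programmer:
 * the matching argument is an int*, and printf stores into it the number of
 * characters emitted so far.  %n itself prints nothing. */
int prefix_length(const char *name)
{
    char out[64];
    int written = -1;
    snprintf(out, sizeof out, "player %s%n joined", name, &written);
    return written;   /* strlen("player ") + strlen(name) */
}

/* Hardened pattern for untrusted text: it is an argument to a constant "%s"
 * format, so any '%' sequences it contains are copied literally rather than
 * interpreted.  Returns snprintf's character count. */
int log_untrusted(char *out, size_t outsz, const char *untrusted)
{
    return snprintf(out, outsz, "%s", untrusted);
}

int main(void)
{
    /* constructed sample inputs, not taken from Dom3 */
    const char *samples[] = { "Max joined", "100%% done", "%08x %08x %08x", "%s%n" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int has_n;
        int n = count_conversions(samples[i], &has_n);
        char buf[64];
        log_untrusted(buf, sizeof buf, samples[i]);
        printf("%-16s conversions=%d %%n=%s  logged safely as: %s\n",
               samples[i], n, has_n ? "yes" : "no", buf);
    }
    printf("prefix_length(\"Max\") = %d\n", prefix_length("Max"));
    return 0;
}
```

On the "stricter checking" speculation: gcc warns about a non-literal format with no arguments under -Wformat-security, and glibc built with _FORTIFY_SOURCE=2 aborts the process when it finds %n in a format string that lives in writable memory, which turns the memory write into a crash. Whether a given binary was built that way is not something the thread establishes.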