`change_recovery_account_operation` can be "spammed"
Generally, when an operation can be used to create something, change a pending action or cancel it, hived requires the new call to actually change something, e.g. you can't cast a vote with exactly the same parameters twice (even though your voting mana might actually be higher, and you might already be in a different vote window, so even casting a vote with the same parameters would result in a different effective vote - we still don't allow it, possibly because it is very easy for a user to vote twice by accident). The same is not true for `change_recovery_account_operation`. There are three problems:
- it is not possible to clear the recovery account to set recovery for the most voted witness (given `new_recovery_account` must exist)
- it is possible to request a change to the recovery agent that is already set (when a request exists, such an action removes the request, which means there can be a race condition between transactions that set and clear a request)
- it is possible to request a change to a recovery agent that was already requested (such an operation only resets the timer)
I think the following fixes are needed (requires hardfork):
- it should be possible to pass an empty string as `new_recovery_account` (if we want the functionality of recovery by the top voted witness - so far it only worked for mined accounts as far as I know)
- a request to change the agent to the one already set should only be possible as a means of clearing an existing change request (fail when there is no pending request)
- a request to change the agent when there is a pending request should point at a different agent than the one already requested
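The three proposed rules expressed as a validation routine, as an added example that is not hived code: `recovery_state`, `evaluate_request`, `sample_state` and the account names are hypothetical, and a `std::set` stands in for the account existence check.

```cpp
#include <cassert>
#include <optional>
#include <set>
#include <string>
#include <utility>

// Outcome of a change_recovery_account request under the rules proposed above.
enum class decision { reject, create_request, replace_request, clear_request };

// Minimal view of an account's recovery state (constructed for this example).
struct recovery_state {
    std::string current_agent;                 // "" would mean "recover via top voted witness"
    std::optional<std::string> pending_agent;  // agent named by an open change request, if any
    std::set<std::string> known_accounts;      // stands in for the account existence check
};

// Applies the three proposed validity rules to a requested new_recovery_account.
decision evaluate_request(const recovery_state& st, const std::string& new_agent) {
    // Rule 1: empty string is a legal target; any other name must be an existing account.
    if (!new_agent.empty() && st.known_accounts.count(new_agent) == 0)
        return decision::reject;
    // Rule 2: naming the agent that is already set only clears a pending request;
    // with no pending request the call would change nothing, so it is rejected.
    if (new_agent == st.current_agent)
        return st.pending_agent ? decision::clear_request : decision::reject;
    // Rule 3: with a request pending, the new target must differ from the one already
    // requested, so re-sending the same request can no longer just reset the timer.
    if (st.pending_agent && *st.pending_agent == new_agent)
        return decision::reject;
    return st.pending_agent ? decision::replace_request : decision::create_request;
}

// Sample state (constructed): current agent "steem", optional pending request.
recovery_state sample_state(std::optional<std::string> pending) {
    return recovery_state{"steem", std::move(pending), {"steem", "alice", "bob"}};
}

int main() {
    const recovery_state no_pending = sample_state(std::nullopt);
    const recovery_state pending_alice = sample_state("alice");
    assert(evaluate_request(no_pending, "alice") == decision::create_request);
    assert(evaluate_request(no_pending, "steem") == decision::reject);      // rule 2, nothing to clear
    assert(evaluate_request(no_pending, "carol") == decision::reject);      // unknown account
    assert(evaluate_request(no_pending, "") == decision::create_request);   // rule 1
    assert(evaluate_request(pending_alice, "alice") == decision::reject);   // rule 3, no timer reset
    assert(evaluate_request(pending_alice, "steem") == decision::clear_request);
    assert(evaluate_request(pending_alice, "bob") == decision::replace_request);
    return 0;
}
```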