I wanted to brainstorm refund addresses in metaexchange. As it stands bitcoin transactions are refunded if necessary and sent back to where they came from. This is fine mostly, except when users withdraw from an exchange or hosted wallet of some kind where they don't own the addresses they send from.
We could add a 'refund address' parameter to metaexchange to fix this problem, but it can be gamed because we store and associate data with the bitshares account name (deposit address, and soon price and expiry time). An attacker could simply run through all bitshares account names on the site adding their own bitcoin address as the refund address for each account.
You might suggest that we don't store refund address in the DB, making them single use. The problem with that is people often store their metaexchange deposit addresses in their wallet and don't even use the site at all when they want to convert funds (which is entirely within our design spec).
I'd love to hear if anyone has an alternative to address this problem?