The RequestApprovalResponderView receives a transaction object from the network. It extracts a token request from that object, validates it, and obtains the actions whose rwset is added to the transaction before endorsing. However, the view does not verify that the received transaction object carries no pre-existing read-write set. As a result, the FSC node might be tricked into endorsing a larger set of actions than intended.
An attacker exploiting this bug might forge arbitrary tokens.
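
The missing check, shown on a simplified model as an added example (it is not the project's code). The names `Transaction`, `Write`, `translate`, `EndorseUnchecked`, `EndorseChecked` and `Received` are hypothetical, and the sample transaction is constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// Write is one entry of a read-write set (simplified, hypothetical model).
type Write struct{ Key, Value string }

// Transaction stands in for the transaction object received from the network.
type Transaction struct {
	Actions []string // actions of the token request, assumed already validated
	RWSet   []Write  // must be empty on arrival
}

var ErrPreexistingRWSet = errors.New("received transaction already carries a read-write set")

// translate appends the writes produced by the validated actions.
func translate(tx *Transaction) {
	for _, a := range tx.Actions {
		tx.RWSet = append(tx.RWSet, Write{Key: "token/" + a, Value: "validated"})
	}
}

// EndorseUnchecked models the flawed flow: entries already in the rwset are endorsed too.
func EndorseUnchecked(tx *Transaction) []Write {
	translate(tx)
	return tx.RWSet
}

// EndorseChecked rejects a populated rwset, so only derived writes are endorsed.
func EndorseChecked(tx *Transaction) ([]Write, error) {
	if len(tx.RWSet) != 0 {
		return nil, ErrPreexistingRWSet
	}
	translate(tx)
	return tx.RWSet, nil
}

// Received returns a constructed sample: one validated action plus one pre-existing write.
func Received() *Transaction {
	return &Transaction{Actions: []string{"transfer-1"}, RWSet: []Write{{"token/unvalidated", "preloaded"}}}
}

func main() {
	fmt.Println("unchecked endorses:", EndorseUnchecked(Received()))
	fmt.Println(EndorseChecked(Received()))
}
```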