Hm, that's assuming the merchant keeps those accounts empty right? I think a workaround would be that as long as the merchant plans to use that account for his customers, it should never be empty (he asks the client to keep at least 0.01 NXT in there). If the client empties out his account, then the merchant simply generates a new one for the client to use next time and tells him to not use the old one because the client emptied it out.
The merchant one was just an example of one possible attack. I wouldn't be surprised if there were many others.
Speaking of attack, I'm very disappointed in Emule. I guess it's time to cancel my 0.00005 buy order and move it up.
