J4de
medium
The LenderCommitmentForwarder.sol contract does not require any cost to issue a commitment
File: LenderCommitmentForwarder.sol
177 function createCommitment(
178 Commitment calldata _commitment,
179 address[] calldata _borrowerAddressList
180 ) public returns (uint256 commitmentId_) {
181 commitmentId_ = commitmentCount++;
182
183 require(
184 _commitment.lender == _msgSender(),
185 "unauthorized commitment creator"
186 );
187
188 commitments[commitmentId_] = _commitment;
189
190 //make sure the commitment data adheres to required specifications and limits
191 validateCommitment(commitments[commitmentId_]);
192
193 //the borrower allowlists is in a different storage space so we append them to the array with this method s
194 _addBorrowersToCommitmentAllowlist(commitmentId_, _borrowerAddressList);
195
196 emit CreatedCommitment(
197 commitmentId_,
198 _commitment.lender,
199 _commitment.marketId,
200 _commitment.principalTokenAddress,
201 _commitment.maxPrincipal
202 );
203 }Lenders can create commitments in the LenderCommitmentForwarder.sol contract. Each commitment represents a loan, which contains information such as the principal amount of the loan, the loan interest rate and the required collateral, etc. Borrowers can browse each loan in the LenderCommitmentForwarder.sol contract and choose the appropriate one to borrow.
The problem is that LenderCommitmentForwarder.sol releases commitments with zero cost, and attackers can maliciously spread various preferential but invalid loans, disrupting the entire market.
Disrupting the LenderCommitmentForwarder.spl contract market
Manual Review
It is recommended to deposit a part of the loan when releasing the commitment.