Summary

When utilizing Chainlink in L2 chains like Arbitrum, it's important to ensure that the prices provided are not falsely perceived as fresh, even when the sequencer is down.

Vulnerability Details

There is no check in the distributeAssets, which could lead to a stale price being used when calculating cost in euros:
uint256 costInEuros = _portion * 10 ** (18 - asset.token.dec) * uint256(assetPriceUsd) / uint256(priceEurUsd) * _hundredPC / _collateralRate;
Some disregard sequencer issues or downgrade them, but the recent sequencer downtime from December 2023 shows the issue is quite real, so I opt out for the historic Medium of such findings. More info: https://dedaub.com/blog/arbitrum-sequencer-outage

Impact

Incorrect prices, potential unfairness

Tools Used

Manual Review

Recommendations

Follow Chainlink's guidelines: https://docs.chain.link/data-feeds/l2-sequencer-feeds#example-code