The function distributeAssets in the LiquidationPool contract retrieves price data from Chainlink's latestRoundData but does not check the age of that data. The updatedAt timestamp returned by the call is never compared against block.timestamp to confirm the round is recent. Consequently, the contract may operate on outdated prices.
Using the value returned by latestRoundData without validating it can result in incorrect token price calculations. A feed can fall behind for a variety of reasons, innocent (node downtime, network congestion, a feed that has been deprecated) or malicious. Additionally, because distributeAssets can be called externally with no access control, a malicious actor can monitor the Chainlink feed for staleness themselves and call the contract at the moment the stale price favors them.
Using stale price data causes the contract to operate with values that do not reflect the actual price of the tokens. This directly affects the costInEuros variable, which in turn determines the _portion variable used as the amount in safeTransferFrom. The result is that an incorrect amount of funds is transferred.
Manual Review
Implement a staleness check. Modify the contract to compare the updatedAt timestamp from latestRoundData with block.timestamp. Define a maximum acceptable age for the data based on the specific feed's heartbeat and revert the transaction if the data is older. The answer should also be checked to be positive before it is used.
Additionally, the contract should not assume that every price feed has the same heartbeat; the maximum acceptable age should be configured per feed rather than as a single global constant.
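The following is an added illustration of such a check, written for this writeup and not taken from the LiquidationPool code. It assumes a consumer that stores a per-feed maximum age (maxAge) keyed by aggregator address; the contract name, error names, and configuration shape are hypothetical, and the getPriceUnchecked function reproduces the unchecked pattern described above for contrast.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal copy of the Chainlink AggregatorV3Interface members used here.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// Hypothetical consumer (not the LiquidationPool code). Each feed carries its own
/// maximum acceptable age, set from that feed's heartbeat plus a small tolerance.
contract StalenessCheckedOracle {
    error UnknownFeed(address feed);
    error InvalidPrice(address feed, int256 answer);
    error StalePrice(address feed, uint256 updatedAt, uint256 allowedAge);

    // feed address => maximum acceptable age in seconds (0 = not configured).
    // Example (assumed values; take the real heartbeat from the feed's page on
    // docs.chain.link / data.chain.link): an hourly feed might get 3600 + 300,
    // a daily feed 86400 + 300. They must NOT share one constant.
    mapping(address => uint256) public maxAge;

    constructor(address[] memory feeds, uint256[] memory maxAges) {
        require(feeds.length == maxAges.length, "length mismatch");
        for (uint256 i = 0; i < feeds.length; i++) {
            require(maxAges[i] > 0, "zero max age");
            maxAge[feeds[i]] = maxAges[i];
        }
    }

    // Unchecked pattern: the answer is used without looking at updatedAt or its sign.
    // A caller who sees the feed has stopped updating can time their call to exploit it.
    function getPriceUnchecked(address feed) external view returns (uint256) {
        (, int256 answer,,,) = AggregatorV3Interface(feed).latestRoundData();
        return uint256(answer);
    }

    // Hardened pattern: reverts on an unconfigured feed, a non-positive answer,
    // an incomplete round (updatedAt == 0), or data older than the per-feed limit.
    function getPriceChecked(address feed) public view returns (uint256 price, uint8 decimals) {
        uint256 allowedAge = maxAge[feed];
        if (allowedAge == 0) revert UnknownFeed(feed);

        (, int256 answer,, uint256 updatedAt,) = AggregatorV3Interface(feed).latestRoundData();

        if (answer <= 0) revert InvalidPrice(feed, answer);
        // block.timestamp - updatedAt reverts on underflow in 0.8.x, which is the
        // desired outcome if a feed ever reports a timestamp from the future.
        if (updatedAt == 0 || block.timestamp - updatedAt > allowedAge) {
            revert StalePrice(feed, updatedAt, allowedAge);
        }
        return (uint256(answer), AggregatorV3Interface(feed).decimals());
    }
}
```

In the pattern above, the revert is deliberate: when the feed is stale there is no safe price to fall back on, so a liquidation that would have used it should fail rather than transfer a mis-sized _portion. The per-feed mapping is what keeps a slow daily feed from either constantly reverting under a tight global threshold or, worse, a fast feed being accepted hours after it stopped updating.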
Read more about Chainlink data feeds here:
https://docs.chain.link/data-feeds/