The function distributeAssets in the LiquidationPool contract retrieves data from Chainlink's latestRoundData function but does not implement a check for the L2 sequencer. Consequently, the contract may operate on outdated or invalid information.
The contract appears to be intended for deployment on an L2 (Arbitrum One), so a check for the L2 sequencer is needed.
From the readme.md:
"The live version of these contracts (deployed to Arbitrum One) have some key external dependencies:"
Not checking the L2 sequencer before calling latestRoundData can result in incorrect calculations of token prices. If the sequencer is down, the Chainlink price feed will still return data, even if the price has changed since the sequencer went down. This will bypass a staleness check (which the contract does not have), because the data will appear fresh even though it is stale due to the sequencer not updating properly.
Using stale price data can cause the contract to operate on values that do not reflect the actual price of the tokens. This directly affects the costInEuros variable, which in turn directly affects the _portion variable, the value used in safeTransferFrom. As a result, an incorrect amount of funds will be transferred.
Manual Review
Implement a check for the L2 sequencer: modify the smart contract to verify that the L2 sequencer is available before calling latestRoundData, and add logic for the case where the sequencer is down, such as reverting the transaction.
See the Chainlink docs for more information.
https://docs.chain.link/data-feeds/l2-sequencer-feeds#example-code
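One way to implement the recommended check, as an added example that is not code from the audited project or from this report; it follows the pattern in the Chainlink L2 sequencer feed documentation linked above. The contract, function and error names and the GRACE_PERIOD and MAX_PRICE_AGE values are assumptions, and the uptime feed address is supplied at deployment.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal copy of the Chainlink feed interface so the example is self-contained.
interface AggregatorV3Interface {
    function latestRoundData() external view returns (
        uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound
    );
}

// Hypothetical helper contract; not part of the audited code base.
abstract contract SequencerGuardedFeed {
    // Assumed thresholds; tune per deployment and per feed heartbeat.
    uint256 private constant GRACE_PERIOD = 1 hours;
    uint256 private constant MAX_PRICE_AGE = 1 days;

    AggregatorV3Interface private immutable sequencerUptimeFeed;

    error SequencerDown();
    error GracePeriodNotOver();
    error InvalidPrice();
    error StalePrice();

    constructor(address _sequencerUptimeFeed) {
        sequencerUptimeFeed = AggregatorV3Interface(_sequencerUptimeFeed);
    }

    // Returns a price only if the sequencer is up, has been up for longer
    // than the grace period, and the price round is recent and positive.
    function checkedPrice(AggregatorV3Interface _priceFeed) internal view returns (uint256) {
        // Uptime feed: answer == 0 means the sequencer is up, 1 means it is down;
        // startedAt is the time the status last changed.
        (, int256 status, uint256 statusSince,,) = sequencerUptimeFeed.latestRoundData();
        if (status != 0) revert SequencerDown();
        // After a restart, wait out the grace period so feeds can catch up.
        if (block.timestamp - statusSince <= GRACE_PERIOD) revert GracePeriodNotOver();

        (, int256 price,, uint256 updatedAt,) = _priceFeed.latestRoundData();
        if (price <= 0) revert InvalidPrice();
        // Explicit staleness check, which the report notes the contract lacks.
        if (block.timestamp - updatedAt > MAX_PRICE_AGE) revert StalePrice();
        return uint256(price);
    }
}
```

A function such as distributeAssets would call checkedPrice instead of reading latestRoundData directly, so the whole transaction reverts while the sequencer is down or still inside the grace period.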