In scenarios where Chainlink is employed on Layer 2 chains like Arbitrum, it's crucial to verify the freshness of price feeds, particularly during periods when the sequencer might be offline. This oversight in the LiquidationPool.distributeAssets() function creates a vulnerability that could be exploited by attackers for undue benefit.
The code in LiquidationPool.distributeAssets() does not include a mechanism to check if the Arbitrum sequencer is down. This omission is evident in the referenced lines of code:
This vulnerability, if not addressed, opens a window for malevolent entities to exploit the system, leveraging outdated or incorrect prices (those reported before an outage and not refreshed while the sequencer is down) to their advantage.
Manual Review
To mitigate this issue, it is advised to implement a check for the Arbitrum sequencer's status in Chainlink feeds. For guidance on how to incorporate such a check, refer to the Chainlink documentation, specifically the section on L2 sequencer feeds with example code. This will ensure that the prices used are current and reliable, safeguarding the system against potential exploitation.
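The following Solidity contract is an added illustration of the recommended check and is not code from the audited protocol or from Chainlink's documentation. It wires the sequencer uptime feed and a price feed through the real AggregatorV3Interface (reproduced inline so the example compiles stand-alone); the contract name, constructor parameters, GRACE_PERIOD and MAX_STALENESS values are assumptions chosen for the example. It goes slightly beyond the finding by also rejecting prices whose updatedAt timestamp is older than the assumed heartbeat, since a sequencer check alone does not catch a feed that simply stopped updating.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal subset of Chainlink's AggregatorV3Interface, reproduced so this
// example compiles without external imports.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

/// @notice Illustrative price reader for an Arbitrum deployment (example only).
/// The sequencer uptime feed reports answer == 0 when the sequencer is up and
/// answer == 1 when it is down; startedAt is the timestamp of the latest status change.
contract SequencerAwarePriceReader {
    AggregatorV3Interface public immutable sequencerUptimeFeed;
    AggregatorV3Interface public immutable priceFeed;

    // Hypothetical thresholds; set per deployment. MAX_STALENESS must exceed the
    // price feed's configured heartbeat or every read would revert.
    uint256 public constant GRACE_PERIOD = 1 hours;
    uint256 public constant MAX_STALENESS = 1 hours;

    error SequencerDown();
    error GracePeriodNotOver();
    error StalePrice();
    error InvalidPrice();

    constructor(address _sequencerUptimeFeed, address _priceFeed) {
        sequencerUptimeFeed = AggregatorV3Interface(_sequencerUptimeFeed);
        priceFeed = AggregatorV3Interface(_priceFeed);
    }

    /// @dev Reverts unless the sequencer is up and has been up for at least GRACE_PERIOD.
    function _checkSequencer() internal view {
        (, int256 status, uint256 startedAt, , ) = sequencerUptimeFeed.latestRoundData();
        if (status != 0) revert SequencerDown();
        // Right after a restart, feeds may still carry pre-outage prices while
        // backlogged transactions are processed, so wait out a grace period.
        if (block.timestamp - startedAt <= GRACE_PERIOD) revert GracePeriodNotOver();
    }

    /// @notice Returns the feed price only when the sequencer is healthy and the
    /// answer is positive and recent. A distribution or liquidation path such as
    /// distributeAssets() would call this instead of reading the feed directly.
    function getFreshPrice() public view returns (uint256) {
        _checkSequencer();
        (, int256 answer, , uint256 updatedAt, ) = priceFeed.latestRoundData();
        if (answer <= 0) revert InvalidPrice();
        if (block.timestamp - updatedAt > MAX_STALENESS) revert StalePrice();
        return uint256(answer);
    }
}
```

The two checks address different failures: the sequencer check rejects reads while the L2 cannot accept transactions (and for a grace period afterwards), while the staleness check rejects an otherwise healthy feed whose last update is older than the expected heartbeat. Both revert rather than fall back to a cached value, so a caller that depends on the price cannot silently proceed on outdated data.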