The Chainlink docs recommend that the updatedAt timestamp returned from the latestRoundData() function call be validated to ensure the price is not stale.
In the LiquidationPool.sol#distributeAssets(...) function, Chainlink's latestRoundData() is used to get the price of each token, but the timestamp at which these prices were last updated is not validated as recommended by the Chainlink docs:
"Your application should track the latestTimestamp variable or use the updatedAt value from the latestRoundData() function to make sure that the latest answer is recent enough for your application to use it. If your application detects that the reported answer is not updated within the heartbeat or within time limits that you determine are acceptable for your application, pause operation or switch to an alternate operation mode while identifying the cause of the delay. Chainlink Price Feeds do not provide streaming data. Rather, the aggregator updates its latestAnswer when the value deviates beyond a specified threshold or when the heartbeat idle time has passed. You can find the heartbeat and deviation values for each data feed at data.chain.link or in the Contract Addresses lists."
source: https://docs.chain.link/data-feeds/price-feeds/addresses/?network=arbitrum&page=1
Each price feed also has its own heartbeat.
Potential loss of assets due to using an old price.
Manual Review
Use the returned updatedAt timestamp to validate that the price returned is not an old one.
Make sure to use the specific heartbeat for each price feed, as recommended by Chainlink, because some price feeds have a 24-hour heartbeat while others have just a 1-hour heartbeat.
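One way to implement this recommendation, shown as an added example that is not code from LiquidationPool.sol or the audited project. The contract name, `heartbeatOf`, `setHeartbeat` and `freshPrice` are hypothetical; the interface is a trimmed copy of Chainlink's AggregatorV3Interface, and the heartbeat values are assumed to be configured from the listing for each feed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Trimmed copy of Chainlink's AggregatorV3Interface (only the call used here).
interface AggregatorV3Interface {
    function latestRoundData() external view returns (
        uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound
    );
}

// Hypothetical helper illustrating a per-feed staleness check.
contract StalenessCheckedOracle {
    error HeartbeatNotSet(address feed);
    error StalePrice(address feed, uint256 updatedAt, uint256 maxAge);

    address public immutable owner;
    // Maximum accepted age in seconds for each feed, set from that feed's heartbeat
    // (for example 1 hours for one feed and 24 hours for another).
    mapping(address => uint256) public heartbeatOf;

    constructor() {
        owner = msg.sender;
    }

    function setHeartbeat(address feed, uint256 heartbeat) external {
        require(msg.sender == owner, "not owner");
        heartbeatOf[feed] = heartbeat;
    }

    // Returns the latest answer only if it was updated within the feed's own heartbeat.
    function freshPrice(address feed) public view returns (int256 answer) {
        uint256 maxAge = heartbeatOf[feed];
        // Fail closed: a feed with no configured heartbeat is never trusted.
        if (maxAge == 0) revert HeartbeatNotSet(feed);

        uint256 updatedAt;
        (, answer, , updatedAt, ) = AggregatorV3Interface(feed).latestRoundData();

        // Reject a timestamp in the future or one older than this feed's heartbeat.
        if (updatedAt > block.timestamp || block.timestamp - updatedAt > maxAge) {
            revert StalePrice(feed, updatedAt, maxAge);
        }
    }
}
```

Reverting on a stale answer matches the "pause operation" behaviour in the quoted Chainlink guidance; a caller that needs to keep operating would catch the revert and switch to its alternate mode instead.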