Relevant GitHub Links
Summary
ChainlinkARBOracle.consult will revert when the phase id has been increased for the Chainlink aggregator, because a wrong round will be requested instead of the previous one.
Vulnerability Details
To validate the Chainlink price, ChainlinkARBOracle fetches the answer for the current and previous rounds.
To get the previous round, the roundId from the current response is used, so just roundId - 1 is requested.
A round id in Chainlink consists of phaseId and aggregatorRoundId. If a new aggregator is used, then phaseId is increased.
So the problem occurs when a new aggregator is used and it has only the first round. Then roundId - 1 will not point to the last round of the previous aggregator, but to an incorrect round. As a result, a wrong answer will be returned and the call will likely revert.
Impact
Call will revert as price will not be validated.
Tools Used
VsCode
Recommendations
It can be a really complicated fix, where you need to parse roundId to know if the phase was changed. I am not sure it is worth it.
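The round id layout described under Vulnerability Details, modelled in Python as an added example (not code from the report or from the project). The feed history, LAST_ROUND_OF_PHASE and all function names are constructed for illustration; the layout assumed is Chainlink's documented one, roundId = (phaseId << 64) | aggregatorRoundId.

```python
PHASE_OFFSET = 64                     # proxy roundId = (phaseId << 64) | aggregatorRoundId
AGG_MASK = (1 << PHASE_OFFSET) - 1

def make_round_id(phase_id, agg_round_id):
    return (phase_id << PHASE_OFFSET) | agg_round_id

def split_round_id(round_id):
    """Return (phaseId, aggregatorRoundId) for a proxy round id."""
    return round_id >> PHASE_OFFSET, round_id & AGG_MASK

# Constructed feed history: phase 1 ran rounds 1..120, then a new aggregator
# (phase 2) was installed and has produced only its first round.
ROUNDS = {make_round_id(1, r): 2000_00000000 + r for r in range(1, 121)}
ROUNDS[make_round_id(2, 1)] = 2001_00000000
LAST_ROUND_OF_PHASE = {1: 120, 2: 1}  # hypothetical: assumed known to the caller

def answer_or_none(round_id):
    """Stand-in for the feed lookup; None models a round with no data."""
    return None if round_id is None else ROUNDS.get(round_id)

def naive_previous(round_id):
    """What the report describes: subtract one from the full round id."""
    return round_id - 1

def phase_aware_previous(round_id, last_round_of_phase):
    """Step back inside the phase, or to the last round of an earlier phase."""
    phase_id, agg_round_id = split_round_id(round_id)
    if agg_round_id > 1:
        return make_round_id(phase_id, agg_round_id - 1)
    for prev_phase in range(phase_id - 1, 0, -1):
        last = last_round_of_phase.get(prev_phase, 0)
        if last > 0:
            return make_round_id(prev_phase, last)
    return None  # first round of the first phase: nothing earlier exists

if __name__ == "__main__":
    current = make_round_id(2, 1)
    for name, prev in (("naive", naive_previous(current)),
                       ("phase-aware", phase_aware_previous(current, LAST_ROUND_OF_PHASE))):
        print(name, split_round_id(prev), answer_or_none(prev))
```

In the middle of a phase both functions return the same id; they differ only on the first round after a phase change, which is the case the report describes.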